CGNAT BYPASS NEXTCLOUD ONLY DETECT PRIVATE IP
-
Hello Gangs,
I have established a VPN tunnel via a VPS, since my home IP is behind CGNAT. Publicly I can access my NEXTCLOUD via port forwarding after establishing the VPN. However, when I look at the NEXTCLOUD logs, I can only see the private VPN IP address of the VPS.
How can I make NEXTCLOUD actually see the real client public IP? Below best describes the topology:
VPS
WAN Public IP      VPN VPS INT        VPN CGNAT INT       LAN IP NEXTCLOUD
100.x.x.x -------->192.168.100.1<--->192.168.100.2<--------> 192.168.5.5
From the NEXTCLOUD logs I can only see 192.168.100.1 accessing the server, not the actual public IP address of the client.
Hopefully someone can have a look and provide assistance.
-
@0t73r said in CGNAT BYPASS NEXTCLOUD ONLY DETECT PRIVATE IP:
VPS
WAN Public IP      VPN VPS INT        VPN CGNAT INT       LAN IP NEXTCLOUD
100.x.x.x -------->192.168.100.1<--->192.168.100.2<--------> 192.168.5.5
From the NEXTCLOUD logs I can only see 192.168.100.1
So obviously there is an outbound NAT rule applied to the traffic on the VPS VPN interface.
pfSense doesn't do this by default, so I guess you have added it manually? If so, remove it again.
-
Yes, there is an outbound rule, but that is what makes port forwarding to my home NEXTCLOUD work.
Do you have an alternative solution?
-
@0t73r
If you haven't done so already, on the home pfSense assign an interface to the OpenVPN client instance: Interfaces > Assignments. Then go to the OpenVPN rule tab, edit the pass rule and change the interface to the new OpenVPN client interface.
I'm assuming you have only one pass rule there. Ensure that there is no pass rule on the OpenVPN tab and no floating pass rule matching the forwarded traffic from the VPS.
On the VPS pfSense remove the outbound NAT rule from the VPN interface.
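As an added check that is not part of this thread: once the outbound NAT rule is gone, Nextcloud's JSON log (nextcloud.log, one object per line with a "remoteAddr" field) should stop showing the VPS tunnel address. The script below scans constructed sample log lines and counts entries that still carry the VPN NAT address (192.168.100.1 from the topology above), other RFC1918 sources, and real client addresses; the sample entries and the public address 203.0.113.7 are constructed, not taken from the poster's logs.

```python
import ipaddress
import json

# Constructed sample of nextcloud.log lines. The two 192.168.100.1 entries
# are what the thread reports seeing while the VPS outbound NAT masquerades.
SAMPLE_LOG = """\
{"reqId":"a1","time":"2024-01-01T10:00:00+00:00","remoteAddr":"192.168.100.1","user":"alice","method":"GET","url":"/index.php/apps/files/","message":"Login successful"}
{"reqId":"a2","time":"2024-01-01T10:01:00+00:00","remoteAddr":"192.168.100.1","user":"--","method":"POST","url":"/login","message":"Login failed: bob"}
{"reqId":"a3","time":"2024-01-01T10:02:00+00:00","remoteAddr":"203.0.113.7","user":"alice","method":"GET","url":"/index.php/apps/files/","message":"Login successful"}
{"reqId":"a4","time":"2024-01-01T10:03:00+00:00","remoteAddr":"192.168.5.20","user":"carol","method":"GET","url":"/","message":"Login successful"}
"""

# VPS tunnel address from the thread's topology (assumption: the only NAT source).
VPN_NAT_ADDRESSES = {"192.168.100.1"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_remote_addrs(log_text, nat_addresses=VPN_NAT_ADDRESSES):
    """Count log entries by what their remoteAddr reveals:
    'masqueraded' = still the VPN NAT address, 'private' = another RFC1918
    source (home LAN), 'public' = anything outside RFC1918, i.e. a real client."""
    counts = {"masqueraded": 0, "private": 0, "public": 0, "unparsed": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
            addr = ipaddress.ip_address(entry["remoteAddr"])
        except (ValueError, KeyError):
            counts["unparsed"] += 1
            continue
        if str(addr) in nat_addresses:
            counts["masqueraded"] += 1
        elif any(addr in net for net in RFC1918):
            counts["private"] += 1
        else:
            counts["public"] += 1
    return counts

def nat_still_active(log_text, nat_addresses=VPN_NAT_ADDRESSES):
    """True if any entry still shows the VPN NAT address, meaning the VPS
    outbound NAT rule is still rewriting the client source address."""
    return classify_remote_addrs(log_text, nat_addresses)["masqueraded"] > 0

if __name__ == "__main__":
    print(classify_remote_addrs(SAMPLE_LOG))
    print("outbound NAT still masquerading:", nat_still_active(SAMPLE_LOG))
```

Run it against the real file with `tail -n 1000 nextcloud.log` piped in; a non-zero "masqueraded" count after the change means the NAT rule, or a second one, is still in effect.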
-
It seems I forgot which VPN I use. I wrote this post from memory. It turns out I'm using WireGuard at the moment.
Yes, a WireGuard VPN interface rule is created, allowing all. As soon as I disable outbound NAT, there is no access to NEXTCLOUD from the public-facing interface.
-
Thanks for the suggestion @viragomann. Public packets are now passing through once I removed the rules from the default WireGuard interface and added allow rules on the WireGuard-created interfaces.
-
@0t73r
It behaves the same with WireGuard. After configuring an instance, pfSense creates the WireGuard group on the rules page. But you have to assign a unique interface to your instance for your rules and remove everything from the group tab.