    NAT and OpenVPN - trying to understand how this works

    6 Posts 4 Posters 1.8k Views
0lek:

      Guys,

      I'd like to first say hi to everybody.

      Today I finally had some time and set up PIA OpenVPN on the pfsense box. I followed https://forum.pfsense.org/index.php?topic=76015.0, an amazing tutorial, thanks!

Now everything works. I just can't seem to understand why. Here's my question: (scroll down for a tl;dr)

      My question is, how exactly are the NAT rules to follow selected? What I have now, I have 1 route for source being LAN and destination WAN and below that I have another one, which has the destination PIA VPN. If the rules were matched like firewall rules, then traffic should be NAT'ed to a WAN address. However, everything is NAT'ed (correctly) to PIA VPN.
      Also, if I look at the gateways, WAN is the default gateway. Which is even more confusing, as clearly all traffic goes through VPN.

      I punctually added a manual override for routing via VPN for specific hosts. Firewall rule in LAN, explicitly set the gateway - works.

      Also, I have a VPN server. I had to add a manual NAT rule for the tunnel network to go out via VPN - works as well.

      I read somewhere that when you add the route-nopull advanced conf, OpenVPN will not "hijack" the routing. So I'd like to know how it hijacks it now, just for my peace of mind :)

      If anybody has a couple of mins, please explain that to me or point to searches/books/tutorials - I can't even generate a proper search query to find anything interesting :)

      tl;dr: OpenVPN client works, but I don't understand how. ELI5: NAT and GW.

      Thanks!
      0lek

phil.davis:

        The firewall rules determine which packets are passed, and then where they go - either to the ordinary routing table (which mostly results in going out the default gateway) or to a gateway or gateway group specified in the rule. So putting a gateway on rules on LAN or on the OpenVPN (for road warriors or remote sites on site-to-site VPN links) will make the traffic go into the OpenVPN link to PIA.

        Then the NAT rule/s are applied on the way out. So if the traffic is heading out the PIA OpenVPN link, then only rules for that interface are processed. So in your case, for most traffic, the NAT rules on WAN are not relevant, but you need them on PIA OpenVPN for traffic from any of your private subnets - LAN and Road Warrior tunnel network.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

0lek:

          Phil,

          thanks for the explanation. I understand that:

          • Firewall rules determine through which interface packets "go out"

          • NAT rules are only followed for the interface in question - so their order doesn't really matter in that sense

          • If no gateway specified, then it goes out the default GW

That's understood, however I still see a break in the logic. The default GW set is WAN (I just checked to be super-secure), but all packets (unless otherwise specified) go out via PIA -> am I missing something?

          I can also post pics of my setup, if that should help.

          Thanks.

Derelict (LAYER 8, Netgate):

I think PIA is pushing a default route to you. The equivalent of you setting up your own remote access OpenVPN server and checking the "Redirect Gateway - Force all client generated traffic through the tunnel" option. When you set route-nopull, you ignore routes pushed to you by the server so you can control what traffic gets routed out the VPN using policy routing.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)
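To make the two explanations above concrete, here is a small model written for this thread (it is not pfSense code and not code from any poster). It reproduces the two-phase decision Phil describes (a firewall rule with an explicit gateway, or else the routing table, picks the egress interface; only outbound NAT rules bound to that interface are then consulted) and the pushed default route Derelict describes, modelled the way OpenVPN's redirect-gateway def1 does it: two /1 routes (0.0.0.0/1 and 128.0.0.0/1) layered over the real 0.0.0.0/0 default, which is why the default gateway still reads WAN in the GUI while everything leaves via the VPN. Interface names (wan, ovpnc1), addresses and rule tables are constructed sample values.

```python
# Added illustration for this thread; not pfSense code and not any poster's code.
# Phase 1: policy routing picks the egress interface (firewall rule gateway,
# else longest-prefix routing lookup). Phase 2: only NAT rules bound to that
# egress interface are considered. Pushed-route behaviour follows OpenVPN's
# redirect-gateway def1 (0.0.0.0/1 + 128.0.0.0/1 over the real default).
# All interface names, addresses and rules below are constructed samples.
import ipaddress
from dataclasses import dataclass
from typing import Optional, List


@dataclass
class Route:
    prefix: str          # e.g. "0.0.0.0/1"
    iface: str           # egress interface for this prefix


@dataclass
class FwRule:
    src: str
    dst: str
    gateway_iface: Optional[str] = None   # None: fall back to the routing table


@dataclass
class NatRule:
    iface: str           # rule only applies to traffic leaving this interface
    src: str
    nat_to: str          # address the source is translated to


def route_lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match; this is why def1's /1 routes beat the /0 default."""
    d = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if d in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best.iface if best else None


def egress_interface(fw_rules: List[FwRule], routes: List[Route],
                     src: str, dst: str) -> Optional[str]:
    """Phase 1: first matching pass rule; its gateway (if set) overrides routing."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in fw_rules:
        if s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst):
            return rule.gateway_iface or route_lookup(routes, dst)
    return None          # no pass rule matched: the packet is dropped


def translate(nat_rules: List[NatRule], iface: Optional[str], src: str) -> str:
    """Phase 2: only NAT rules bound to the chosen egress interface count, first match wins."""
    s = ipaddress.ip_address(src)
    for rule in nat_rules:
        if rule.iface == iface and s in ipaddress.ip_network(rule.src):
            return rule.nat_to
    return src           # no outbound NAT on this interface: source left untouched


def pushed_default_override(routes: List[Route]) -> Optional[str]:
    """Return the interface that captures all traffic via def1-style /1 routes, if any.
    The /0 default stays on WAN, so the GUI's default gateway still shows WAN."""
    halves = {r.prefix: r.iface for r in routes
              if r.prefix in ("0.0.0.0/1", "128.0.0.0/1")}
    if len(halves) == 2 and len(set(halves.values())) == 1:
        return halves["0.0.0.0/1"]
    return None


# Constructed sample tables (documentation ranges, not real addresses)
WAN_IP, VPN_IP = "203.0.113.10", "10.8.0.6"
ROUTES_PUSHED = [Route("0.0.0.0/0", "wan"),              # real default: WAN
                 Route("0.0.0.0/1", "ovpnc1"),           # pushed by the VPN server
                 Route("128.0.0.0/1", "ovpnc1")]         # pushed by the VPN server
ROUTES_NOPULL = [Route("0.0.0.0/0", "wan")]              # route-nopull: pushes ignored
FW_RULES = [
    FwRule("192.168.1.0/24", "192.0.2.0/24", gateway_iface="ovpnc1"),  # explicit gateway
    FwRule("192.168.1.0/24", "0.0.0.0/0"),                             # default LAN allow
    FwRule("10.0.8.0/24", "0.0.0.0/0", gateway_iface="ovpnc1"),        # road-warrior tunnel
]
NAT_RULES = [
    NatRule("wan", "192.168.1.0/24", WAN_IP),
    NatRule("ovpnc1", "192.168.1.0/24", VPN_IP),
    NatRule("ovpnc1", "10.0.8.0/24", VPN_IP),   # the manual rule for the tunnel network
]


def simulate(src: str, dst: str, routes: List[Route]):
    """Return (egress interface, translated source) for one packet."""
    iface = egress_interface(FW_RULES, routes, src, dst)
    return iface, translate(NAT_RULES, iface, src)


if __name__ == "__main__":
    print(simulate("192.168.1.20", "198.51.100.5", ROUTES_PUSHED))   # ('ovpnc1', '10.8.0.6')
    print(simulate("192.168.1.20", "198.51.100.5", ROUTES_NOPULL))   # ('wan', '203.0.113.10')
    print(pushed_default_override(ROUTES_PUSHED))                    # ovpnc1
```

Note that the NAT rule order in NAT_RULES never decides anything across interfaces: the WAN rule is simply skipped when the packet leaves via ovpnc1, which is the point Phil makes about the WAN NAT rules being irrelevant for VPN-bound traffic. With ROUTES_NOPULL the same LAN packet falls back to the /0 route and is translated to the WAN address, unless a firewall rule names the VPN gateway explicitly.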

Wolf666:

              I normally set my custom option using "route-nopull" in order to get full control on clients and services to be routed via VPN.

              Modem Draytek Vigor 130
              pfSense 2.4 Supermicro A1SRi-2558 - 8GB ECC RAM - Intel S3500 SSD 80GB - M350 Case
              Switch Cisco SG350-10
              AP Netgear R7000 (Stock FW)
              HTPC Intel NUC5i3RYH
              NAS Synology DS1515+
              NAS Synology DS213+

0lek:

Yeah, that's how much I understood of it anyway.

I just don't understand why that "default route" is nowhere to be seen in the GUI. That made it so much harder to understand what's happening.

                Thanks for the explanation though

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.