Netgate Discussion Forum
    NAT help for VPN tunnel to VPS

Category: OpenVPN
18 Posts 3 Posters 3.8k Views
jbiss_ca

      Hello,

I have a VPS server that is hosting a samba share (Windows share) that I'm connecting to via a VPN connection. My pfsense box is the client and the VPS server has a static IP of 10.8.0.1. See the picture for the current setup.

I can connect to the VPS through the VPN connection and, according to the VPN Status page, everything is up and working normally. I obtain a 10.8.0.X IP and doing ping tests from PfSense always works. I experience intermittent issues connecting to the shared drive and also pinging the VPS's internal IP of 10.8.0.1 from any of my LAN network devices, all on the 192.168.1.0/24 network.

From a laptop:

C:\Users\User>tracert 10.8.0.1

Tracing route to 10.8.0.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  pfsense.internal.mydomain.local [192.168.1.3]
  2    49 ms    49 ms    49 ms  10.8.0.1

      Is there something that I'm missing in regards to NAT'ing?
(attachment: nating.png)

divsys

        Sorry, but I'm not sure why you need the NAT at all.

        Normally I'd expect your VPN setup to handle the assignment of routing through the tunnel.

        What are you using for your VPN, IPSec, OpenVPN?

        -jfp

jbiss_ca

          I'm using OpenVPN.

          If I don't use any NAT rules then only the pfsense box itself can reach 10.8.0.1 as all other devices on the 192.168.1.0/24 network don't know how to reach the 10.8.0.1/32 and get sent out onto the internet.

          The other people sharing the samba share on the VPS are all using tomato on their routers and in their OpenVPN settings, it's a checkbox for "Create NAT on tunnel" which I'm trying to create manually on pfsense.

          I read through a few how-to's for configuring pfsense with an OpenVPN VPS but they are all for browsing the Internet through the VPN. I don't want to browse the internet, only access the samba share hosted on the VPS.

divsys

            This sounds more like an OpenVPN problem than a NAT issue.

            Normally you just add the remote subnet you want access to via the tunnel and the pfSense box sets up the routes automatically.

            What does your pfSense OpenVPN client setup look like?

            What version of pfSense are you running?

            -jfp

jbiss_ca

Attached is the OpenVPN client configuration page.

              I'm running the latest pfsense, 2.2.4-RELEASE (amd64).

              I didn't configure any remote subnet in the OpenVPN page, I think I'll give that a shot also. Thanks for the tip.

(attachment: VPN_client.png)

divsys

One thing that jumps out at me in your setup is the lack of an entry in "IPv4 Tunnel Network".

                Usually that's the tunnel subnet set by the OpenVPN server (your VPS provider in this case).

                I'm not sure how this is working if OpenVPN doesn't have a tunnel subnet to use to establish your connection.

                Does the VPS provider supply a cheat sheet/howto for setting up OpenVPN with their service?

Edit: I'm going to suggest this thread be moved to the "OpenVPN" section.

                -jfp

jbiss_ca

                  I have requested this thread be moved to the OpenVPN forum.

Without any tunnel subnet or remote network specified, these routes are created by default when I start the OpenVPN client connection.

IPv4
Destination   Gateway     Flags  Use  Mtu    Netif   Expire
10.8.0.1/32   10.8.0.13   UGS    4    1500   ovpnc3
10.8.0.13     link#13     UH     0    1500   ovpnc3
10.8.0.14     link#13     UHS    0    16384  lo0

                  As for the VPS, we've installed the OS and configured OpenVPN ourselves. I'm the only person having issues, everyone else is using the tomato firmware on their routers and using a checkbox for "Create NAT on tunnel". That's why I was under the impression I needed to create NAT rules myself.

divsys

                    Well if you've created the server side of OpenVPN, that means you have full control which is very good.

> Without any tunnel subnet or remote network specified, these routes are created by default when I start the OpenVPN client connection.

Just looked through the current https://openvpn.net/index.php/open-source/documentation/howto.html and, look at that, the tunnel specification is not a requirement. I always add it in mainly because it was a requirement in some past (10+ years ago) incarnations of OpenVPN I used and it's part of my "checklist" (I'll have to revisit that...).

                    Can you post the config file from the server's OpenVPN setup?

That should show us what OpenVPN thinks it's supposed to do for you. This shouldn't be too tough to set up at all if you have full control of both ends.

                    BTW what is the LAN subnet on the VPS side?

                    -jfp

jbiss_ca

                      On our VPS server,

                      eth0 The public WAN IP
                      tun0 inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255

Here is the OpenVPN server's config:

/etc/openvpn$ cat server.conf
port 5060
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0   # tunnel pool: the server takes 10.8.0.1, clients get 10.8.0.x
ifconfig-pool-persist ipp.txt
duplicate-cn                    # several clients may connect at once with the same certificate CN
keepalive 10 120
auth none                       # no data-channel HMAC: tunnel packets are not integrity-checked
cipher BF-CBC                   # Blowfish (default), a 64-bit block cipher
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
mute 20

                      The part that's confusing me the most is that I'm the only one with issues.

divsys

                        So things are a little clearer to me now (I think).

You don't have separate LAN and Tunnel subnets in this case as the VPS is hosting both the Samba shares and the OpenVPN server on the same box.

                        It's not a setup I've had to configure myself but I would add the OpenVPN tunnel subnet to your pfSense client:

                        Add 10.8.0.0/24 to the "IPv4 Tunnel Network" config box.

                        I'm thinking that this will create a "Route command" within pfSense that can be given to the devices on your LAN so they can find your Samba server.

                        -jfp

jbiss_ca

                          Correct, everything is hosted on the same server.

                          I've added the route (OpenVPN creates the route for 10.8.0.1/32 automatically).

The strange issue that persists is the intermittent ping/availability of the samba share. I can try to ping 10.8.0.1 a few times in a row and sometimes it will work and other times it won't. When it does work, I can let that ping command go for a long time (I stopped it after 10 minutes) and it works the whole time, yet retrying right after stopping a working ping doesn't mean it will work again a few seconds later.

I have this rule under Firewall: Rules, OpenVPN tab AND the first image showing the NAT rule.

Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
IPv4   *       *     *            *     *        *      none      OpenVPN OpenVPN wizard

Also, according to the OpenVPN logs and the Uptime indicated on the OpenVPN Status page, the OpenVPN tunnel is always up even when the ping command or the samba shares are temporarily not working.

heper

                            remove the nat

jbiss_ca

                              Does OpenVPN automatically do the NAT'ing in the background?

Without the NAT rule, the pfsense box can talk to 10.8.0.1 on the VPS server, however the server won't know how to reply to all other devices on my 192.168.1.0/24 home network.

Please correct me if I'm wrong here, but my understanding of the NAT is that it allows the 192.168.1.0/24 network to go out under whatever 10.8.0.X IP the OpenVPN server gives me, so the OpenVPN server thinks it's only talking to a 10.8.0.X IP and has no idea how to reach my internal 192.168.1.0/24 network.

divsys

You mentioned:

> I'm the only person having issues, everyone else is using the tomato firmware on their routers

                                How many people are connecting simultaneously?

                                Any chance one (or more) of them has a LAN with a 192.168.1.0/24 subnet?

                                If two or more people connect via OpenVPN with the same external subnets, how does your VPS know which connection to use when routing a response to (for example) "192.168.1.12"?

It may be some work on your side, but can you try and change your LAN subnet to something other than 192.168.1.0/24 (say, 192.168.101.0/24)?

                                Normally OpenVPN setups are pretty simple and reliable, the fact that you're getting intermittent traffic makes me suspicious there's a fundamental conflict going on.

                                -jfp

jbiss_ca

                                  We are 4 people connected simultaneously.

                                  I've talked to two other people and we do have the same LAN with a 192.168.1.0/24 subnet.

                                  The VPS doesn't know about any of our LAN networks. When we connect through OpenVPN, we are each assigned a separate 10.8.0.X IP. For example, I currently have 10.8.0.14.

I have been running the same pfsense server for a few years now, always just doing upgrades, and I've tried out a few configs in the past. I'm starting to wonder if there may be some NATing options that should be checked/unchecked from the Advanced Settings menu option within PfSense. I'm going to set up a few installs of PfSense in a VM and compare with my current settings. I'm strongly leaning towards a NAT issue only because any test I do straight from the PfSense box always works, but it always has its own 10.8.0.X IP and doesn't need any NATing.

heper

@jbiss_ca:

> Does OpenVPN automatically do the NAT'ing in the background?

it does, once you assign an interface to the openvpn instance (interface-type = none)

jbiss_ca

                                      Just to do a quick recap, I'm not trying to access the Internet through the VPN on the VPS server. We have a VPS server running OpenVPN server and I want to have access to that samba shares hosted on that same server.

                                      I've configured as I think heper meant. I don't see any automatically created NAT rules in the GUI though.

My pfsense machine can still ping the VPS at 10.8.0.1, however any of my other machines can't, as shown in the picture. I tried to provide as much information as I thought would be useful.

(attachment: assigned_interface.png)

jbiss_ca

                                        Everything is now working, thank you very much divsys and heper for all the pointers.

                                        For those looking for a similar setup, here's what I needed to do.

I needed to assign the OpenVPN client connection to an interface, ex: OPT1, and set the Interface Type to none.

Under Firewall: Rules -> OPT1 tab, add the appropriate rules, ex: pass all traffic.

                                        Under Firewall: NAT -> Outbound tab, select the interface used for the OpenVPN connection (ex: OPT1) and add the destination network (ex: 10.8.0.0/24)

(attachments: nat_rule.PNG, firewall_rule.PNG, assign_interface.PNG)
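As an added example (not code from the thread, pfSense or OpenVPN), the Python below models the diagnosis the thread arrived at: it parses the pfSense route table posted earlier (plus a constructed 10.8.0.0/24 line for an added remote network), does the same longest-prefix lookup the kernel would, and then checks whether an outbound NAT rule on the tunnel interface rewrites the 192.168.1.0/24 source. The tuple representation of NAT rules, the interface name ovpnc3 and the helper names are assumptions.

```python
import ipaddress

# Route table in the format pfSense prints it (netstat -rn). The ovpnc3/lo0
# lines are the ones posted in the thread; the 10.8.0.0/24 line is constructed
# to show what adding the remote network to the client produces.
ROUTES_TEXT = """\
Destination Gateway Flags Use Mtu Netif Expire
10.8.0.0/24 10.8.0.13 UGS 2 1500 ovpnc3
10.8.0.1/32 10.8.0.13 UGS 4 1500 ovpnc3
10.8.0.13 link#13 UH 0 1500 ovpnc3
10.8.0.14 link#13 UHS 0 16384 lo0
"""

# Outbound NAT rules as (interface, source, destination) tuples: a constructed
# model of Firewall > NAT > Outbound, not pfSense's own rule format.
NAT_WITH_TUNNEL_RULE = [("ovpnc3", "192.168.1.0/24", "10.8.0.0/24")]

def parse_routes(text):
    """Turn netstat-style lines into (network, gateway, netif) tuples."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        dest, gw, _flags, _use, _mtu, netif = line.split()[:6]
        net = ipaddress.ip_network(dest if "/" in dest else dest + "/32")
        routes.append((net, gw, netif))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; None means the packet takes the default route (WAN)."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def nat_applies(nat_rules, netif, src, dst):
    """True if some outbound rule on netif covers this source/destination pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(netif == i and s in ipaddress.ip_network(sn)
               and d in ipaddress.ip_network(dn) for i, sn, dn in nat_rules)

def diagnose(routes, nat_rules, src, dst):
    """Explain what happens to a packet from LAN host src to tunnel address dst."""
    route = lookup(routes, dst)
    if route is None or not route[2].startswith("ovpnc"):
        return "no tunnel route"          # leaves via WAN, as the OP first observed
    if not nat_applies(nat_rules, route[2], src, dst):
        # The VPS has no route back to 192.168.1.0/24 (and several clients share
        # that subnet), so replies cannot reach src without source translation.
        return "routed via %s but source not translated" % route[2]
    return "ok via %s" % route[2]          # the server only sees the 10.8.0.x address
```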

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.