    VIP 1:1 with OpenVPN - It's working, but is it correct?

Guest

Still playing with my OpenVPN and trying to make it work with a VIP. I now have it working and all seems fine, but am I creating a problem I have not foreseen?

So this is what I have done:

OK, in the Virtual IPs, pick an address and set that and the mask to /29, and set the Interface to Localhost, not WAN; the type is IP Alias.

On NAT, create a 1:1 rule for that external IP and set the Internal IP to 127.0.0.1.

On VPN, use the wizard as normal to create the VPN, then edit the resultant instance of the server and change the Interface to Localhost. Save that.

Now the VPN creation wizard will have created firewall rules. In the WAN rules section, find that rule and set the destination to 127.0.0.1. Save that.

Finally create a new WAN rule:

Interface WAN,

Address family IPv4 and protocol UDP.

Source is ANY.

Destination is the WAN VIP address you have selected, and the port should be the same one that the VPN is set to, in my case 1195.

If I disable any one of the above then it does not work.

It works, but is it the best way?

viragomann

@marjohn56:

> OK, in the Virtual IPs, pick an address and set that and the mask to /29, and set the Interface to Localhost, not WAN; the type is IP Alias.

If it is a public IP which should be assigned to WAN, it should hook on the WAN interface, not on localhost.

@marjohn56:

> On NAT, create a 1:1 rule for that external IP and set the Internal IP to 127.0.0.1.

A NAT 1:1 to localhost? :o
Why that? You use the external address for a VPN server which is only awaiting incoming connections. It won't initiate any outgoing connection.
So a simple forward rule will do the job.

@marjohn56:

> Now the VPN creation wizard will have created firewall rules. In the WAN rules section, find that rule and set the destination to 127.0.0.1. Save that.

This rule makes no sense. No incoming packet on WAN will try to access the localhost.

Guest

The primary address is assigned using a PPPoE connection; the other addresses are a block assigned on that subnet. If I set up OpenVPN on the primary, perfect, no issues. If I try and use one of the other addresses, they are VIPs, then no go, won't work.

Now, I have seen other references to this issue on the forum where the solution is to use localhost, assign the VPN to that. Doing that alone still did not work; assigning the VIP to localhost AND assigning OpenVPN to that DOES work.

OK, port forward works nicely, replaced the 1:1 rule with that.

Edit: Port forward does NOT work, I obviously did not wait long enough for the rules to reload. Setting it back to 1:1 and removing the port forward, it's working again.

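The rule set that the working configuration in this thread amounts to, written as a pf.conf fragment (an added example, not code from either poster nor the rules pfSense itself generates; it approximates the 1:1 NAT and WAN rules described above and assumes pppoe0 as the WAN interface and a constructed VIP of 203.0.113.10):

```pf
# Constructed pf.conf fragment approximating the thread's setup.
# Assumptions: WAN is pppoe0, the VIP is 203.0.113.10 (documentation
# address), OpenVPN is bound to 127.0.0.1 on udp/1195.

wan       = "pppoe0"
vip       = "203.0.113.10"
ovpn_port = "1195"

# The 1:1 NAT (pfSense "1:1" maps to pf binat): inbound packets for the
# VIP have their destination rewritten to 127.0.0.1 before filtering,
# and replies from 127.0.0.1 are rewritten back to the VIP on the way out.
binat on $wan from 127.0.0.1 to any -> $vip

# The WAN rule the OpenVPN wizard created, edited to the translated
# destination. pf filters inbound traffic AFTER translation, so a pass
# rule has to match what the packet looks like post-binat: 127.0.0.1.
pass in quick on $wan proto udp from any to 127.0.0.1 port $ovpn_port

# The additional WAN rule the poster added for the untranslated address.
pass in quick on $wan proto udp from any to $vip port $ovpn_port

# The port-forward alternative suggested in the thread would replace the
# binat line with an rdr of the same shape (one direction only):
# rdr on $wan proto udp from any to $vip port $ovpn_port -> 127.0.0.1
```

Because pf applies binat/rdr translation before the filter rules on inbound traffic, the rule pointing at 127.0.0.1 is the one that actually matches the translated OpenVPN packets; when troubleshooting, check the loaded rules with `pfctl -sn` and `pfctl -sr` rather than relying on the GUI view alone.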
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.