Netgate Discussion Forum

NAT through OpenVPN tunnel

OpenVPN
meluvalli (last edited Oct 4, 2017, 8:41 AM)

@viragomann:

I presume your site B pfSense has a WAN gateway defined.
So if you forward packets from site A over VPN, response packets from B will be directed to the WAN gateway, since this is the default route.

@wessel:

I'm preparing a move from location A to location B, that's why I would like to pass some traffic through the tunnel.

So it will be okay to change the default route to the VPN server, I think. This can be done by checking "Redirect Gateway" in the OpenVPN server settings at site A.
If you do that, ensure that you have an outbound NAT rule at site B to translate source IPs to the interface IP on the OpenVPN interface.

If you don't want to route the whole upstream traffic over VPN from B, you can either route the traffic back to A or do NAT. But I think routing will not be an option, since you're not able to differentiate which destinations are to be routed over VPN.

To NAT, just add an outbound NAT rule at site A for the OpenVPN interface with destination = the subnets at B and translation = interface address. But with that, any access that comes over VPN seems to come from the VPN server itself and you have no way to determine the origin source address at site B.

I know this is an old post and I apologize for replying to it, but I was hoping you could help a little more on this…

I have the exact same setup. I am doing this for a mail server, so I must know the origin source from site A.

Is this possible? Right now it's showing everything is coming from my VPN server address.
viragomann (last edited Oct 4, 2017, 10:55 AM)

@meluvalli:

I have the exact same setup. I am doing this for a mail server, so I must know the origin source from site A.

Is this possible? Right now it's showing everything is coming from my VPN server address.

And like wessel, you have forwarded internet traffic from A to a server behind B and also want to access it from other devices in A's LAN network?
And does B also have its own upstream gateway?
meluvalli (last edited Oct 4, 2017, 5:48 PM)

@viragomann:

@meluvalli:

I have the exact same setup. I am doing this for a mail server, so I must know the origin source from site A.

Is this possible? Right now it's showing everything is coming from my VPN server address.

And like wessel, you have forwarded internet traffic from A to a server behind B and also want to access it from other devices in A's LAN network?
And does B also have its own upstream gateway?

On site A I have:
    Firewall NAT -> B.
    Outbound Mappings (2 of them):
        Interface: OpenVPN
        Destination: 10.99.0.0 (B Network)
        NAT Address: OpenVPN Address

        Interface: WAN
        Source: 10.99.0.0 (B Network)
        NAT Address: Interface Address

Then on site B I have:
    Default Gateway Set for VPN

This all works, but anything coming from site A to 10.99.. shows as coming from my VPN address (192.168..)
viragomann (last edited Oct 4, 2017, 7:57 PM)

Deactivate or delete the first one of the outbound NAT rules you've listed.

What was the reason for adding that rule? Since the S2S VPN is the default gateway on B, you won't need it.
Ensure that the VPN routes are set correctly (Local network, Remote network).
meluvalli (last edited Oct 5, 2017, 7:21 PM)

@viragomann:

Deactivate or delete the first one of the outbound NAT rules you've listed.

What was the reason for adding that rule? Since the S2S VPN is the default gateway on B, you won't need it.
Ensure that the VPN routes are set correctly (Local network, Remote network).

When I remove the first outbound rule, then it doesn't work at all.

I think I may have this really mixed up… I'm re-looking at your original answer...

@viragomann:

So it will be okay to change the default route to the VPN server, I think. This can be done by checking "Redirect Gateway" in the OpenVPN server settings at site A.
If you do that, ensure that you have an outbound NAT rule at site B to translate source IPs to the interface IP on the OpenVPN interface.

From looking at that response, it appears I should have the default gateway set for VPN on site A's network (not site B's).
And then the outbound NAT rule would be on site B.

Again, I am trying to forward incoming connections from site A to site B.

So would this be correct? I have the default gateway set for the VPN on site B (not site A). And I have the outbound rule on site A (not site B)…
viragomann (last edited Oct 6, 2017, 10:23 AM)

@meluvalli:

When I remove the first outbound rule, then it doesn't work at all.

What exactly??
A LAN > B LAN
Internet > A WAN > B LAN
both?

If your routes are set well and B uses the VPN as default gateway, there is no need for NATting between A and B. You only need an additional outbound NAT rule at A WAN for the B site's LAN, only for upstream connections.
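The following is an added example, not pfSense code and not posted by anyone in this thread: a small Python model of the packet path viragomann describes (internet client, site A port forward, tunnel, server at B, and the server's reply), with outbound NAT mappings written using the same fields as the pfSense Outbound NAT page. Every address except B's 10.99.0.0 LAN is constructed. It shows why the first mapping meluvalli listed makes the server see the tunnel address, why the setup still appears to work with that mapping even if B's default gateway is its own WAN, and why only the WAN mapping for B's LAN is needed once B routes by default through the tunnel.

```python
"""Packet-path model of the two-site setup in this thread (added example, not pfSense code).

Site A has the public WAN and a port forward for a mail server at site B. A
site-to-site OpenVPN tunnel joins the sites and site B uses the tunnel as its
default gateway. Outbound NAT mappings use the fields of the pfSense
Firewall > NAT > Outbound page (interface, source, destination, NAT address).
All addresses are constructed except B's 10.99.0.0 LAN, which the thread names.
Ports and state tracking are ignored; only addresses and egress interfaces are decided.
"""
from dataclasses import dataclass, replace
import ipaddress

CLIENT      = "198.51.100.77"     # internet client (constructed)
A_WAN_IP    = "203.0.113.10"      # site A public address, where the port forward lives (constructed)
A_VPN_IP    = "192.168.100.1"     # site A end of the tunnel, the "OpenVPN address" (constructed)
VPN_NET     = "192.168.100.0/24"  # tunnel network (constructed)
B_LAN       = "10.99.0.0/24"      # site B LAN (from the thread)
MAIL_SERVER = "10.99.0.25"        # server behind site B (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class OutboundNat:
    """One outbound NAT mapping at site A."""
    interface: str            # egress interface: "OpenVPN" or "WAN"
    nat_address: str          # translation (new source) address
    source: str = "any"
    destination: str = "any"


def _in(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def apply_outbound_nat(pkt, egress_if, rules):
    """First mapping that matches the egress interface, source and destination wins."""
    for rule in rules:
        if rule.interface == egress_if and _in(rule.source, pkt.src) and _in(rule.destination, pkt.dst):
            return replace(pkt, src=rule.nat_address), rule
    return pkt, None


def site_a_egress(pkt):
    """Site A routing table: B's LAN is reachable over the tunnel, everything else via WAN."""
    return "OpenVPN" if _in(B_LAN, pkt.dst) else "WAN"


def trace_port_forward(rules_a, b_default_gw="OpenVPN"):
    """Internet client -> A WAN port forward -> tunnel -> mail server, then the server's reply.

    Returns the source address the server logs and whether the reply travels back
    through site A (the only path on which A's port forward can undo its translation).
    """
    pkt = Packet(CLIENT, A_WAN_IP)
    pkt = replace(pkt, dst=MAIL_SERVER)                 # port forward on A's WAN
    pkt, rule = apply_outbound_nat(pkt, site_a_egress(pkt), rules_a)
    server_sees = pkt.src
    reply = Packet(MAIL_SERVER, server_sees)
    # site B routing: LAN and tunnel are directly connected, everything else uses the default gateway
    if _in(B_LAN, reply.dst) or _in(VPN_NET, reply.dst):
        reply_path = "OpenVPN"
    else:
        reply_path = b_default_gw
    return {"server_sees": server_sees,
            "nat_rule_hit": rule,
            "reply_returns_via_a": reply_path == "OpenVPN"}


def trace_b_upstream(rules_a, b_host="10.99.0.50", internet_host="192.0.2.1"):
    """Site B host -> tunnel -> site A -> WAN. Returns the source address the internet sees."""
    pkt = Packet(b_host, internet_host)                 # arrives at A over the tunnel
    pkt, _ = apply_outbound_nat(pkt, site_a_egress(pkt), rules_a)
    return pkt.src


# The two mappings meluvalli listed at site A
NAT_ON_TUNNEL = OutboundNat("OpenVPN", A_VPN_IP, destination=B_LAN)
NAT_ON_WAN = OutboundNat("WAN", A_WAN_IP, source=B_LAN)

AS_POSTED = [NAT_ON_TUNNEL, NAT_ON_WAN]   # server sees only the tunnel address
CORRECTED = [NAT_ON_WAN]                  # first mapping removed, as viragomann advised

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, trace_port_forward(rules), "upstream src:", trace_b_upstream(rules))
    print("corrected, but B's default gateway on its own WAN:",
          trace_port_forward(CORRECTED, b_default_gw="WAN"))
```

Running the module prints both rule sets. The `reply_returns_via_a` flag is what breaks when B's default gateway stays on its own WAN, which is the situation the first quoted paragraph in this thread warns about: with NAT on the tunnel the server's reply is always addressed to the tunnel endpoint, so the routing problem is hidden, but so is the client address the mail server needs. With the tunnel mapping removed, the reply carries the real client address and only comes back through A if B's default route is the tunnel; the WAN mapping for 10.99.0.0/24 then handles B's own upstream traffic, nothing else.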
meluvalli (last edited Oct 8, 2017, 6:20 AM)

@viragomann:

@meluvalli:

When I remove the first outbound rule, then it doesn't work at all.

What exactly??
A LAN > B LAN
Internet > A WAN > B LAN
both?

If your routes are set well and B uses the VPN as default gateway, there is no need for NATting between A and B. You only need an additional outbound NAT rule at A WAN for the B site's LAN, only for upstream connections.

NAT A -> B is what doesn't work.

Both A & B can get out fine. But incoming connections from site A won't go to site B. When I add back in that top outbound rule, it works, but all traffic coming from A -> B shows as my VPN IP instead of the actual address of whoever is coming in.
Derelict LAYER 8 Netgate (last edited Oct 8, 2017, 8:18 AM)

https://forum.pfsense.org/index.php?topic=82732.msg453269#msg453269

Pay close attention to assigning an interface on the destination server side, and that the rules passing the traffic there cannot match on the OpenVPN group tab but must match on the assigned interface tab instead.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
meluvalli (last edited Oct 12, 2017, 5:09 AM)

@Derelict:

https://forum.pfsense.org/index.php?topic=82732.msg453269#msg453269

Pay close attention to assigning an interface on the destination server side, and that the rules passing the traffic there cannot match on the OpenVPN group tab but must match on the assigned interface tab instead.

Derelict: I have made sure I don't have allow all on both the OPT1 and OpenVPN tabs. Still have the same issue. Anything coming in from site A to site B shows as my OpenVPN server's IP instead of coming from the true IP of the client on the WAN side.

:(
Derelict LAYER 8 Netgate (last edited Oct 12, 2017, 6:03 AM)

Then you are still performing NAT there. Turn that off.
meluvalli (last edited Oct 13, 2017, 7:09 AM)

Ok! Got it working finally!

Thank you both for your help! I tried to give thanks to both, but the system wouldn't let me :( Can only give thanks to one of you :(

Ok, so it turns out you were both right. I needed the firewall setup for OPT1 and not OpenVPN. This was part of the fix.

The other part of the fix was removing the first outbound rule as suggested by viragomann. When I tested this before, it wasn't working…. Come to find out, it doesn't work if I telnet from A to B back to A. I had to test it from an outside source and it worked. I was thinking it was broken because I couldn't telnet into it from A's pfSense box... pfSense doesn't like going out from A to B and back to A for some reason, but I'm ok with this!

I'm just VERY thankful it works and wanted to say thank you to the both of you!!!!!
akron (last edited Feb 12, 2018, 10:13 AM)

@meluvalli:

Ok! Got it working finally!

Thank you both for your help! I tried to give thanks to both, but the system wouldn't let me :( Can only give thanks to one of you :(

Ok, so it turns out you were both right. I needed the firewall setup for OPT1 and not OpenVPN. This was part of the fix.

The other part of the fix was removing the first outbound rule as suggested by viragomann. When I tested this before, it wasn't working…. Come to find out, it doesn't work if I telnet from A to B back to A. I had to test it from an outside source and it worked. I was thinking it was broken because I couldn't telnet into it from A's pfSense box... pfSense doesn't like going out from A to B and back to A for some reason, but I'm ok with this!

I'm just VERY thankful it works and wanted to say thank you to the both of you!!!!!

I have the exact same setup as you and am also facing the issue that, on removing the first outbound rule from site A, the NAT stops working.

I can live with all my traffic showing as coming from the VPN, but wanted to know how you achieved the clean NAT from site A to site B without the first outbound rule on the VPN interface.

Cheers
akron (last edited Feb 12, 2018, 11:01 AM)

@Derelict:

Then you are still performing NAT there. Turn that off.

Would you be able to explain?

Thank you
bartounet16000 referenced this topic on Aug 21, 2022, 2:16 PM