OpenVPN Client and NAT
-
Yes, this is the default GW.
Routing is enabled by default but the target system has no route backward to my network.
(see picture)
-
You need to tell the remote firewall to route the local client's network. pfSense does this in the VPN client setup web page, 'remote network(s)' I believe. Maybe the remote firewall has a 'custom options' thing like pfSense? Try 'route 192.168.5.0 255.255.255.0' or something like that. Good luck.
-
Unfortunately, the routing setup on the remote site is not possible.
I think I need an Outbound NAT on pfSense, but I don't know how to set it up without an interface.
-
A VPN server on a router without a routing option makes no sense.
Anyway, yes, you may solve it by NAT if there is no other way.
If you are running multiple OpenVPN instances on the pfSense, you have to assign an interface to that client first. To do so, go to Interfaces > Assign, at "available network port" select your client instance and click Add. Then open the interface setting, check enable and enter an appropriate name.
Natting:
Go to Firewall > NAT > Outbound
Ensure that the mode is set to hybrid or manual. Add a new rule:
Interface: the interface you've added above. If you haven't, select OpenVPN
Source: any
Destination: any
Translation: interface address
Since the VPN is only for that one connection there is no need to restrict source and destination.
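To see why source NAT on the OpenVPN client interface fixes the "no route backward" problem, here is a small added simulation (not code from the post above and not pfSense code) of the two routing tables and the outbound NAT rule described above. The addresses are constructed from the thread's drawing: the local LAN 192.168.3.0/24, the tunnel address 192.168.177.170 that pfSense gets from the remote server, and the remote host 192.168.143.9. The interface names ovpnc1 and tun0 are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (from the thread's drawing).
LAN_HOST = ipaddress.ip_address("192.168.3.210")      # test client on the local LAN
OVPN_ADDR = ipaddress.ip_address("192.168.177.170")   # pfSense's own address inside the tunnel
REMOTE_HOST = ipaddress.ip_address("192.168.143.9")   # server behind the remote firewall

# Routing tables as (prefix, interface) lists; longest prefix wins.
# Interface names are assumptions for this example.
PFSENSE_ROUTES = [
    ("192.168.3.0/24", "lan"),
    ("192.168.143.0/24", "ovpnc1"),   # route pushed by the remote server when the tunnel comes up
    ("0.0.0.0/0", "wan"),
]
# The remote firewall knows its tunnel pool and its own LAN but has NO route
# to 192.168.3.0/24: this is the "no route backward" from the thread.
REMOTE_ROUTES = [
    ("192.168.177.0/24", "tun0"),
    ("192.168.143.0/24", "lan"),
    ("0.0.0.0/0", "wan"),
]


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface name for dst."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


@dataclass
class NatRule:
    """One pfSense outbound NAT rule: interface, source, destination, translation."""
    interface: str
    source: str          # "any" or a CIDR string
    destination: str     # "any" or a CIDR string
    translation: ipaddress.IPv4Address   # the "interface address" choice in the form


def apply_outbound_nat(src, dst, egress_iface, rules):
    """Return the source address the packet carries after outbound NAT on egress_iface."""
    for r in rules:
        if r.interface != egress_iface:
            continue
        if r.source != "any" and src not in ipaddress.ip_network(r.source):
            continue
        if r.destination != "any" and dst not in ipaddress.ip_network(r.destination):
            continue
        return r.translation
    return src   # no matching rule: packet leaves with its original source


def round_trip(src, dst, rules):
    """Simulate one packet from src to dst through pfSense and the remote side's reply."""
    egress = lookup(PFSENSE_ROUTES, dst)
    tunnel_src = apply_outbound_nat(src, dst, egress, rules)
    # The remote host replies to whatever source address it saw in the tunnel.
    reply_iface = lookup(REMOTE_ROUTES, tunnel_src)
    return {
        "egress": egress,
        "tunnel_src": str(tunnel_src),
        "reply_via": reply_iface,
        "reply_reaches_pfsense": reply_iface == "tun0",
    }


# The rule from the post above: interface = the assigned OpenVPN client
# interface, source any, destination any, translation = interface address.
OUTBOUND_NAT = [NatRule("ovpnc1", "any", "any", OVPN_ADDR)]

if __name__ == "__main__":
    print("without NAT:", round_trip(LAN_HOST, REMOTE_HOST, []))
    print("with NAT:   ", round_trip(LAN_HOST, REMOTE_HOST, OUTBOUND_NAT))
```

Without the rule the LAN packet enters the tunnel with source 192.168.3.210, and the remote firewall sends the reply out its default route instead of back into the tunnel; with the rule the source becomes 192.168.177.170, which the remote side does know how to reach. A ping sourced from the tunnel address itself works either way, which is exactly why a test from the OpenVPN interface can succeed while one from the LAN fails.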
-
In this case, I believe that the local pfSense should be pushing the route to 192.168.5.0/24 to the remote firewall to tell it to send the packets back. Try adding in the custom options section of the local pfSense push "route 192.168.5.0 255.255.255.0" to force your client instance to send that to the remote firewall? Although, I thought pfSense did that automatically…
-
You think a client can push a route to a server?
???
-
It will not :)
I'll try the NAT shortly…
-
"You think a client can push a route to a server?" Right, whoops! :) Thanks for the correction.
-
Hello,
After this NAT the OVPN tunnel is stable because the local heartbeat traffic works.
But the client cannot access the server yet (see new attachments).
The automatic routing transfers packets automatically into the tunnel. I can disable this route in the client (Do not add/remove routes automatically), but in this case the packet was not in the tunnel…
Maybe I should add a new gateway for the OVPN tunnel and add static NAT to the OVPN interface?
(Now the automatic route transfers packets to the OVPN interface's gateway.)
BR,
Istvan
-
Hello,
the gateway for the OpenVPN network is configured automatically when the connection is established. You should not add a gateway manually.
However, the "Routes in pfSense" shown in the drawing may not be correct. It has to point to 192.168.177.125 like it is shown in the route line underneath.
The packet capture looks strange. I can't find in the drawing where the source IP 192.168.3.210 comes from. Besides that, with the NAT rule I suggested, the source IP has to be the OpenVPN client's IP 192.168.177.126 in the OpenVPN tunnel, no matter what the real source is.
So I think you did something wrong.
As mentioned, as long as you are running only one OpenVPN instance, there is no need to assign an interface to it. However, it won't be a drawback if you do that.
The OpenVPN interface is an interface group in the strict sense and includes all OpenVPN instances, regardless of whether it's a client or a server.
br
-
I have 2 OVPN servers and one client configured.
I updated the picture, because the route was mistyped.
The ping from the OVPN interface to the server is OK, but when I ping from the LAN interface, no response.
If I use Outbound NAT, it should replace the source IP address (e.g. 192.168.3.1) with the OVPN address (192.168.177.170), if I understand right.
-
As already mentioned, if you're running multiple OpenVPN instances you must assign an interface to the site-to-site client for enabling correct routing.
Also I still haven't got where the 192.168.3.1 comes from. It is shown in "ping from LAN interface", but in the drawing your LAN is 192.168.5.1.
-
Yes, correct, I made a mistake in the pic: 192.168.5.5 -> 192.168.3.5 (this was the previous config, corrected it).
I already assigned the OVPN client to an interface (name: CORBA).
The routing is correct and the traffic is routed to the tunnel, but the other end (server) has no route backward.
(Because this is not a site-to-site VPN, just a client VPN config.)
This is why I need NAT. Outbound NAT configured.
-
The new network schema includes the same mistakes as the former. So still no clearness here.
Also I don't understand the meaning of the "Port test from pfSense". "Connect to the server on TCP 3389 from OpenVPN interface"???
Do you mean the one capture is taken on the OpenVPN interface and the other one on LAN?
If so, what was the real source IP?
-
The client subnet is 192.168.3.0/24. Now the test client IP is 192.168.3.210 (corrected on the previous pic).
My test cases are the following:
1; ping from pfsense OVPN interface to server (192.168.177.170->192.168.143.9) -> success
2; ping from pfsense LAN interface to server (192.168.3.1->192.168.143.9) -> failed, no route backward
3; PORT test from pfsense OVPN interface to server (192.168.177.170->192.168.143.9:3389) -> success
4; PORT test from pfsense LAN interface to server (192.168.3.1->192.168.143.9:3389) -> failed
5; ping from test client to server (192.168.3.210 -> 192.168.143.9) -> failed, the packet capture shows these packets also
6; PORT test from test client to server (192.168.3.210 -> 192.168.143.9:3389) -> failed, the packet capture shows these packets also
I always made the capture on the pfsense OVPN interface.
-
It seems that your Outbound NAT rule is not working.
Please post the Outbound NAT page for verifying the settings.
-
Yes, it seems to be…
-
The Outbound NAT settings look fine, however, the rule seems not to be applied.
Ensure that the firewall is not disabled in System > Advanced > Firewall & NAT.
Also please take the capture you've made before on the COBRA interface, to confirm that the packets are routed into the correct vpn tunnel.
-
All settings are default.
The NAT between the LAN-WAN (and OPT1) works as expected. (I use a dual-WAN config and Gateway groups.)
The packet capture showed the packets with their original addresses.