NAT OpenVPN Client Traffic
-
@soarin said in NAT OpenVPN Client Traffic:
Encryption would increase the latency and lower throughput, trying to make it similar to a GRE tunnel but something that's downloaded and ran as a client for ease of use to friends & other people who would be interested in home hosting but not the fear of an attack.
That logic is flawed, if a (game) server is public reachable it can be attacked, no matter how the traffic is routed to it.
-
So you have a road warrior that needs to get to your network. So you setup your server listing your network(s) as local right? Post up your vpn server setup..
If that is not setup then no they wouldn't know to come down the tunnel to get to your network. When they try and connect to your game server on say IP 192.168.1.100
And what is this 1.1.1.2 - your not trying to use public IP space you clearly do not own on your local network?
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
You are going to have to be much more detailed on what you are trying to do.
Where are the clients?
What/where is the server?
What home IPs are you trying to hide?
Is 1.1.1.2 a VPN endpoint? In that case it would be up to THAT side to route the reply traffic back out the tunnel it arrived on instead of out the default gateway.
Or you have to Outbound NAT that traffic to the OpenVPN tunnel address. In that case the server will lose the ability to see the actual source IP address.
-
@derelict Thank you for the response
The clients are anywhere in America, it's an OpenVPN Client I send to any friend who wants to home host without fear of being DDoSd.
The server will be ran on their computers or server machines along with the OpenVPN clientNo specific home IP, I suppose just my LAN network but I think a simple OpenVPN rule will do that for me.
1.1.1.2 is the IP of a client when they're connected on their computer, I port forwarded to 1.1.1.2 because that was my IP on the VPN.
-
@johnpoz
Thank you for the response!
The idea is to have the road warrior be able to run a public game/voice server on their computer and people who want to connect will use my WAN IP and it routes from my WAN -> Road Warrior's VPN IP on his computer (1.1.1.2 in this case), making it so he can run a server safely.
I do this with my GRE tunnels, that setup works if I Redirect Gateway but if I don't do that and set a game server to use my OpenVPN adapter it doesn't work.
Sorry if this is confusing, not quite sure how to explain it. I'll give any information requested
EDIT:
This is how I have it setup without redirect gateway and it doesn't work, I'd ideally like to have no redirect gateway so people don't forward anything other than game traffic.
-
When the "Road Warrior" receives a connection across the VPN that is forwarded from an arbitrary address the reply traffic will use the default gateway on that host - the target host - the road warrior host.
That is why it works when you use redirect gateway.
You either need to:
- Use a client that has routing special sauce like reply-to in pf.
- Assign an interface to the OpenVPN server and perform outbound NAT on that for the port-forwarded traffic. The server will lose the ability to see the client's real IP address but connections will appear to come from - and reply traffic will go to - the server's tunnel address instead of the arbitrary real address of the connecting host.
It has nothing to do with the OpenVPN server or client configuration.
Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM) -
^ exactly... And Why and the F would you use a public IP range for your tunnel network? Come on... Makes ZERO sense!!!
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
And your tunnel network should not be defined as a local network too.
Neither 1.1.1.0/24 not 172.100.100.0/24 are available for use as private networks as far as the standards are concerned.
-
@johnpoz @Derelict Oh man, if you saw the horrors of other ranges and configurations I had setup trying to get this to work you would have to read a pfSense bible to try to forget what you would've seen.
I hardly understand pfSense but it was love at first sight.
-
@derelict Thank you for the insight, I'll try this now!
-
@soarin said in NAT OpenVPN Client Traffic:
@johnpoz @Derelict Oh man, if you saw the horrors of other ranges and configurations I had setup trying to get this to work you would have to read a pfSense bible to try to forget what you would've seen.
I still fail to see a valid reason to stray from RFC1918.
