NAT OpenVPN Client Traffic

johnpoz

So you have a road warrior that needs to get to your network. So you setup your server listing your network(s) as local right? Post up your vpn server setup..

If that is not setup then no they wouldn't know to come down the tunnel to get to your network. When they try and connect to your game server on say IP 192.168.1.100

And what is this 1.1.1.2 - your not trying to use public IP space you clearly do not own on your local network?

Derelict

You are going to have to be much more detailed on what you are trying to do.

Where are the clients?

What/where is the server?

What home IPs are you trying to hide?

Is 1.1.1.2 a VPN endpoint? In that case it would be up to THAT side to route the reply traffic back out the tunnel it arrived on instead of out the default gateway.

Or you have to Outbound NAT that traffic to the OpenVPN tunnel address. In that case the server will lose the ability to see the actual source IP address.

Soarin

@derelict Thank you for the response

The clients are anywhere in America, it's an OpenVPN Client I send to any friend who wants to home host without fear of being DDoSd.
The server will be ran on their computers or server machines along with the OpenVPN client

No specific home IP, I suppose just my LAN network but I think a simple OpenVPN rule will do that for me.

1.1.1.2 is the IP of a client when they're connected on their computer, I port forwarded to 1.1.1.2 because that was my IP on the VPN.

Soarin

@johnpoz
Thank you for the response!
The idea is to have the road warrior be able to run a public game/voice server on their computer and people who want to connect will use my WAN IP and it routes from my WAN -> Road Warrior's VPN IP on his computer (1.1.1.2 in this case), making it so he can run a server safely.
I do this with my GRE tunnels, that setup works if I Redirect Gateway but if I don't do that and set a game server to use my OpenVPN adapter it doesn't work.

Sorry if this is confusing, not quite sure how to explain it. I'll give any information requested

EDIT:
This is how I have it setup without redirect gateway and it doesn't work, I'd ideally like to have no redirect gateway so people don't forward anything other than game traffic.

Derelict

When the "Road Warrior" receives a connection across the VPN that is forwarded from an arbitrary address the reply traffic will use the default gateway on that host - the target host - the road warrior host.

That is why it works when you use redirect gateway.

You either need to:

1. Use a client that has routing special sauce like reply-to in pf.
2. Assign an interface to the OpenVPN server and perform outbound NAT on that for the port-forwarded traffic. The server will lose the ability to see the client's real IP address but connections will appear to come from - and reply traffic will go to - the server's tunnel address instead of the arbitrary real address of the connecting host.

It has nothing to do with the OpenVPN server or client configuration.

johnpoz

^ exactly... And Why and the F would you use a public IP range for your tunnel network? Come on... Makes ZERO sense!!!

Derelict

And your tunnel network should not be defined as a local network too.

Neither 1.1.1.0/24 not 172.100.100.0/24 are available for use as private networks as far as the standards are concerned.

Soarin

@johnpoz @Derelict Oh man, if you saw the horrors of other ranges and configurations I had setup trying to get this to work you would have to read a pfSense bible to try to forget what you would've seen.

Soarin

@derelict Thank you for the insight, I'll try this now!

Derelict

@soarin said in NAT OpenVPN Client Traffic:

@johnpoz @Derelict Oh man, if you saw the horrors of other ranges and configurations I had setup trying to get this to work you would have to read a pfSense bible to try to forget what you would've seen.

I still fail to see a valid reason to stray from RFC1918.