Why do I need Outbound NAT to go over VPN?
-
I have a site-to-site OpenVPN setup, partly as described here:
https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1
Besides that, there is a VPS with an OpenVPN server on it.
The OpenVPN server IP on the VPS is 10.4.0.1.
The OpenVPN client IP is 10.4.0.5 (this is the pfSense client).
Both are in 10.4.0.0/24.
The net behind the pfSense with the OpenVPN client is 192.168.5.0/24.
Now, there is another pfSense box with an identical setup, whose LAN subnet is 192.168.15.0/24.
Let's say I ping from 192.168.5.100 to 192.168.15.1. It goes as 192.168.5.100 => 10.4.0.5 =====> 10.4.0.1 =====> 10.4.0.15 => 192.168.15.1
If I tcpdump on the VPS, it shows the ping coming from 10.4.0.5, and I get a reply back. That is OK, since there is an outbound NAT: 192.168.5.100 => 10.4.0.5
If I disable outbound NAT, I see the ping on the VPS from 192.168.5.100 => 192.168.15.1, but no reply back.
1.
As far as I understand, the only reason the outbound NAT is in place is to find a return route to 192.168.5.1? Is there a way to overcome this?
Both 192.168.5.0/24 and 192.168.15.0/24 are exposed in OpenVPN via iroute, and there is a corresponding route in the server's openvpn.conf. Here are the relevant routes on the VPS (OpenVPN server):
10.4.0.0/24 dev tun1 proto kernel scope link src 10.4.0.1
192.168.5.0/24 via 10.4.0.1 dev tun1
192.168.15.0/24 via 10.4.0.1 dev tun1
2.
Is there a way for pfSense to reach VPS services listening on 10.4.0.1 without outbound NAT? I have no problem accessing it (the server tun IP) with outbound NAT disabled.
But I need to keep outbound NAT for #1, to access the nets beyond the OVPN VPS.
I cannot just add another VPN server/client for that. Let's say I add one, VPS OVPN 10.5.0.1.
Then, if I add a return route/iroute back to 192.168.5.0/24, it won't be added. Why? There is already a route on the server to 192.168.5.0/24 via 10.4.0.0/24, and 192.168.5.0/24 won't pass:
/sbin/ip route add 192.168.5.0/24 via 10.5.0.1
RTNETLINK answers: File exists.
Obviously, this is a duplicate route.
The reason is that I am planning to move SIP telephones over the VPN with no NAT involved, since all parts of the private subnets are routable. Ideally, I can manage #1 and #2 so that NAT is not needed at all.
-
You don't need or want NAT. Both LANs on either side of the OpenVPN instance need to have routes to each other.
You need to push a route for 192.168.15.0/24 to the 192.168.5.0/24 site and push a route for 192.168.5.0/24 to the 192.168.15.0/24 site.
Firewall rules on both sites' OpenVPN tabs (or assigned interfaces) have to pass incoming connections from the desired sources.
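As an added illustration of the answer above (example script, not from the thread or from pfSense/OpenVPN documentation), the following POSIX shell script emits the server-side OpenVPN configuration for the VPS that makes the two LANs routable to each other with no outbound NAT: a kernel `route` for each site LAN in server.conf, and a ccd file per client carrying `iroute` for the LAN that client owns (the "return route" the question's NAT was standing in for) plus `push "route ..."` for every other site's LAN. The client common names `site5` and `site15`, the `ccd` directory name and the output file names are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's own config): generate server.conf and
# per-client ccd files so that 192.168.5.0/24 and 192.168.15.0/24 reach each
# other over the 10.4.0.0/24 OpenVPN tunnel without outbound NAT.
# Assumed client common names: site5 and site15.
set -eu

TUN_NET='10.4.0.0 255.255.255.0'

# Constructed site table, one line per pfSense client:
#   <client common name>:<LAN network>:<LAN netmask>
SITES='site5:192.168.5.0:255.255.255.0
site15:192.168.15.0:255.255.255.0'

# server.conf: "route" installs a kernel route for each site LAN pointing at the
# tun interface (so the VPS itself, and OpenVPN, send those nets into the tunnel);
# client-config-dir enables the per-client iroute/push entries below.
server_conf() {
    printf 'server %s\n' "$TUN_NET"
    printf 'client-config-dir ccd\n'
    printf '%s\n' "$SITES" | while IFS=: read -r cn net mask; do
        printf 'route %s %s\n' "$net" "$mask"
    done
}

# ccd/<cn>: "iroute" tells OpenVPN which client a LAN lives behind (without it,
# replies for 192.168.5.0/24 have no return path and the ping gets no answer);
# "push route" hands every *other* site's LAN to this client so its pfSense
# routes that net into the tunnel. A site never gets its own LAN pushed back.
ccd_entry() {
    cn="$1"
    printf '%s\n' "$SITES" | while IFS=: read -r c net mask; do
        if [ "$c" = "$cn" ]; then
            printf 'iroute %s %s\n' "$net" "$mask"
        else
            printf 'push "route %s %s"\n' "$net" "$mask"
        fi
    done
}

# Write server.conf and ccd/<cn> files under the directory given as $1.
write_config() {
    dir="$1"
    mkdir -p "$dir/ccd"
    server_conf > "$dir/server.conf"
    printf '%s\n' "$SITES" | while IFS=: read -r cn net mask; do
        ccd_entry "$cn" > "$dir/ccd/$cn"
    done
}

# Stand-alone run: print the generated configuration instead of writing it.
server_conf
printf '%s\n' "$SITES" | while IFS=: read -r cn net mask; do
    printf '\n# ccd/%s\n' "$cn"
    ccd_entry "$cn"
done
```

Two caveats a practitioner would check alongside this: on each pfSense client the OpenVPN instance must actually accept the pushed routes (or have the other site's LAN listed as a remote network, which adds the same static route over the tunnel), and the OpenVPN-tab firewall rule must pass traffic from the real source net (192.168.5.0/24, 192.168.15.0/24), not just from 10.4.0.0/24, because without NAT that is the source address the other side sees. On the VPS, unless `client-to-client` is enabled, packets between the two clients cross the Linux kernel, so IP forwarding and the FORWARD chain on tun1 must allow them (assumption about the VPS's firewall, not stated in the thread).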
-
Indeed, it worked.
Starting with the tutorial's rules, the remote pfSense had OVPN net access (10.4.0.0/24), but not the source machine, whose IP was no longer masqueraded by NAT.
Adding a rule for source net 192.168.5.0/24 made everything work, which makes sense.
Time to clean up the rules and get rid of the manual outbound NAT, especially since pfSense 2.2 aliases made things way cleaner.
Thanks a lot!