NAT to VPN Local Address



  • Hi Guys,

    I'm trying to setup NAT to an Address reachable through OpenVPN.

    Site A is the VPN server and has Public IP 1.1.1.1, network 192.168.5.0/24 and Site B is VPN Client and public IP 2.2.2.2, network 192.168.10.0/24.

    Goal is to have NAT Rule at Site A to 192.168.10.33 in site B.

    Everything in the VPN enviroment works. Both Sites can communicate with each other and I've already done the Outbound NAT on site B related with that IP so the 192.168.10.33 reachs the Internet through Site A.

    On Site A I've created a simple rule, NAT port 80 from WAN Address to 192.168.10.33.

    I've tried creating outbound NAT on Site B also but I guess it was not correct.

    What am I missing?

    Thanks in advance



  • @rgomez:

    Both Sites can communicate with each other and I've already done the Outbound NAT on site B related with that IP so the 192.168.10.33 reachs the Internet through Site B.

    192.168.10.33 is on site B. Which Outbound rules?

    Will you route all upstream traffic from 192.168.10.33 over the vpn to access the internet over site A?



  • Yes that was a mistake, the Site B 192.168.10.33 is routed to the Internet on site A over VPN.

    Outbound rules are created on Site B to allow such communication from Alias containing 192.168.10.33, and it works as expected 192.168.10.33 has public IP from WAN on Site A and other 192.168.0.x has Internet from site B.

    Site A has only the PortForward NAT rule and respective Firewall rule also.



  • Have you set up a site-to-site OpenVPN server and have you assigned an interface to both the server and the client?



  • Yes that is done correctly (I guess) because the Host on site B is reaching Internet through Site A.



  • You should know this, cause this could solve your issue.

    Anyway, you can also get it to work if you add an outbound NAT rule to site A's OpenVPN interface translating source addresses to the interface address.
    But with this rule, the source IPs are masqueraded and the destination host cannot see the real source address.

    Also you've to ensure that upstream packets from 192.168.10.33 are translated to the WAN address on site A. So will also have to add an additional rule for WAN if it's not done automatically by pfSense.
    The outbound NAT rule for openVPN you've added to site B is unnecessary.



  • @viragomann:

    You should know this, cause this could solve your issue.

    Anyway, you can also get it to work if you add an outbound NAT rule to site A's OpenVPN interface translating source addresses to the interface address.
    But with this rule, the source IPs are masqueraded and the destination host cannot see the real source address.

    Also you've to ensure that upstream packets from 192.168.10.33 are translated to the WAN address on site A. So will also have to add an additional rule for WAN if it's not done automatically by pfSense.
    The outbound NAT rule for openVPN you've added to site B is unnecessary.

    Are you sure? Without NAT rule for OpenVPN how can I route upstream traffic from that host to Site's A WAN? If I disable it I start going to Site's B WAN instead of A.



  • I asked above which Outbound NAT rule you exactly have.
    I do not know any outbound NAT rule (source-NAT), which can direct traffic to another gateway. You may have a firewall rule with GW set in place (policy routing) to direct traffic from 192.168.10.33 over VPN.



  • @viragomann:

    I asked above which Outbound NAT rule you exactly have.
    I do not know any outbound NAT rule (source-NAT), which can direct traffic to another gateway. You may have a firewall rule with GW set in place (policy routing) to direct traffic from 192.168.10.33 over VPN.

    Yes you are correct and I'm sorry. I have a firewall rule on Site's B LAN Interface with the OPT1 GW selected. I'm so confused after trying everything I can think of.

    I've ran a few Packet Captures and could find the request is reaching the 192.168.10.33 through OPT1, problem is that the response is done through WAN interface of Site's B and not Site's A WAN. But if I get to the VM and do a traceroute and also a Public IP check I get the WAN Address at Site A.



  • I see. But the policy routing by the filter rule handles only upstream traffic. That means connections which are established by 192.168.10.33, not responses to requests from other host. As I know, request flows are controlled by the reply-to statements which depends on the interface settings. That's why I've asked if you've assigned interfaces to the VPN client and server.

    As a workaround I suggested to add an outbound NAT rule to site A's OpenVPN servers interface. This would translate packets source addresses to the OpenVPN servers address when they are sent over the vpn. So responses from 192.168.10.33 would be addressed back to the vpn server and would be directed to the pfSense on site B (default gateway). There the packets would be forwarded over the vpn to site A.
    In your case, the packets which are forwarded to 192.168.10.33 have public source addresses, so responses are sent out to the default gateway (WAN GW).



  • That solves the issue.

    But is there any way to this with a more proper setup?