Route traffic instead of doing an "Outbound NAT"



  • Hello,
    I've set up an OpenVPN server and client. The VPN works but I also want access to the LAN behind the client.

    SITE0:
    OpenVPN server:
    Tunnel Network: 10.0.0.1/24
    Custom Options: "route 192.168.1.0 255.255.255.0;route 192.168.0.0 255.255.255.0;"

    Client-Specific-Overrides for the client:
    IPv4 Remote Network: 192.168.1.0/24
    Custom Options: "ifconfig-push 10.0.0.10 10.0.0.1"

    Firewall on VPN interface:
    (see attachment: "SITE0 Firewall VPN.png")

    SITE1:
    OpenVPN client, which has no advanced settings. It just connects to SITE0.

    Firewall on VPN interface:
    (see attachment: "SITE1 Firewall VPN.png")

    Firewall on LAN interface:
    (see attachment: "SITE1 Firewall LAN.png")


    Now I can ping from SITE0:

    • 10.0.0.1 - which is the address of the VPN interface of SITE1

    • 192.168.1.1 - which is the address of the LAN interface of SITE1

    I can not ping from SITE0:

    • 192.168.1.15 - which is the address of a device in the LAN network of SITE0

    After adding an "Outbound NAT" on SITE0 I can ping 192.168.1.15.

    (see attachment: "SITE1 Outbound NAT.png")

    Why is this the case? I want to do it without NATing so the source address doesn't get changed. I also really want to understand what the Outbound NAT does and how it can work without it. What is blocking it?


    Things I tried for debugging to get it work without Outbound NAT:

    • I did a packet capture on SITE1 on the VPN client interface - ICMP packets arrive but get no reply

    • I did a packet capture on SITE1 on the LAN interface - No packets arrive

    • I watched pfInfo for blocked packets - No results

    ![SITE0 Firewall VPN.png](/public/imported_attachments/1/SITE0 Firewall VPN.png)
    ![SITE1 Firewall VPN.png](/public/imported_attachments/1/SITE1 Firewall VPN.png)
    ![SITE1 Firewall LAN.png](/public/imported_attachments/1/SITE1 Firewall LAN.png)
    ![SITE1 Outbound NAT.png](/public/imported_attachments/1/SITE1 Outbound NAT.png)


  • Rebel Alliance Global Moderator

    Here is the thing… even if you can route your packet to a device behind your vpn client or even on the same network as the vpn client.

    That device is NOT going to know how to get back to your network, since its default gateway for sure is not the vpn client connection.

    If you need to connect site 0 and 1 and or A and B together then you need to create a site to site vpn and do the correct routing between sites.

    If you want to get into some remote network that your vpn client has access to - you would need to source nat the traffic so that remote network thinks it's coming from the vpn client.



  • But the SITE0 SITE1 does have routes to route back to the VPN client interface:

    default            192.168.2.1        UGS        igb0
    10.0.0.0&0xa000001 10.0.0.1           UGS      ovpnc2
    10.0.0.1           link#9             UH       ovpnc2
    10.0.0.10          link#9             UHS         lo0
    10.0.8.0           10.0.8.2           UGS      ovpns1
    10.0.8.1           link#8             UHS         lo0
    10.0.8.2           link#8             UH       ovpns1
    localhost          link#7             UH          lo0
    192.168.1.0        link#2             U          igb1
    **********        link#2             UHS         lo0
    192.168.2.0        link#1             U          igb0
    192.168.2.132      link#1             UHS         lo0
    
    

    I think the 0.0.0.0/24 route should allow the routing back, right?

    EDIT: The 10.0.0.0&0xa000001 looks weird. It was /24. What is going on here?  :P
    EDIT: I did not assign the ovpnc2 or ovpns1 interfaces on SITE1 and SITE0.


  • Rebel Alliance Global Moderator

    Comes down to the IP behind the client you're trying to talk to!!!

    you have this

    Box A –- vpnclient --- internet (vpn) ---- vpnserver --- Box B

    So while vpnclient knows how to get to Box B through its tunnel connection, and box B can get to the vpnclient through its default route to pfsense, how does some Box A behind vpnclient know to talk to the vpnclient to get to Box B's IP??

    If you want to connect 2 sites, then use a site 2 site vpn and setup the appropriate routing..

    Unless you nat the traffic so it looks like it's coming from vpnclient's IP on that network, box A will just send traffic to its default gateway - which is not vpnclient, is it.



  • I'm not sure if I understood it now:

    I tried to ping 192.168.1.15 which is a host in a network of SITE0. That host has a route to the pfsense of SITE0 but does not know about the pfsense of SITE1. Therefore it can not route it back!

    Does that sound correct to you?

    In order to fix that I would need to add a route on 192.168.1.15 to route the packet to the pfsense of SITE0 which knows how to route it back to SITE1.
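    As an added illustration of the moderator's Box A / Box B explanation and the return-route fix discussed above (example code written for this thread, not from the original posts or from pfSense), a small Python model of the forwarding decisions on Box A. It assumes, as a constructed scenario, that Box A's default gateway is a separate router 192.168.1.254 rather than the VPN client at 192.168.1.1, and that the ping arrives from the server's tunnel address 10.0.0.1.

```python
import ipaddress

# Constructed topology (assumption for this example, built on the thread's addresses):
#   SITE0 --tunnel 10.0.0.0/24-- vpnclient (LAN 192.168.1.1) --- Box A 192.168.1.15
# Box A's default gateway is a different router, 192.168.1.254 (the moderator's
# scenario); the server's tunnel address 10.0.0.1 is the ping's source.
ECHO_SRC = "10.0.0.1"
VPN_CLIENT = "192.168.1.1"
OTHER_GW = "192.168.1.254"

# Routing tables as (prefix, next hop); "direct" means on-link delivery.
ROUTERS = {
    VPN_CLIENT: [("0.0.0.0/0", "isp"), ("192.168.1.0/24", "direct"), ("10.0.0.0/24", "tunnel")],
    OTHER_GW:   [("0.0.0.0/0", "isp"), ("192.168.1.0/24", "direct")],
}

def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def reply_outcome(box_a_routes, outbound_nat=False):
    """Trace Box A's echo reply and report whether it can reach the tunnel."""
    # Outbound NAT on the VPN client rewrites the request's source to its own
    # LAN IP, so the reply is addressed to an on-link host, not a tunnel address.
    reply_dst = VPN_CLIENT if outbound_nat else ECHO_SRC
    hop = next_hop(box_a_routes, reply_dst)
    if hop == "direct":
        return "delivered"   # VPN client is on the same LAN and un-NATs the reply
    return "delivered" if next_hop(ROUTERS[hop], reply_dst) == "tunnel" else "lost"

# Scenario 1: Box A only has its default route; the reply leaves via a router
# that has no tunnel route and never comes back through the VPN.
DEFAULT_ONLY = [("0.0.0.0/0", OTHER_GW), ("192.168.1.0/24", "direct")]
# Scenario 2: a return route for the tunnel network pointing at the VPN client.
WITH_RETURN_ROUTE = DEFAULT_ONLY + [("10.0.0.0/24", VPN_CLIENT)]

if __name__ == "__main__":
    print("default route only:    ", reply_outcome(DEFAULT_ONLY))
    print("with 10.0.0.0/24 route:", reply_outcome(WITH_RETURN_ROUTE))
    print("default route + NAT:   ", reply_outcome(DEFAULT_ONLY, outbound_nat=True))
```

    The same model applies to any LAN host at either site: the reply is routed by the host's own table, so either the host (or its default gateway) needs a route for the tunnel network, or the VPN endpoint must NAT the request so the reply stays on-link.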



  • How would I setup a site-2-site vpn and the appropriate routing? Which routes are missing in my case? My packets already reach SITE0. And SITE0 knows how to route to SITE1.


  • Rebel Alliance Global Moderator


 
