Route traffic instead of doing an "Outbound NAT"

  • Hello,
I've set up an OpenVPN server and client. The VPN works, but I also want access to the LAN behind the client.

    OpenVPN server:
    Tunnel Network:
    Custom Options: "route;route;"

    Client-Specific-Overrides for the client:
    IPv4 Remote Network:
    Custom Options: "ifconfig-push"

    Firewall on VPN interface:
    (see attachment: "SITE0 Firewall VPN.png")

    OpenVPN client, which has no advanced settings. It just connects to SITE0.

    Firewall on VPN interface:
    (see attachment: "SITE1 Firewall VPN.png")

    Firewall on LAN interface:
    (see attachment: "SITE1 Firewall LAN.png")

    Now I can ping from SITE0:

    • - which is the address of the VPN interface of SITE1

    • - which is the address of the LAN interface of SITE1

    I can not ping from SITE0:

• - which is the address of a device in the LAN network SITE0

    After adding an "Outbound NAT" on SITE0 I can ping

    (see attachment: "SITE1 Outbound NAT.png")

    Why is this the case? I want to do it without NATing so the source address doesn't get changed. I also really want to understand what the Outbound NAT does and how it can work without it. What is blocking it?

    Things I tried for debugging to get it work without Outbound NAT:

• I did a packet capture on SITE1 on the VPN client interface - ICMP packets arrive but get no reply

    • I did a packet capture on SITE1 on the LAN interface - No packets arrive

    • I watched pfInfo for blocked packets - No results

![SITE0 Firewall VPN.png](/public/imported_attachments/1/SITE0 Firewall VPN.png)
    ![SITE1 Firewall VPN.png](/public/imported_attachments/1/SITE1 Firewall VPN.png)
    ![SITE1 Firewall LAN.png](/public/imported_attachments/1/SITE1 Firewall LAN.png)
    ![SITE1 Outbound NAT.png](/public/imported_attachments/1/SITE1 Outbound NAT.png)

  • LAYER 8 Global Moderator

    Here is the thing… even if you can route your packet to a device behind your vpn client or even on the same network as the vpn client.

That device is NOT going to know how to get back to your network, since its default gateway for sure is not the vpn client connection.

If you need to connect site 0 and 1 and or A and B together, then you need to create a site to site vpn and do the correct routing between sites.

If you want to get into some remote network that your vpn client has access to - you would need to source nat the traffic so that remote network thinks it's coming from the vpn client.

  • But the SITE0 SITE1 does have routes to route back to the VPN client interface:

```
    default                          UGS   igb0
                                     UGS   ovpnc2
                       link#9        UH    ovpnc2
                       link#9        UHS   lo0
                                     UGS   ovpns1
                       link#8        UHS   lo0
                       link#8        UH    ovpns1
    localhost          link#7        UH    lo0
                       link#2        U     igb1
    **********         link#2        UHS   lo0
                       link#1        U     igb0
                       link#1        UHS   lo0
    ```

    I think the route should allow the routing back, right?

    EDIT: The looks weird. It was /24. What is going on here?  :P
    EDIT: I did not assign the ovpnc2 or ovpns1 interfaces on SITE1 and SITE0.

  • LAYER 8 Global Moderator

Comes down to the IP behind the client you're trying to talk to!!!

    you have this

Box A --- vpnclient --- internet (vpn) ---- vpnserver --- Box B

So while vpnclient knows how to get to Box B through its tunnel connection, and Box B can get to the vpnclient through its default route to pfsense, how does some Box A behind vpnclient know to talk to the vpnclient to get to Box B's IP??

    If you want to connect 2 sites, then use a site 2 site vpn and setup the appropriate routing..

Unless you nat the traffic so it looks like it's coming from vpnclient's IP on that network, box A will just send traffic to its default gateway - which is not vpnclient, is it.

  • I'm not sure if I understood it now:

    I tried to ping which is a host in a network of SITE0. That host has a route to the pfsense of SITE0 but does not know about the pfsense of SITE1. Therefore it can not route it back!

    Does that sound correct to you?

    In order to fix that I would need to add a route on to route the packet to the pfsense of SITE0 which knows how to route it back to SITE1.

  • How would I setup a site-2-site vpn and the appropriate routing? Which routes are missing in my case? My packets already reach SITE0. And SITE0 knows how to route to SITE1.
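As an added illustration of the return-path argument in the moderator's replies and of the "which routes are missing" question above (this is a constructed model written for this page, not code from the thread, pfSense or OpenVPN): a small Python simulation of the Box A --- vpnclient --- vpnserver --- Box B topology with longest-prefix-match forwarding. All addresses (documentation ranges), interface names and the assumption that Box A's default gateway is a separate router are constructed for the example. It runs the same ping three times: with nothing changed (the reply leaves via Box A's default gateway and is lost), with Outbound NAT on the client's LAN interface (the reply goes to the client's LAN address and is un-NATed, but Box A sees the client's address as the source), and with a route for Box B's network added on Box A (the reply is routed back and the original source address is preserved).

```python
"""Constructed model of the VPN return-path problem: longest-prefix-match
forwarding over a few nodes, with optional outbound NAT on one interface."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None means directly connected
    iface: str


@dataclass
class Node:
    name: str
    addrs: dict                                    # iface -> IPv4Address
    routes: list = field(default_factory=list)
    snat: dict = field(default_factory=dict)       # iface -> translated source address
    nat_table: dict = field(default_factory=dict)  # (translated src, peer) -> original src

    def add_route(self, prefix, gateway=None, iface=None):
        gw = ipaddress.ip_address(gateway) if gateway else None
        self.routes.append(Route(ipaddress.ip_network(prefix), gw, iface))

    def lookup(self, dst):
        """Longest-prefix match, as a kernel forwarding table does."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


class Network:
    def __init__(self, nodes):
        self.owner = {addr: n for n in nodes for addr in n.addrs.values()}

    def send(self, src, dst, max_hops=16):
        """Forward one packet hop by hop. Returns (path, delivered, src, dst)
        with src/dst as they look at the point the packet stopped."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        node = self.owner[src]
        path = [node.name]
        for _ in range(max_hops):
            if (dst, src) in node.nat_table:          # reply to a translated flow: undo the NAT
                dst = node.nat_table[(dst, src)]
            if dst in node.addrs.values():
                return path, True, src, dst
            route = node.lookup(dst)
            if route is None:
                return path + ["(no route)"], False, src, dst
            if route.iface in node.snat:               # outbound NAT on the egress interface
                new_src = node.snat[route.iface]
                node.nat_table[(new_src, dst)] = src
                src = new_src
            next_node = self.owner.get(route.gateway or dst)
            if next_node is None:
                return path + ["(next hop unreachable)"], False, src, dst
            node = next_node
            path.append(node.name)
        return path + ["(hop limit)"], False, src, dst


def build_topology(fix=None):
    """fix: None (nothing changed), "snat" (outbound NAT on the client's LAN
    interface) or "route" (Box A gets a route to Box B's network). Constructed."""
    ip = ipaddress.ip_address
    box_b = Node("boxB", {"eth0": ip("192.0.2.50")})
    box_b.add_route("192.0.2.0/24", iface="eth0")
    box_b.add_route("0.0.0.0/0", "192.0.2.1", "eth0")

    vpnserver = Node("vpnserver", {"lan": ip("192.0.2.1"), "tun": ip("10.8.0.1")})
    vpnserver.add_route("192.0.2.0/24", iface="lan")
    vpnserver.add_route("10.8.0.0/24", iface="tun")
    vpnserver.add_route("198.51.100.0/24", "10.8.0.2", "tun")  # route to the client's LAN via the tunnel

    vpnclient = Node("vpnclient", {"lan": ip("198.51.100.1"), "tun": ip("10.8.0.2")})
    vpnclient.add_route("198.51.100.0/24", iface="lan")
    vpnclient.add_route("10.8.0.0/24", iface="tun")
    vpnclient.add_route("192.0.2.0/24", "10.8.0.1", "tun")

    box_a = Node("boxA", {"eth0": ip("198.51.100.20")})
    box_a.add_route("198.51.100.0/24", iface="eth0")
    box_a.add_route("0.0.0.0/0", "198.51.100.254", "eth0")      # default gateway is NOT the VPN client

    isp_router = Node("isp_router", {"lan": ip("198.51.100.254"), "wan": ip("203.0.113.2")})
    isp_router.add_route("198.51.100.0/24", iface="lan")
    isp_router.add_route("0.0.0.0/0", "203.0.113.1", "wan")

    internet = Node("internet", {"up": ip("203.0.113.1")})       # knows nothing about either site

    if fix == "snat":
        vpnclient.snat["lan"] = ip("198.51.100.1")
    elif fix == "route":
        box_a.add_route("192.0.2.0/24", "198.51.100.1", "eth0")
    return Network([box_b, vpnserver, vpnclient, box_a, isp_router, internet])


def round_trip(net, src, dst):
    """Send a request, then the reply the target would generate; report both paths
    and which source address the target actually saw."""
    req_path, ok, src_seen, dst_seen = net.send(src, dst)
    if not ok:
        return {"request": req_path, "reply": [], "ok": False, "src_seen_by_target": str(src_seen)}
    rep_path, ok, _, _ = net.send(dst_seen, src_seen)
    return {"request": req_path, "reply": rep_path, "ok": ok, "src_seen_by_target": str(src_seen)}


if __name__ == "__main__":
    for fix in (None, "snat", "route"):
        print(fix, round_trip(build_topology(fix), "192.0.2.50", "198.51.100.20"))
```

The unchanged case shows why a capture on the LAN side sees requests but no usable replies: the request is delivered, but Box A hands the reply to its default gateway, which has no route for Box B's network. Outbound NAT works around that by making the reply land on the client's own LAN address, at the cost of hiding the real source from Box A; a static route on Box A (or on its default gateway) pointing Box B's network at the VPN client restores a plain routed path with the source address intact.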

  • LAYER 8 Global Moderator
