Netgate Discussion Forum

    Route traffic instead of doing an "Outbound NAT"

    Category: OpenVPN | 7 Posts, 2 Posters, 828 Views
    maxammann:

      Hello,
      I've set up an OpenVPN server and client. The VPN works, but I also want access to the LAN behind the client.

      SITE0:
      OpenVPN server:
      Tunnel Network: 10.0.0.1/24
      Custom Options: "route 192.168.1.0 255.255.255.0;route 192.168.0.0 255.255.255.0;"

      Client-Specific-Overrides for the client:
      IPv4 Remote Network: 192.168.1.0/24
      Custom Options: "ifconfig-push 10.0.0.10 10.0.0.1"

      Firewall on VPN interface:
      (see attachment: "SITE0 Firewall VPN.png")

      SITE1:
      OpenVPN client, which has no advanced settings. It just connects to SITE0.

      Firewall on VPN interface:
      (see attachment: "SITE1 Firewall VPN.png")

      Firewall on LAN interface:
      (see attachment: "SITE1 Firewall LAN.png")


      Now I can ping from SITE0:

      • 10.0.0.1 - which is the address of the VPN interface of SITE1

      • 192.168.1.1 - which is the address of the LAN interface of SITE1

      I can not ping from SITE0:

      • 192.168.1.15 - which is the address of a device in the LAN network of SITE0

      After adding an "Outbound NAT" on SITE0 I can ping 192.168.1.15.

      (see attachment: "SITE1 Outbound NAT.png")

      Why is this the case? I want to do it without NATing so the source address doesn't get changed. I also really want to understand what the Outbound NAT does and how it can work without it. What is blocking it?


      Things I tried for debugging to get it to work without Outbound NAT:

      • I did a packet capture on SITE1 on the VPN client interface - ICMP packets arrive but get no reply

      • I did a packet capture on SITE1 on the LAN interface - no packets arrive

      • I watched pfInfo for blocked packets - no results

      ![SITE0 Firewall VPN.png](/public/imported_attachments/1/SITE0 Firewall VPN.png)
      ![SITE1 Firewall VPN.png](/public/imported_attachments/1/SITE1 Firewall VPN.png)
      ![SITE1 Firewall LAN.png](/public/imported_attachments/1/SITE1 Firewall LAN.png)
      ![SITE1 Outbound NAT.png](/public/imported_attachments/1/SITE1 Outbound NAT.png)

      johnpoz (LAYER 8 Global Moderator):

        Here is the thing... even if you can route your packet to a device behind your vpn client, or even on the same network as the vpn client.

        That device is NOT going to know how to get back to your network.. since its default gateway for sure is not the vpn client connection.

        If you need to connect site 0 and 1, and/or A and B, together then you need to create a site-to-site vpn and do the correct routing between sites.

        If you want to get into some remote network that your vpn client has access to - you would need to source NAT the traffic so that the remote network thinks it's coming from the vpn client.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        maxammann:

          But the SITE0 SITE1 does have routes to route back to the VPN client interface:

          ```
          default            192.168.2.1        UGS        igb0
          10.0.0.0&0xa000001 10.0.0.1           UGS      ovpnc2
          10.0.0.1           link#9             UH       ovpnc2
          10.0.0.10          link#9             UHS         lo0
          10.0.8.0           10.0.8.2           UGS      ovpns1
          10.0.8.1           link#8             UHS         lo0
          10.0.8.2           link#8             UH       ovpns1
          localhost          link#7             UH          lo0
          192.168.1.0        link#2             U          igb1
          **********        link#2             UHS         lo0
          192.168.2.0        link#1             U          igb0
          192.168.2.132      link#1             UHS         lo0
          ```

          I think the 0.0.0.0/24 route should allow the routing back, right?

          EDIT: The 10.0.0.0&0xa000001 looks weird. It was /24. What is going on here? :P
          EDIT: I did not assign the ovpnc2 or ovpns1 interfaces on SITE1 and SITE0.

          johnpoz (LAYER 8 Global Moderator):

            Comes down to the IP behind the client you're trying to talk to!!!

            You have this:

            Box A --- vpnclient --- internet (vpn) --- vpnserver --- Box B

            So while vpnclient knows how to get to Box B through its tunnel connection, and Box B can get to the vpnclient through its default route to pfSense, how does some Box A behind vpnclient know to talk to the vpnclient to get to Box B's IP??

            If you want to connect 2 sites, then use a site-to-site vpn and set up the appropriate routing..

            Unless you NAT the traffic so it looks like it's coming from vpnclient's IP on that network, Box A will just send traffic to its default gateway - which is not vpnclient, is it.


            maxammann:
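As an added illustration of the return-path argument in this thread (example code written for this page, not from the thread or from pfSense), the following Python walk traces Box A's reply through a constructed lab in the three situations discussed: no NAT, outbound NAT on the vpnclient, and site-to-site routing. The hop names and Box A's default gateway 192.168.1.254 are assumptions; 192.168.1.15, 192.168.1.1, 10.0.0.10 and 10.0.0.1 come from the thread.

```python
import ipaddress

# Constructed lab following the thread's sketch: Box A --- vpnclient --- tunnel --- vpnserver.
# Box A (192.168.1.15) is on the LAN behind the OpenVPN client; the ping it answers came from
# the server's tunnel address 10.0.0.1.  Box A's default gateway 192.168.1.254 is an assumption.
LAN = ipaddress.ip_network("192.168.1.0/24")
TUNNEL = ipaddress.ip_network("10.0.0.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def lookup(table, dst):
    """Longest-prefix match over (network, next_hop) pairs; 'onlink' marks a
    directly connected network.  Returns None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [(n, nh) for n, nh in table if dst in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace_reply(hops, start, dst):
    """Follow a reply from hop `start` towards `dst`. hops maps a hop name to
    (its own addresses, routing table). Returns 'delivered to <hop>' or 'lost at <hop>: <why>'."""
    owner = {a: name for name, (addrs, _) in hops.items() for a in addrs}
    here = start
    for _ in range(len(hops)):                 # bounded walk; this small lab has no loops
        addrs, table = hops[here]
        if dst in addrs:
            return f"delivered to {here}"
        nh = lookup(table, dst)
        if nh is None:
            return f"lost at {here}: no route to {dst}"
        nxt = owner.get(dst if nh == "onlink" else nh)
        if nxt is None:                        # next hop is outside the lab (the ISP)
            return f"lost at {here}: forwarded to {nh}, which cannot reach {dst}"
        here = nxt
    return "lost: forwarding loop"

def build_hops(site_to_site):
    """site_to_site=True adds the missing piece: the LAN gateway routes 10.0.0.0/24 via the vpnclient."""
    gw_table = [(LAN, "onlink"), (DEFAULT, "internet")]
    if site_to_site:
        gw_table.insert(0, (TUNNEL, "192.168.1.1"))
    return {
        "boxA":      ({"192.168.1.15"}, [(LAN, "onlink"), (DEFAULT, "192.168.1.254")]),
        "gateway":   ({"192.168.1.254"}, gw_table),
        "vpnclient": ({"192.168.1.1", "10.0.0.10"}, [(LAN, "onlink"), (TUNNEL, "onlink")]),
        "vpnserver": ({"10.0.0.1"}, [(TUNNEL, "onlink")]),
    }

no_nat = trace_reply(build_hops(False), "boxA", "10.0.0.1")        # reply to the tunnel address
with_nat = trace_reply(build_hops(False), "boxA", "192.168.1.1")   # source NATed to the vpnclient's LAN IP
site_to_site = trace_reply(build_hops(True), "boxA", "10.0.0.1")   # gateway knows the tunnel route
```

The first trace is the failure the original poster saw without NAT: Box A's reply goes to a gateway that has no route for the tunnel network; the other two show why outbound NAT works and what the site-to-site fix adds.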

              I'm not sure if I understood it now:

              I tried to ping 192.168.1.15, which is a host in a network of SITE0. That host has a route to the pfSense of SITE0 but does not know about the pfSense of SITE1. Therefore it cannot route it back!

              Does that sound correct to you?

              In order to fix that I would need to add a route on 192.168.1.15 to route the packet to the pfSense of SITE0, which knows how to route it back to SITE1.

              maxammann:

                How would I set up a site-to-site vpn and the appropriate routing? Which routes are missing in my case? My packets already reach SITE0, and SITE0 knows how to route to SITE1.

                johnpoz (LAYER 8 Global Moderator):

                  https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site
