OpenVPN Client and NAT



  • Hello,

    Our external partner's resource is accessible via an OpenVPN connection. The config file is similar to this:
    remote xxx.xxx.xx.xxx
    port xxxx
    dev tun
    ifconfig 192.168.177.126 192.168.177.125
    secret vpn.key
    route 192.168.143.0 255.255.255.0 192.168.177.125

    The remote server address is 192.168.143.9; I need to access only this computer from many clients.

    I would like to use PFSense server as a client and reach the server across pfsense.

    The client configuration succeeded and the VPN connected successfully. When I start a ping from the ovpn adapter the response is OK. When I start a ping from the LAN there is no response.

    pfSense uses routing between the networks and the remote server has no route backward.
    How can I access the server from clients?  (NAT – but how?)

    Thanks,
    Istvan



  • Is the pfSense which is running the vpn client the default gateway in your LAN?

    If it isn't you need a static route for the remote host to it.
    But the better solution is to spawn a transit network between the default gateway and pfSense.



  • Yes, this is the default GW.
    Routing is enabled by default but the target system has no route backward to my network.
    (see picture)




  • You need to tell the remote firewall to route the local client's network. pfSense does this in the VPN client setup web page, 'remote network(s)' I believe. Maybe the remote firewall has a 'custom options' thing like pfSense? Try 'route 192.168.5.0 255.255.255.0' or something like that. Good luck.



  • Unfortunately the routing setup on the remote site is not possible.

    I think I need an Outbound NAT on pfSense, but I don't know how to set it up without an interface.



  • A VPN server on a router without a routing option makes no sense.

    Anyway, yes, you may solve it by NAT if there is no other way.

    If you are running multiple OpenVPN instances on the pfSense, you have to assign an interface to that client first. To do so, go to Interfaces > Assign, at "available network port" select your client instance and click Add. Then open the interface setting, check enable and enter an appropriate name.

    Natting:
    Go to Firewall > NAT > Outbound
    Ensure that the mode is set to hybrid or manual. Add a new rule:
    Interface: the interface you've added above. If you haven't, select OpenVPN
    Source: any
    Destination: any
    Translation: interface address

    Since the VPN is only for that one connection there is no need to restrict source and destination.



  • In this case, I believe that the local pfSense should be pushing the route to 192.168.5.0/24 to the remote firewall to tell it to send the packets back. Try adding in the custom options section of the local pfSense push "route 192.168.5.0 255.255.255.0" to force your client instance to send that to the remote firewall? Although, I thought pfSense did that automatically…



  • You think a client can push a route to a server?
    ???



  • It will not :)
    I try the NAT shortly…



  • "You think a client can push a route to a server?" Right, whoops!  :) Thanks for the correction.



  • @viragomann:

    A VPN server on a router without a routing option makes no sense.

    Anyway, yes, you may solve it by NAT if there is no other way.

    If you are running multiple OpenVPN instances on the pfSense, you have to assign an interface to that client first. To do so, go to Interfaces > Assign, at "available network port" select your client instance and click Add. Then open the interface setting, check enable and enter an appropriate name.

    Natting:
    Go to Firewall > NAT > Outbound
    Ensure that the mode is set to hybrid or manual. Add a new rule:
    Interface: the interface you've added above. If you haven't, select OpenVPN
    Source: any
    Destination: any
    Translation: interface address

    Since the VPN is only for that one connection there is no need to restrict source and destination.

    Hello,

    After this NAT the OVPN tunnel is stable because the local heartbeat traffic works.
    But the client cannot access the server yet (see new attachments).

    The automatic routing transfers packets into the tunnel automatically. I can disable this route in the client (Do not add/remove routes automatically), but in this case the packet is not in the tunnel…
    Maybe I should add a new gateway for the OVPN tunnel and add a static NAT to the OVPN interface?
    (Now the automatic route transfers packets to the OVPN interface's gateway.)

    BR,
    Istvan




  • Hello,

    the gateway for the OpenVPN network is configured automatically when the connection is established. You should not add a gateway manually.

    However, the "Routes in pfSense" shown in the drawing may not be correct. It has to point to 192.168.177.125 like it is shown in the route line underneath.

    The packet capture looks strange. I can't find in the drawing where the source IP 192.168.3.210 comes from. Besides that, with the NAT rule I suggested, the source IP in the OpenVPN tunnel has to be the OpenVPN client's IP 192.168.177.126, no matter what the real source is.
    So I think you did something wrong.

    As mentioned, as long as you are running only one OpenVPN instance, there is no need to assign an interface to it. However, it won't be a drawback if you do that.
    The OpenVPN interface is an interface group in the strict sense and includes all OpenVPN instances, regardless of whether it's a client or a server.

    br



  • I have 2 OVPN servers and one client configured.
    I updated the picture, because the route was mistyped.

    The ping from OVPN interface to Server is OK but when I ping from LAN interface, no response.

    If I use Outbound NAT, it should replace the source IP address (e.g. 192.168.3.1) with the OVPN address (192.168.177.170), if I understand right.



  • As already mentioned, if you're running multiple OpenVPN instances you must assign an interface to the site-to-site client for enabling correct routing.

    Also I still don't get where the 192.168.3.1 comes from. It is shown in "ping from LAN interface", but in the drawing your LAN is 192.168.5.1.



  • Yes, correct, I made a mistake in the pic: 192.168.5.5 -> 192.168.3.5 (this was the previous config, corrected it).
    I already assigned the ovpn client to an interface (name: CORBA).

    The routing is correct and the traffic is routed to the tunnel but the other end (server) has no route backward.
    (because this is not a site-to-site VPN, just a client VPN config)

    This is why I need NAT. Outbound NAT configured.






  • The new network schema includes the same mistakes as the former. So there is still no clarity here.

    Also I don't understand the meaning of the "Port test from pfSense". "Connect to the server on TCP 3389 from OpenVPN interface"???
    Do you mean the one capture is taken on the OpenVPN interface and the other one on LAN?
    If so, what was the real source IP?



  • The client subnet is 192.168.3.0/24. Now the test client IP is 192.168.3.210 (corrected on the previous pic).
    My test cases are the following:

    1; ping from pfsense OVPN interface to server (192.168.177.170->192.168.143.9) -> success
    2; ping from pfsense LAN interface to server (192.168.3.1->192.168.143.9) -> failed, no route backward
    3; PORT test from pfsense OVPN interface to server (192.168.177.170->192.168.143.9:3389) -> success
    4; PORT test from pfsense LAN interface to server (192.168.3.1->192.168.143.9:3389) -> failed

    5; ping from test client to server (192.168.3.210 -> 192.168.143.9) -> failed, the packet capture shows these packets also
    6; PORT test from test client to server (192.168.3.210 -> 192.168.143.9:3389) -> failed, the packet capture shows these packets also

    I always made the capture on the pfSense OVPN interface.
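As an added illustration of two posts in this thread, viragomann's Outbound NAT rule (Interface = the assigned OpenVPN client interface, Source any, Destination any, Translation = interface address) and Istvan's test list above, the following Python model traces each test case's request and its reply through both routers' routing tables, once without the NAT rule and once with it. It is not code from the thread or from pfSense. The addresses are the ones posted in the first config (tun pair 192.168.177.126/.125, server 192.168.143.9, client subnet 192.168.3.0/24; later posts show 192.168.177.170 as the pfSense tunnel address, the config's .126 is used here), while the interface names ovpnc1/tun0 and the partner router's routing table are assumptions. It also covers the case mentioned earlier where the route into the tunnel is not installed.

```python
from ipaddress import ip_address, ip_network

# Addresses are the ones posted in the thread (tun pair from the 'ifconfig' line,
# server 192.168.143.9, client subnet 192.168.3.0/24). Interface names and the
# partner's routing table are constructed for this model.
TUN_LOCAL = ip_address("192.168.177.126")   # pfSense end of the tun
TUN_REMOTE = ip_address("192.168.177.125")  # partner's end of the tun
SERVER = ip_address("192.168.143.9")        # the only host that must be reached
LAN_NET = ip_network("192.168.3.0/24")      # pfSense LAN, where the clients live

TUNNEL_ROUTE = (ip_network("192.168.143.0/24"), "ovpnc1")  # the 'route' line in the config

# Routing tables as (destination network, egress interface). Gateways are left out
# because only the egress interface decides the outcome modelled here.
PFSENSE_ROUTES = [
    (ip_network("0.0.0.0/0"), "wan"),
    (LAN_NET, "lan"),
    (ip_network("192.168.177.124/30"), "ovpnc1"),  # point-to-point tun pair
    TUNNEL_ROUTE,
]
# Partner's router (assumed): knows its LAN and the tun pair, nothing about 192.168.3.0/24.
REMOTE_ROUTES = [
    (ip_network("0.0.0.0/0"), "wan"),
    (ip_network("192.168.143.0/24"), "lan"),
    (ip_network("192.168.177.124/30"), "tun0"),
]

# The Outbound NAT rule from the thread: Interface = assigned OpenVPN client
# interface, Source any, Destination any, Translation = interface address.
OUTBOUND_NAT = {
    "interface": "ovpnc1",
    "source": ip_network("0.0.0.0/0"),
    "destination": ip_network("0.0.0.0/0"),
    "translation": TUN_LOCAL,
}


def egress(routes, dst):
    """Longest-prefix match: the interface a packet to dst leaves on."""
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def outbound_nat(rule, out_iface, src, dst):
    """Source address after outbound NAT. pf evaluates outbound NAT on the
    interface the packet actually egresses on, so a packet routed elsewhere is
    never translated even though the rule exists."""
    if rule and out_iface == rule["interface"] \
            and src in rule["source"] and dst in rule["destination"]:
        return rule["translation"]
    return src


def probe(src, dst=SERVER, nat=OUTBOUND_NAT, pf_routes=PFSENSE_ROUTES):
    """Trace one request and its reply. Returns (reachable, explanation)."""
    out_iface = egress(pf_routes, dst)
    if out_iface != "ovpnc1":
        return False, f"request left pfSense on {out_iface}, it never entered the tunnel"
    seen_src = outbound_nat(nat, out_iface, src, dst)
    # The server replies to whatever source it saw; its router then needs a
    # route for that address that points back into the tunnel.
    back_iface = egress(REMOTE_ROUTES, seen_src)
    if back_iface != "tun0":
        return False, f"reply to {seen_src} left the partner's router on {back_iface}, not the tunnel"
    return True, f"reply to {seen_src} came back through the tunnel"


def thread_test_cases():
    """The thread's test list, once without the NAT rule and once with it."""
    sources = {
        "pfSense OVPN interface": TUN_LOCAL,
        "pfSense LAN interface": ip_address("192.168.3.1"),
        "test client": ip_address("192.168.3.210"),
    }
    return {name: {"without NAT": probe(src, nat=None)[0], "with NAT": probe(src)[0]}
            for name, src in sources.items()}


def without_tunnel_route():
    """Edge case from the thread: if the route into the tunnel is not installed
    ('Do not add/remove routes automatically'), the packet leaves on WAN and the
    NAT rule bound to the OpenVPN interface never matches."""
    routes = [r for r in PFSENSE_ROUTES if r != TUNNEL_ROUTE]
    return probe(ip_address("192.168.3.210"), pf_routes=routes)


if __name__ == "__main__":
    for name, result in thread_test_cases().items():
        print(f"{name:24s} without NAT: {result['without NAT']!s:5}  with NAT: {result['with NAT']}")
    print("no tunnel route:", without_tunnel_route()[1])
```

The model reproduces the pattern in the test list: pings sourced from the tunnel address succeed either way, while anything sourced from 192.168.3.0/24 only gets a reply once the outbound NAT rewrites it to the tunnel address. A capture on the OpenVPN interface that still shows 192.168.3.x sources, as reported later in the thread, means the translation is not being applied on that egress interface, which is what viragomann's request for the Outbound NAT page is checking.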



  • It seems that your Outbound NAT rule is not working.

    Please post the Outbound NAT page for verifying the settings.



  • Yes, it seems to be…




  • The Outbound NAT settings look fine, however, the rule seems not to be applied.

    Ensure that the firewall is not disabled in System > Advanced > Firewall & NAT.

    Also please take the capture you've made before on the COBRA interface, to confirm that the packets are routed into the correct vpn tunnel.



  • All settings are default.
    The NAT between LAN and WAN (and OPT1) works as expected. (I use a dual-WAN config and gateway groups.)

    The packet capture showed the packets with the original addresses.