NAT OpenVPN Client Traffic



  • Hello! I was wondering if there's a guide anywhere to port forwarding through OpenVPN.

    I've got a setup, a typical OpenVPN setup with no encryption and redirect gateway, I can port forward my test game server through it no problem but if I turn off redirect gateway, I can no longer port forward my game server.
    I assinged my game server to use my OpenVPN IP (inside the server config) and I see traffic pop up in the OpenVPN, but I can't allow traffic into it with the same port forward rule.

    alt text

    Thank you in advance


  • Rebel Alliance Global Moderator

    Huh? Openvpn with no encryption sure and hell is not typical.

    Are your running a openvpn server, or you have a openvpn client setup on pfsense to some vpn service?

    Redirect to 1.1.1.2??? Really? Makes no sense..



  • I'm trying to -make it so people can download my VPN client and route their game server traffic through it to hide their home IP. Is there a way this can be done? It works fine with Redirect Gateway on, but without it on it won't work.

    Encryption would increase the latency and lower throughput, trying to make it similar to a GRE tunnel but something that's downloaded and ran as a client for ease of use to friends & other people who would be interested in home hosting but not the fear of an attack.



  • @soarin said in NAT OpenVPN Client Traffic:

    Encryption would increase the latency and lower throughput, trying to make it similar to a GRE tunnel but something that's downloaded and ran as a client for ease of use to friends & other people who would be interested in home hosting but not the fear of an attack.

    That logic is flawed, if a (game) server is public reachable it can be attacked, no matter how the traffic is routed to it.


  • Rebel Alliance Global Moderator

    So you have a road warrior that needs to get to your network. So you setup your server listing your network(s) as local right? Post up your vpn server setup..

    0_1535278602625_localnetworks.png

    If that is not setup then no they wouldn't know to come down the tunnel to get to your network. When they try and connect to your game server on say IP 192.168.1.100

    And what is this 1.1.1.2 - your not trying to use public IP space you clearly do not own on your local network?


  • Netgate

    You are going to have to be much more detailed on what you are trying to do.

    Where are the clients?

    What/where is the server?

    What home IPs are you trying to hide?

    Is 1.1.1.2 a VPN endpoint? In that case it would be up to THAT side to route the reply traffic back out the tunnel it arrived on instead of out the default gateway.

    Or you have to Outbound NAT that traffic to the OpenVPN tunnel address. In that case the server will lose the ability to see the actual source IP address.



  • @derelict Thank you for the response

    The clients are anywhere in America, it's an OpenVPN Client I send to any friend who wants to home host without fear of being DDoSd.
    The server will be ran on their computers or server machines along with the OpenVPN client

    No specific home IP, I suppose just my LAN network but I think a simple OpenVPN rule will do that for me.

    1.1.1.2 is the IP of a client when they're connected on their computer, I port forwarded to 1.1.1.2 because that was my IP on the VPN.



  • @johnpoz
    Thank you for the response!
    The idea is to have the road warrior be able to run a public game/voice server on their computer and people who want to connect will use my WAN IP and it routes from my WAN -> Road Warrior's VPN IP on his computer (1.1.1.2 in this case), making it so he can run a server safely.
    I do this with my GRE tunnels, that setup works if I Redirect Gateway but if I don't do that and set a game server to use my OpenVPN adapter it doesn't work.

    alt text
    alt text
    alt text
    alt text

    Sorry if this is confusing, not quite sure how to explain it. I'll give any information requested

    EDIT:
    This is how I have it setup without redirect gateway and it doesn't work, I'd ideally like to have no redirect gateway so people don't forward anything other than game traffic.
    alt text


  • Netgate

    When the "Road Warrior" receives a connection across the VPN that is forwarded from an arbitrary address the reply traffic will use the default gateway on that host - the target host - the road warrior host.

    That is why it works when you use redirect gateway.

    You either need to:

    1. Use a client that has routing special sauce like reply-to in pf.
    2. Assign an interface to the OpenVPN server and perform outbound NAT on that for the port-forwarded traffic. The server will lose the ability to see the client's real IP address but connections will appear to come from - and reply traffic will go to - the server's tunnel address instead of the arbitrary real address of the connecting host.

    It has nothing to do with the OpenVPN server or client configuration.


  • Rebel Alliance Global Moderator

    ^ exactly... And Why and the F would you use a public IP range for your tunnel network? Come on... Makes ZERO sense!!!


  • Netgate

    And your tunnel network should not be defined as a local network too.

    Neither 1.1.1.0/24 not 172.100.100.0/24 are available for use as private networks as far as the standards are concerned.



  • @johnpoz @Derelict Oh man, if you saw the horrors of other ranges and configurations I had setup trying to get this to work you would have to read a pfSense bible to try to forget what you would've seen.



  • @derelict Thank you for the insight, I'll try this now!


  • Netgate

    @soarin said in NAT OpenVPN Client Traffic:

    @johnpoz @Derelict Oh man, if you saw the horrors of other ranges and configurations I had setup trying to get this to work you would have to read a pfSense bible to try to forget what you would've seen.

    I still fail to see a valid reason to stray from RFC1918.