Outbound NAT for multi-site VPN, all client traffic through server?

  • My intention is to set up a multi-site OpenVPN network, using TLS authentication with peer-to-peer. Furthermore, all client traffic is routed through the main VPN server network.

    pfSense boxes are at all locations running 2.4.4.

    I currently have the VPN tunnel operational and NAT rules on the client are configured to route all traffic through the VPN gateway. All parties can ping the server or client on opposite ends of the tunnel.

    The issue I am having is that the server network is not able to access machines on the client network. Firewall rules have been set to pass any/any on both sides of the tunnel, so I'm thinking this is an issue with how I've configured the NAT?

    The client network is however able to access machines on the server side.

    Any advice on how best to troubleshoot this issue? I've used pfSense for a while, but I'm a noob when it comes to NAT and routing tables.

  • Do you have conflicting subnets, or why do you use NAT anyway?
    Show your whole setup/firewall rules (screenshots).


  • I am using NAT on the client side to force traffic through the VPN and prevent any failover to WAN in case of tunnel disconnect. The topology and client config are below:

  • @Rico
    Reposted all the relevant info above in a more palatable format. Let me know if you need anything else, or if you have any ideas about what I'm doing wrong.

  • You probably have a design issue.
    There are two goals for your needs:

    1. A topology in which all sites' IPs need to communicate with each other.
    2. Internet access should only happen via the central site.

    Since you don't have ANY overlapping private IP networks, you should eliminate
    all NATting for such targets in all pf instances.
    This will allow you to achieve goal 1.
    In more detail, on remote sites you don't need any NAT whatsoever, since you don't want access to the internet "accidentally".

    Now for goal 2.
    You need to set up manual NAT on the central site and also put rules in NAT for all remote site IP ranges.
    Remember to assign an interface for OpenVPN, and policy route remote subnets via this.
    In essence, all traffic for VPN remotes will pass via the VPN interface
    and the rest will reach your WAN interface.
    There it will be NATted to the WAN IP and enter the Internet.

    Remember, NAT settings take effect AFTER your traffic hits the relevant interface.

    Hope it helps.

  • @netblues @Rico

    Thank you, I have partially resolved the issue such that clients on both sides of the tunnel can ping each other, so I just need to clean up the NAT and firewall rules at this point.

    I think that I needed to add an iroute on the OpenVPN "client specific overrides" tab for each of the clients. Basically I needed to tell OpenVPN which client has which routes. This step is not needed when dealing with /30 SSL or user/password based authentication, but is required for PKI SSL/TLS.

  • @piousgreek A LAN-to-LAN OpenVPN is different from a roaming client.
    And what does PKI SSL/TLS have to do with routing anyway?

    Client-specific overrides are required for SSL/TLS with a larger than /30 tunnel network when you have remote subnets/routes above and beyond the tunnel address for a Remote Access client.

    There is really no difference between a Remote Access server and a point-to-multipoint site-to-site network other than different requirements for pushing routing and CSOs. They are the same OpenVPN server mode.
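The route/iroute relationship behind the two posts above (the "client specific overrides" fix, and the reply about SSL/TLS with a tunnel network larger than /30), shown as an added example; this is not code from the thread, from pfSense or from OpenVPN. OpenVPN needs two things for a remote LAN behind a client: a `route` in the server config, so the server kernel sends packets for that LAN into the tun interface, and an `iroute` in that client's client-config-dir (CCD) file, so OpenVPN's own internal routing knows which connected client owns the LAN (pfSense writes client-specific overrides out as such CCD files). Missing either half produces exactly the one-way reachability in the original post. The checker below parses a server config and a set of CCD files and reports the mismatches. The server config, CCD contents, site names and subnets are constructed sample data, not the poster's setup.

```python
# Added example: consistency check for OpenVPN server 'route' directives
# versus client-specific 'iroute' directives (CCD files). Not code from the
# thread, pfSense or OpenVPN. All config text, site names and subnets are
# constructed sample data.
import ipaddress
import re

# Anchored at line start, so 'push "route ..."' and "iroute ..." lines
# are not mistaken for server-side 'route' directives.
ROUTE_RE = re.compile(r"^\s*route\s+(\S+)\s+(\S+)", re.MULTILINE)
IROUTE_RE = re.compile(r"^\s*iroute\s+(\S+)\s+(\S+)", re.MULTILINE)
SERVER_RE = re.compile(r"^\s*server\s+(\S+)\s+(\S+)", re.MULTILINE)


def _net(addr, mask):
    """Build a network from OpenVPN's 'address netmask' form (or a prefix length)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_server_routes(server_conf):
    """Networks the server kernel will hand to the tun interface ('route')."""
    return {_net(a, m) for a, m in ROUTE_RE.findall(server_conf)}


def parse_tunnel_network(server_conf):
    """Tunnel network from the 'server' directive, or None if absent."""
    m = SERVER_RE.search(server_conf)
    return _net(*m.groups()) if m else None


def parse_iroutes(ccd_files):
    """Map each 'iroute' network to the client common names claiming it.

    ccd_files: {common_name: text of that client's CCD file}.
    """
    claims = {}
    for cn, text in ccd_files.items():
        for a, m in IROUTE_RE.findall(text):
            claims.setdefault(_net(a, m), []).append(cn)
    return claims


def check_routing(server_conf, ccd_files):
    """Return a list of findings; an empty list means route/iroute agree."""
    routes = parse_server_routes(server_conf)
    claims = parse_iroutes(ccd_files)
    tunnel = parse_tunnel_network(server_conf)
    findings = []

    # 'route' pushes packets into tun, but without an 'iroute' OpenVPN does
    # not know which client owns the subnet and drops them: the
    # "server cannot reach the client LAN" symptom from the thread.
    for net in sorted(routes, key=str):
        if net not in claims:
            findings.append(
                f"{net}: server has 'route' but no CCD contains a matching "
                f"'iroute'; server-side hosts cannot reach this LAN"
            )

    # The reverse: OpenVPN knows the client, but the kernel never sends
    # the packets into the tunnel because there is no system route.
    for net, cns in sorted(claims.items(), key=lambda kv: str(kv[0])):
        if net not in routes:
            findings.append(
                f"{net}: 'iroute' in CCD for {', '.join(cns)} but no server "
                f"'route'; kernel will not forward this LAN into the tunnel"
            )
        if len(cns) > 1:
            findings.append(f"{net}: claimed by several clients: {', '.join(cns)}")

    # Different clients claiming overlapping LANs is an address-plan problem
    # (the "conflicting subnets" question earlier in the thread).
    nets = sorted(claims, key=str)
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a != b and a.overlaps(b) and claims[a] != claims[b]:
                findings.append(f"{a} ({claims[a][0]}) overlaps {b} ({claims[b][0]})")

    # On a /30 tunnel there is exactly one peer, so 'iroute' does nothing;
    # it only matters once the tunnel network can hold several clients.
    if tunnel is not None and tunnel.prefixlen >= 30 and claims:
        findings.append(f"tunnel {tunnel} is point-to-point; 'iroute' has no effect")

    return findings


# Constructed sample: site-c's override lacks the iroute the server's route
# expects, and site-d claims a LAN the server has no route for.
SERVER_CONF = """\
dev tun
server 10.8.0.0 255.255.255.0
tls-auth ta.key 0
client-config-dir ccd
route 192.168.20.0 255.255.255.0
route 192.168.30.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
"""

CCD_FILES = {
    "site-b": "iroute 192.168.20.0 255.255.255.0\n",
    "site-c": "# override exists, but the iroute line is missing\n",
    "site-d": "iroute 192.168.40.0 255.255.255.0\n",
}

if __name__ == "__main__":
    for line in check_routing(SERVER_CONF, CCD_FILES):
        print(line)
```

Run against real files by reading the server config and each CCD file into the two arguments; the checker does not cover the pfSense firewall or outbound NAT rules, which are a separate layer, only whether the kernel route and OpenVPN's internal route for each remote LAN exist and agree.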
