NAT through OpenVPN? How to set up outbound NAT?



  • So, diving deeper into the rabbit hole, I now have two sites connected via OpenVPN and would like to NAT from Site A to a device on Site B.

    SITE A: office.mydomain.com / 1.1.1.1 / 192.168.10.0
    SITE B: home.mydomain.com / 2.2.2.2 / 192.168.20.0

    Connected via an OpenVPN tunnel (192.168.70.0) with static routing set up, so when I enter a subnet IP of Site B on Site A it can be reached without issues, and vice versa.

    I also have some NAT set up for some local cameras.
    So office.mydomain.com:8081 redirects to 192.168.10.81:80 (the camera's IP) just fine. NATing via 1.1.1.1 to Site A devices works fine.

    Also, I have a NAT on 8089 to forward to 192.168.20.89:80. This works when at the office, but not from outside the LAN at Site A.

    What rule/forward do I need to set up? I have tried "hybrid outbound NAT" but apparently did not get the settings right.

    Any help would be greatly appreciated.



  • Are both OpenVPN endpoints pfSense?
    Is it set up as a site-to-site connection?
    And are both the default gateways in the local networks?



  • Thanks for the reply. For some odd reason I just got the notification today?!

    Anyway, unfortunately pfSense is only running on Site A... Site B runs OpenWrt in the router/modem. They are connected with an OpenVPN tunnel.

    Yes both are the default gateways for their respective locations.



  • @sgtpepperaut said in NAT through OpenVPN? How to set up outbound NAT?:

    Anyway, unfortunately pfSense is only running on Site A... Site B runs OpenWrt in the router/modem.

    The point here is that pfSense has the reply-to function, which directs response packets back to the gateway the requests came from. This function would be helpful at Site B.

    Another way to get it to work is by adding an outbound NAT rule on Site A:
    Interface: <the one you have assigned to the site-to-site VPN, or even OpenVPN>
    Protocol: TCP (or whatever you need)
    Source: any
    Destination: 192.168.20.89, port: 80
    Translation address: Interface address

    However, with that rule in place there is no way to determine, at the destination host, the original source IP of the connections concerned.

    If you don't want that masquerading rule to be applied to connections from Site A, copy that rule, enter the Site A LAN as the source and check "Do not NAT". Then put the new rule above the other one.
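The reply above describes the rules in terms of the pfSense GUI. The following is an added example, not part of the thread, showing what the same two Outbound NAT entries plus the existing port forward look like as pf rules, so they can be compared against `pfctl -s nat` on the Site A box. Interface names (em0 for WAN, ovpns1 for the site-to-site OpenVPN instance) and the /24 masks are assumptions; the thread does not name them.

```pf
# Added example (not from the original thread): pf.conf equivalent of the
# Outbound NAT rules described in the reply above.
#
# Assumptions, not stated in the thread:
#   em0    = Site A WAN interface (1.1.1.1)
#   ovpns1 = Site A OpenVPN site-to-site interface (192.168.70.0/24 tunnel)
#   Site A LAN = 192.168.10.0/24, Site B LAN = 192.168.20.0/24
#
# pf evaluates translation rules (rdr/nat/no nat) top-down, first match wins,
# which is why the "Do not NAT" rule has to sit above the masquerading one.

# Existing port forward on WAN: 1.1.1.1:8089 -> 192.168.20.89:80.
# On its own this keeps the remote client's public IP as the source, so
# the camera's reply leaves OpenWrt via its own WAN (2.2.2.2) rather than
# coming back through the tunnel, and the forward only works from the
# Site A LAN.
rdr on em0 proto tcp from any to 1.1.1.1 port 8089 -> 192.168.20.89 port 80

# Rule 1 ("Do not NAT", above the masquerade): connections that already
# originate in the Site A LAN go through the tunnel unchanged, so the
# camera still logs the real 192.168.10.x source address.
no nat on ovpns1 proto tcp from 192.168.10.0/24 to 192.168.20.89 port 80

# Rule 2 (Translation address = Interface address): every other connection
# to the camera is masqueraded to the tunnel interface address, so Site B
# answers to an address it reaches via the tunnel, not via its WAN.
nat on ovpns1 proto tcp from any to 192.168.20.89 port 80 -> (ovpns1)
```

After applying the GUI rules, `pfctl -s nat` on the Site A pfSense shows the generated equivalents and their order; a connection from outside should then appear in `pfctl -s state` with the tunnel interface address as its translated source, and the camera at Site B sees that address rather than the client's public IP.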

