How to outbound NAT an OpenVPN peer-to-peer network

  • Disclaimer: this is a learning project for me, a virtual lab, so I'm still learning and I might be asking stupid questions, sorry for that.

    I'm having a hard time setting this up the way I want it to work.

    I have one VPS that I want to use as the centralized VPN server, firewall, IDS, etc. between a series of other VPS where some services are hosted and a series of clients that need access to those services.

    I have one WAN interface set to the only NIC on the VPS.
    I have two OpenVPN servers running, whose interfaces have been assigned to LAN and OPT1.

    So the end result is:

    WAN: Public IP
    LAN: 10.0.2.1
    OPT1: 10.0.3.1

    The OpenVPN server assigned on LAN is configured as an access server that redirects all client traffic; this is where I connect from to manage the pfSense box.

    The OpenVPN server assigned on OPT1 is configured as a peer-to-peer server; it doesn't redirect all client traffic.

    Both the other VPS and the clients that need to access them connect to the OpenVPN server whose device I assigned to OPT1.

    All the hosts on network OPT1 (10.0.3.0/24) can reach each other. Given correct additions to the respective "local network" settings, OPT1 net can also reach LAN net and vice versa, as I expect them to.

    My problem is that outbound NAT from network OPT1 is not working as I expected it to; outbound NAT from network LAN is.

    The automatic outbound NAT rules do correctly list all LAN and OPT1 networks, so this should work unless I'm missing something, but it only does for the clients that have their traffic automatically redirected through the tunnel; it doesn't for clients that do not receive that pushed instruction.

    What am I doing wrong?
    On the clients connected to OPT1 I get this route:

    $ route
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    default gateway 0.0.0.0 UG 0 0 0 eth0
    10.0.2.0 10.0.3.1 255.255.255.0 UG 0 0 0 tun0
    10.0.3.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
    Client-gateway 0.0.0.0 255.255.255.192 U 0 0 0 eth0
    link-local 0.0.0.0 255.255.0.0 U 1002 0 0 eth0

    And although the default gateway is the client's native gateway IP address, I should be able to do something like

    $ ping -I tun0 www.google.com

    or

    $ mtr -a 10.0.3.2 www.google.com

    and reach the internet (using pfSense DNS, which I do push on both OpenVPN servers to their clients) because of the outbound NAT, shouldn't I?

    Because I don't, and those commands just hang until they time out, with no packets being received, only sent.

    I need some services on the other VPS servers to use their own IPs and other services to bind to the VPN IP, and still be able to reach the internet through pfSense and not just reach each other, but without forcing those machines' default gateway to be their VPN tunnels.

    I do not have other pfSense boxes, only other VPS with different Linux distros on them (CentOS and Ubuntu). This should still be doable the way I understand it; I don't know why it isn't.
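To see which path an OPT1 client's kernel actually picks for a given destination, here is an added example (not from the original post) that does a longest-prefix-match lookup over a routing table in `route -n` format. The table is constructed from the post's output, with placeholder RFC 5737 addresses standing in for the client's eth0 subnet and gateway; only 10.0.2.0/24 and 10.0.3.0/24 resolve to tun0, and any other destination falls to the eth0 default route, so it never reaches pfSense's outbound NAT unless the client is told otherwise.

```python
# Added example: resolve the egress interface for a destination by
# longest-prefix match over a Linux routing table, as the kernel FIB does.
# ROUTE_OUTPUT is constructed from the post's `route` output in numeric
# (`route -n`) form; 203.0.113.x values are placeholders, not real addresses.
import ipaddress

ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.65    0.0.0.0         UG    0      0        0 eth0
10.0.2.0        10.0.3.1        255.255.255.0   UG    0      0        0 tun0
10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
203.0.113.64    0.0.0.0         255.255.255.192 U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
"""


def parse_routes(text):
    """Return a list of (network, gateway, metric, iface) from `route -n` output."""
    routes = []
    for line in text.splitlines()[2:]:  # skip the title and header rows
        dest, gw, mask, _flags, metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.ip_address(gw)
        routes.append((net, gateway, int(metric), iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, lowest metric on ties; returns (iface, next_hop)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, metric, iface in routes:
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], (None if best[2] is None else str(best[2]))


def egress(dst, text=ROUTE_OUTPUT):
    """Interface and next hop the client picks for dst without source binding."""
    return lookup(parse_routes(text), dst)


if __name__ == "__main__":
    # 8.8.8.8 is only a sample public destination, not something this post uses.
    for target in ("10.0.3.2", "10.0.2.1", "8.8.8.8"):
        print(target, "->", egress(target))
```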