Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    how to outbound NAT an OpenVPN peer-to-peer network.

    Scheduled Pinned Locked Moved OpenVPN
    vpnnatpeer-to-peer
    1 Posts 1 Posters 571 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      nuclearstrength
      last edited by nuclearstrength

      Disclaimer: this is a learning project for me, a virtual lab, so I'm still learning and I might be asking stupid questions, sorry for that.

      I'm having a hard time setting up this the way I want it to work.

      I have one vps that I want to use as the centralized VPN server, firewall, IDS, etc. between a series of other vps where some services are hosted and a series of clients that need access to those services.

      I have one WAN interface set to the only NIC on the VPS.
      I have two OpenVPN servers running which interfaces have been assigned to LAN and OPT1.

      so the end result is:

      WAN: Public IP
      LAN: 10.0.2.1
      OPT1: 10.0.3.1

      the OpenVPN server assigned on LAN is configured as an access server that redirects all client traffic, this is where I connect from to manage the pfsense box.

      the OpenVPN assigned on OPT1 is configured as a peer-to-peer server, it doesn't redirect all client traffic.

      both the other vps and the clients that need to access them connect to the OpenVPN server who's device I assigned to OPT1.

      All the hosts on network OPT1 (10.0.3.0/24) can reach each other. Given correct additions to the respective "local network" settings OPT1 net can also reach LAN net and viceversa as I expect them to.

      My problem is that outbound NAT from network OPT1 is not working as I expected it to, outbound NAT from network LAN is.

      the automatic outbound NAT rules do correctly list all LAN and OPT1 networks, so this should work unless I'm missing something, but it does only for the clients that have their traffic automatically redirected through the tunnel, it doesn't for clients that do not receive that pushed instruction.

      what am I doing wrong?
      on the clients connected to OPT1 I get this route:

      $ route
      Kernel IP routing table
      Destination Gateway Genmask Flags Metric Ref Use Iface
      default gateway 0.0.0.0 UG 0 0 0 eth0
      10.0.2.0 10.0.3.1 255.255.255.0 UG 0 0 0 tun0
      10.0.3.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
      Client-gateway 0.0.0.0 255.255.255.192 U 0 0 0 eth0
      link-local 0.0.0.0 255.255.0.0 U 1002 0 0 eth0

      and although the default gateway is to use the client native gateway IP address I should be able to do something like

      $ping -I tun0 www.google.com

      or

      $ mtr -a 10.0.3.2 www.google.com

      and reach out the internet (using pfsense DNS, which I do push on both OpenVPN servers to their clients) because of the outbound NAT, shouldn't I?

      because I don't, and those command just hang until they timeout with no packets being received, only sent.

      I need some services on the other vps servers to use their IPs and other services to bind to the VPN IP and still be able to reach the internet through pfsense and not just reach each others. but without forcing those machines default gateway to be their VPN tunnels.

      I do not have other pfsense boxes but only other vps with different linux distros on them (centos and ubuntu), this should still be doable the way I understand it, I don't know why it isn't.

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.