OpenVPN Server and client, NAT issues… 50% packet loss, wrong routing.
-
Hi all,
I'm running 2.1-Release (i386) and I've spotted an interesting issue when running OpenVPN with both Server and clients.
I have created an OpenVPN server (Access, SSS+ Auth), all was running fine, iPhone and the like connect and work well.
I then added a standard road warrior client certificate into my office, with my normal method of NATing all my LAN traffic bound for the office subnet to be the interface address. (So it looks like a single client).
Outbound Nat:
Interface: OpenVPN
Source: 192.168.0.0/24
Destination: 10.xx.0.0/16
Translation / NAT Address: Interface address
Testing with a ping it was only working on alternate pings:
$ ping 10.xx.18.2
PING 10.xx.18.2 (10.xx.18.2): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
^C
ctrl-c, then immediately ping again:
$ ping 10.xx.18.2
PING 10.xx.18.2 (10.xx.18.2): 56 data bytes
64 bytes from 10.xx.18.2: icmp_seq=0 ttl=62 time=17.465 ms
64 bytes from 10.xx.18.2: icmp_seq=1 ttl=62 time=36.284 ms
64 bytes from 10.xx.18.2: icmp_seq=2 ttl=62 time=17.079 ms
64 bytes from 10.xx.18.2: icmp_seq=3 ttl=62 time=17.723 ms
^C
and so on.
Checking with a packet capture it looked like it was NATing to the OpenVPN server before trying to send it down the tunnel.
Example packet capture on the OpenVPN interface:
12 2013-12-06 13:47:23.047396 10.xx.16.6 10.xx.18.2 ICMP 88 Echo (ping) request id=0xa65d, seq=1/256, ttl=63
16 2013-12-06 13:47:25.494647 192.168.168.1 10.xx.18.2 ICMP 88 Echo (ping) request id=0xe044, seq=0/0, ttl=63
10.xx.16.6 = the assigned OpenVPN road warrior client address
192.168.168.1 = the OpenVPN server on my pfSense.
I've deleted my server and the link to the office is working fine.
Any suggestions as to how I can run both a server and client in this setup? I don't want to set up a dedicated routed VPN service on the corporate network just for this - surely I can use this…?
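To check a capture for the symptom described above (echo requests leaving the tunnel with the local OpenVPN server's address as source instead of the address the office server assigned to the road warrior client), here is an added Python example; it is not code from the thread or from pfSense. The capture lines are constructed in the same column layout as the post's, and the two addresses are the ones the post names.

```python
import re

# Constructed capture lines in the same layout as the post's packet capture
# (frame, date, time, src, dst, proto, length, info). "10.xx." is the
# placeholder the post itself uses for the office subnet.
CAPTURE = """\
12 2013-12-06 13:47:23.047396 10.xx.16.6 10.xx.18.2 ICMP 88 Echo (ping) request id=0xa65d, seq=1/256, ttl=63
16 2013-12-06 13:47:25.494647 192.168.168.1 10.xx.18.2 ICMP 88 Echo (ping) request id=0xe044, seq=0/0, ttl=63
"""

# From the post: the tunnel address assigned to the road warrior client
# (the source every packet into the office should carry) and the address of
# the local OpenVPN server instance, which should never appear as source here.
CLIENT_TUNNEL_ADDR = "10.xx.16.6"
LOCAL_SERVER_ADDR = "192.168.168.1"

LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*)$"
)


def parse_capture(text):
    """Parse capture lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def classify_echo_requests(rows, expected_src=CLIENT_TUNNEL_ADDR,
                           wrong_src=LOCAL_SERVER_ADDR):
    """Split ICMP echo requests by source: correctly NATed, NATed to the
    local server address (the misrouting the post describes), or other."""
    ok, misnatted, other = [], [], []
    for r in rows:
        if r["proto"] != "ICMP" or "request" not in r["info"]:
            continue
        frame = int(r["frame"])
        if r["src"] == expected_src:
            ok.append(frame)
        elif r["src"] == wrong_src:
            misnatted.append(frame)
        else:
            other.append(frame)
    return ok, misnatted, other


if __name__ == "__main__":
    ok, bad, other = classify_echo_requests(parse_capture(CAPTURE))
    print(f"ok={ok} misnatted={bad} other={other}")
```

A non-empty misnatted list means the outbound NAT rule matched the wrong OpenVPN instance for those frames, which is the alternate-ping pattern seen in the thread.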
-
I know it's bad form to answer yourself, but I still haven't managed to get this working.
Can anyone recreate this, or have I found an odd one?
-
I never noticed that you can pick "OpenVPN" as the interface for outbound NAT. I would not think that will work nicely when you have multiple OpenVPN instances (server and/or client) because you are most likely to want to NAT differently for traffic exiting each particular OpenVPN instance.
I expect you need to assign your OpenVPN instances as actual interfaces. Then you can put firewall and NAT rules for each interface.
-
I'm not entirely sure how to do that. I'll have to take a closer look.
What I don't get though, is why it's doing it the way that it is.
Surely, a NAT rule of "From this subnet -> To Another subnet, NAT to this address" would work or it wouldn't, not only do it on alternate IP sessions.
-
Bad form in posting back to my old posts, but just to let you know, that I've finally fixed it.
Phil, I dug around regarding your suggestion and found this:
https://forum.pfsense.org/index.php?topic=76015.0
All working as intended!
I've not restarted any of my client VPN connections, or rebooted, but I'm sure that if the client comes up with the same interface (ovpnc1) then I consider myself a happy chap.
Only 1 year in the making… wow.