OpenVPN access to WAN IP over NAT returns real source IP and not vpn ip address



  • I have a pfSense 2.1 setup (apu pcengines.ch board) with OpenVPN installed mainly according to http://www.packetwatch.net/documents/guides/2012050801.php, working as expected.
    WAN access occurs over DSL, single static IP address (80.254.y.z).
    LAN network is 192.168.1.0/24; the internal LAN IP address of the pfSense router is 192.168.1.100.
    OpenVPN network is 192.168.42.0/24. "Force all client generated traffic through the tunnel." is active on both server and client; the assigned client IP here is 192.168.42.6.
    The OpenVPN client is on a cable network, with dynamic IP address 194.x.y.z.

    http://WAN_IP and https://WAN_IP accesses from any external IP are served via NAT by a server running internally under the IP 192.168.1.151.
    I have a test page under http://192.168.1.151/ip.php which simply returns the value of $_SERVER["REMOTE_HOST"].

    My issue is the fifth line:

    • when accessing http://192.168.1.151/ip.php from the LAN, it returns the IP of the client (another 192.168.1.0/24 address): ok

    • when accessing http://WAN_IP/ip.php from outside (internet), it returns the real IP of the client: ok

    • when accessing http://WAN_IP/ip.php from the LAN, it returns 192.168.1.100 (the IP of the router): still ok (even if getting the real LAN IP address would be nice)

    • when accessing http://192.168.1.151/ip.php after activating the VPN client, the page returns 192.168.42.6 from the VPN range: ok

    • BUT when accessing http://WAN_IP/ip.php with the VPN active, the page returns the real IP address of the client (194.x.y.z), and not 192.168.42.x as I would expect.

    I tried to "fix" this by following https://forum.pfsense.org/index.php/topic,65793.msg359377.html ("OpenVPN to IP Alias, NAT reflection not working") or https://forum.pfsense.org/index.php?topic=43507.0 ("OpenVpn and NAT for same subnet"), but I have not succeeded so far, even if I guess it might be the right direction. What do you think?

    Any other suggestion would be more than welcome :) Many thanks in advance & regards.



  • It sounds like "Force all client generated traffic through the tunnel." is not happening.
    What happens if you bring up the OpenVPN link and browse to http://checkip.dyndns.org/?
    That should show you the pfSense WAN public IP, because your traffic should be going over the tunnel to pfSense and then get NAT'd out the pfSense WAN.



  • Thanks for your answer Phil !

    @phil.davis:

    It sounds like "Force all client generated traffic through the tunnel." is not happening.
    What happens if you bring up the OpenVPN link and browse to http://checkip.dyndns.org/?

    It works as expected, showing "Current IP Address: 80.254.y.z". 
    The problem only occurs when trying to access the NAT'ed server over the WAN IP address.



  • The initial issue is still not solved, and today we noticed another problematic phenomenon: if the client initiating the OpenVPN connection has a local IP in the same range as our office LAN (also 192.168.1.0/24), it can only access external hosts over the VPN (for example www.pfsense.org), but cannot connect to any office LAN hosts (192.168.1.151 for example).

    This can be fixed by changing the DHCP range on the client side, but is there really no other way? I thought OpenVPN would be able to handle this somehow differently. Otherwise I will probably have to change the range of our office LAN to something "better" than 192.168.1.0/24…

    Thanks & regards.



  • Why wouldn't you instead change the IP Tunnel Network?  I thought I remembered reading somewhere that you shouldn't use the same subnet for your OpenVPN clients and LAN clients.  My local LAN is 10.10.0.0/16 and I have the OpenVPN clients using 192.168.1.0/24.



  • The private LAN that the client happens to be on needs to have a different subnet from the remote LANs it needs to reach, because the client does need to talk locally to at least its default gateway to actually send the encrypted OpenVPN packets through real networks from itself to the server on pfSense.
    Yes, change your LAN to some more obscure private subnet.
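Both symptoms in this thread come out of plain longest-prefix-match routing on the client, and the script below (an added example, not code from the thread, from pfSense or from OpenVPN) reproduces them on a simplified copy of the client's routing table. Two facts about OpenVPN drive it: the pfSense "Force all client generated traffic through the tunnel" option pushes `redirect-gateway def1`, which overrides the default route with two /1 routes through the tunnel, and OpenVPN also installs a /32 host route for the VPN server's address via the original local gateway so that the encrypted tunnel packets themselves never get routed into the tunnel. That host route is why a request to http://WAN_IP leaves the client's cable connection directly and arrives with the real 194.x.y.z source. The second symptom, a client LAN that overlaps the office LAN, is the tie between two /24 routes; the assumption made here is that the directly connected route wins that tie (lower metric), which is what operating systems do in practice. The addresses 198.51.100.1 (standing in for the pfSense WAN IP) and 203.0.113.10 (any internet host) are constructed placeholders; the interface names eth0/tun0 and the metrics are illustrative.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed placeholders standing in for the thread's values.
VPN_SERVER = "198.51.100.1"      # pfSense WAN IP (the thread's 80.254.y.z)
TUNNEL_NET = "192.168.42.0/24"   # OpenVPN tunnel network from the thread
OFFICE_LAN = "192.168.1.0/24"    # office LAN behind pfSense from the thread
OFFICE_HOST = "192.168.1.151"    # internal web server from the thread
EXTERNAL_HOST = "203.0.113.10"   # stands in for any internet host (e.g. www.pfsense.org)

# A route is (destination network, egress interface, metric); lower metric wins ties.
Route = Tuple[ipaddress.IPv4Network, str, int]


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match; among equal prefix lengths the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    best_key = None
    best_iface = None
    for net, iface, metric in routes:
        if addr in net:
            key = (net.prefixlen, -metric)
            if best_key is None or key > best_key:
                best_key, best_iface = key, iface
    return best_iface


def client_routes(client_lan: str) -> List[Route]:
    """Simplified client routing table after OpenVPN connects with redirect-gateway def1."""
    n = lambda s: ipaddress.ip_network(s, strict=False)
    return [
        (n("0.0.0.0/0"), "eth0", 100),       # original default route via the local gateway
        (n(client_lan), "eth0", 0),          # the client's directly connected LAN
        (n(f"{VPN_SERVER}/32"), "eth0", 0),  # host route OpenVPN installs so tunnel packets bypass the tunnel
        (n("0.0.0.0/1"), "tun0", 0),         # redirect-gateway def1: two /1 routes beat the /0 default
        (n("128.0.0.0/1"), "tun0", 0),
        (n(TUNNEL_NET), "tun0", 0),          # the tunnel network itself
        (n(OFFICE_LAN), "tun0", 10),         # pushed route to the office LAN (assumption: loses ties to connected routes)
    ]


def egress_summary(client_lan: str) -> Dict[str, Optional[str]]:
    """Which interface the client uses for the three destinations discussed in the thread."""
    routes = client_routes(client_lan)
    return {dst: lookup(routes, dst) for dst in (VPN_SERVER, OFFICE_HOST, EXTERNAL_HOST)}


def overlapping_networks(*nets: str) -> List[Tuple[str, str]]:
    """Return every pair of the given networks that overlap; an empty list means the plan is sane."""
    parsed = [ipaddress.ip_network(s, strict=False) for s in nets]
    found = []
    for i in range(len(parsed)):
        for j in range(i + 1, len(parsed)):
            if parsed[i].overlaps(parsed[j]):
                found.append((str(parsed[i]), str(parsed[j])))
    return found


if __name__ == "__main__":
    for lan in ("192.168.1.0/24", "192.168.5.0/24"):
        print(f"client LAN {lan}: {egress_summary(lan)}")
        print("  overlaps:", overlapping_networks(lan, TUNNEL_NET, OFFICE_LAN))
```

With the client on the overlapping 192.168.1.0/24 the office host resolves to eth0 (unreachable, as the fourth post reports) while any internet host goes through tun0; after renumbering the client LAN to 192.168.5.0/24 the office host goes through tun0. In both cases the WAN IP itself egresses via eth0 because of the /32 host route, so a request to http://WAN_IP never traverses the tunnel regardless of NAT reflection settings on pfSense.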