DNAT to OpenVPN tunnel endpoint



  • I have set up an OpenVPN endpoint with a "redirect def1" so that a route is created so that all traffic (other than to the endpoint itself) is routed via the OpenVPN tunnel. When I route from a LAN client, it works, and traffic to any internet address except the VPN endpoint goes via the tunnel.

    Is there a way to NAT traffic incoming from the LAN interface such that if a LAN client tries to access the OpenVPN endpoint's internet address, the destination is rewritten to the remote tunnel endpoint which is 192.168.22.1? Basically, I would like all traffic from my LAN to get sent over the tunnel including that to the endpoint's external IP address.

    Of course, I can't use a route because pfSense itself needs to be able to route to the endpoint's external IP address over the internet.

    Thanks
    Peter



  • Will a NAT 1:1 on packets arriving on LAN for the external VPN IP, NATing them to the internal VPN tunnel work?
    That should not break pfSense itself getting out and establishing the VPN link.




  • @phil.davis:

    Will a NAT 1:1 on packets arriving on LAN for the external VPN IP, NATing them to the internal VPN tunnel work?
    That should not break pfSense itself getting out and establishing the VPN link.

    OK. I've got it to work by adding a Port Forward as follows:

    Interface: LAN
    proto: UDP
    Src addr: *
    Src ports: *
    Dest addr.: external address of endpoint
    Dest. ports: 1-65535
    NAT IP: 192.168.22.1
    NAT Ports: 1-65536

    I've added a similar rule for TCP (adding a TCP/UDP rule didn't seem to work somehow) and also for ICMP.

    regards
    Peter
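
The port-forward rules described in the reply above, written out as an equivalent pf.conf fragment. This is an added example, not configuration from the thread or from pfSense; the LAN interface name and the server's public IP are placeholders, and 192.168.22.1 is the tunnel peer from the thread.

```pf
# Constructed pf.conf fragment (added example); em1 and 198.51.100.7 are placeholders.
lan_if     = "em1"              # assumed LAN interface
vpn_server = "198.51.100.7"     # placeholder: public IP of the OpenVPN server
tun_peer   = "192.168.22.1"     # remote tunnel endpoint from the thread

# Translation: only packets arriving on LAN for the server's public IP are
# rewritten. pfSense's own OpenVPN client traffic leaves via WAN and never
# matches, so the tunnel itself can still be established.
# Leaving the redirect port off the "->" target keeps the original
# destination port, so no port range needs to be spelled out.
rdr on $lan_if inet proto { tcp udp } from $lan_if:network to $vpn_server port 1:65535 -> $tun_peer
rdr on $lan_if inet proto icmp from $lan_if:network to $vpn_server -> $tun_peer

# Filter: pf evaluates filter rules on the post-translation destination,
# so the pass rule must name the tunnel peer, not the public IP.
pass in quick on $lan_if inet proto { tcp udp icmp } from $lan_if:network to $tun_peer keep state
```

The rdr is scoped to the LAN interface on purpose: a rule matching on any interface could also rewrite the firewall's own connection to the server and break the tunnel it depends on.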