Netgate Discussion Forum
    DNAT to OpenVPN tunnel endpoint

    NAT  |  3 Posts  |  2 Posters

    whiskerp:

      I have set up an OpenVPN endpoint with a "redirect def1" so that a route is created so that all traffic (other than to the endpoint itself) is routed via the OpenVPN tunnel. When I route from a LAN client, it works, and traffic to any internet address except the VPN endpoint goes via the tunnel.

      Is there a way to NAT traffic incoming from the LAN interface such that if a LAN client tries to access the OpenVPN endpoint's internet address, the destination is rewritten to the remote tunnel endpoint, which is 192.168.22.1? Basically, I would like all traffic from my LAN to get sent over the tunnel, including that to the endpoint's external IP address.

      Of course, I can't use a route, because pfSense itself needs to be able to route to the endpoint's external IP address over the internet.

      Thanks
      Peter

        phil.davis:

        Will a NAT 1:1 on packets arriving on LAN for the external VPN IP, NATing them to the internal VPN tunnel work?
        That should not break pfSense itself getting out and establishing the VPN link.

        [attached screenshot: NAT-1-1-from-LAN-to-VPN.png, the 1:1 NAT entry on LAN]


          whiskerp:

          @phil.davis:

          Will a NAT 1:1 on packets arriving on LAN for the external VPN IP, NATing them to the internal VPN tunnel work?
          That should not break pfSense itself getting out and establishing the VPN link.

          OK. I've got it to work by adding a Port Forward as follows:

          Interface: LAN
          proto: UDP
          Src addr: *
          Src ports: *
          Dest addr.: external address of endpoint
          Dest. ports: 1-65535
          NAT IP: 192.168.22.1
          NAT Ports: 1-65536

          I've added a similar rule for TCP (adding a TCP/UDP rule didn't seem to work somehow) and also for ICMP.

          regards
          Peter

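The two posts above argue about which packets the rdr catches and why a static route cannot do the same job. The script below is an added example, not code from the thread or from pfSense: it models pfSense's routing table after OpenVPN's `redirect-gateway def1` (two /1 routes plus a /32 host route to the server) as a longest-prefix-match lookup, and models the LAN port forward from the last post as a destination rewrite that is evaluated only on LAN ingress. The server's public IP 203.0.113.10, the WAN address 198.51.100.5, the LAN subnet 192.168.1.0/24 and the tunnel subnet 192.168.22.0/24 are constructed values; 192.168.22.1 is the remote tunnel endpoint named in the thread.

```python
import ipaddress

# Added example, not from the thread. Constructed addresses: the OpenVPN
# server's public IP, pfSense's WAN IP, the LAN subnet and the tunnel subnet
# are assumptions. 192.168.22.1 is the remote tunnel endpoint the poster names.
VPN_SERVER = ipaddress.ip_address("203.0.113.10")   # assumed public IP of the OpenVPN server
WAN_IP = ipaddress.ip_address("198.51.100.5")       # assumed pfSense WAN address
LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # assumed LAN subnet
TUN_PEER = ipaddress.ip_address("192.168.22.1")     # remote tunnel endpoint (from the thread)

# pfSense's routing table once OpenVPN has applied "redirect-gateway def1":
# the two /1 routes are more specific than the WAN default, so everything goes
# into the tunnel, except the /32 host route that keeps the tunnel's own UDP
# packets to the server on the WAN.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),              # original default route
    (ipaddress.ip_network("0.0.0.0/1"), "ovpn"),             # added by redirect-gateway def1
    (ipaddress.ip_network("128.0.0.0/1"), "ovpn"),           # added by redirect-gateway def1
    (ipaddress.ip_network(str(VPN_SERVER) + "/32"), "wan"),  # host route to the VPN server
    (LAN_NET, "lan"),
    (ipaddress.ip_network("192.168.22.0/24"), "ovpn"),       # assumed tunnel subnet
]


def lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface name."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in ROUTES if dst in net]
    return max(matches)[1]


def lan_rdr(src, dst, proto):
    """The port forward from the thread, as a pure function on the destination.

    A packet entering on LAN, from the LAN subnet, addressed to the server's
    public IP, gets its destination rewritten to the tunnel peer for any port
    of tcp, udp or icmp. Anything else is returned unchanged.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LAN_NET and dst == VPN_SERVER and proto in ("tcp", "udp", "icmp"):
        return TUN_PEER
    return dst


def egress(src, dst, proto, ingress):
    """Interface a packet leaves on: rdr is evaluated only on LAN ingress,
    then the routing table decides."""
    if ingress == "lan":
        dst = lan_rdr(src, dst, proto)
    return lookup(dst)


def demo():
    """The four cases the thread argues about, keyed by description."""
    lan_host = "192.168.1.50"  # assumed LAN client
    return {
        "lan client -> internet": egress(lan_host, "8.8.8.8", "tcp", "lan"),
        "lan client -> server, no rdr": lookup(VPN_SERVER),
        "lan client -> server, with rdr": egress(lan_host, VPN_SERVER, "udp", "lan"),
        "pfSense tunnel -> server": egress(WAN_IP, VPN_SERVER, "udp", "local"),
    }


if __name__ == "__main__":
    for case, iface in demo().items():
        print(f"{case:32} -> {iface}")
```

Without the rdr, a LAN client's packet to the server's public IP hits the /32 host route and leaves on WAN; with it, the destination becomes 192.168.22.1 and the tunnel route wins. pfSense's own OpenVPN packets never enter on LAN, so the rdr cannot touch them, which is why a LAN-side NAT works where a static route (which would also capture the tunnel's own traffic) cannot. Two practical caveats: what the client then reaches is the server's tunnel-side address, so a service must be listening on 192.168.22.1 (not only on the public IP) to answer, and valid port ranges end at 65535.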
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.