Why do I need Outbound NAT to go over VPN?
I have a site to site OpenVPN setup, partially like described here:
Besides there is a VPS with OpenVPN server on it
OpenVPN server ip on VPS is 10.4.0.1.
OpenVPN client IP is 10.4.0.5 - this is pfSense client
Both are 10.4.0.0/24
Net behind the pfSense with OpenVPN client is 192.168.5.0/24
Now, there is another pfSense box with identical setup, which pfSense subnet is 192.168.15.0/24
Let's say, I ping from 192.168.5.100 to 192.168.15.1, it comes as 192.168.5.100 => 10.4.0.5 =====> 10.4.0.1 =====> 10.4.0.15 => 192.168.15.1
If I tcpdump on VPS, it shows that pinging from 10.4.0.5 and I get reply back. And it is Ok, since there is an outbound NAT, 192.168.5.100 => 10.4.0.5
If I disable otbound NAT, I see ping on VPS, from 192.168.5.100 => 192.168.15.1 but no reply back.
As much as I understand the only reason Outbound NAT in place there is to find a return route to 192.168.5.1? Is there a way to overcome it?
Both, 192.168.5.0/24 and 192.168.15.0/24 are exposed in OpenVPN via iroute. And there is a corresponding route in server's openvpn.conf
Here are relevant routes on VPS (OpenVPN Server):
10.4.0.0/24 dev tun1 proto kernel scope link src 10.4.0.1
192.168.5.0/24 via 10.4.0.1 dev tun1
192.168.15.0/24 via 10.4.0.1 dev tun1
2. Is there a way for a pfSense, to go to VPS services, listening on 10.4.0.1 without outbound NAT? I have no problem accessing it (Server tun IP) with outbound NAT disabled.
But I need to keep Outbound NAT for #1, to access nets beyond the OVPN VPS
I cannot just add another VPN server-client for that. Let's if I add one, VPS OVPN, 10.5.0.1.
Than, if I add return route/iroute back to 192.168.5.0/24 it won't be added. Why? There is already route on server to 192.168.5.0/24 via 10.4.0.0/24 and 192.168.5.0/24 won't pass:
/sbin/ip route add 192.168.5.0/24 via 10.5.0.1
RTNETLINK answers: File exists.
Obviously, this is a duplicate route
The reason is, I am planning to move SIP Telephones to go over VPN with no NAT involved. Since all parts of private subnet are routable. Ideally, I can manage #1 and #2 so NAT is not needed at all
You don't need or want NAT. Both LANs on either side of the OpenVPN instance need to have routes to each other.
You need to push a route for 192.168.15.0/24 to the 192.168.5.0/24 site and push a route for 192.168.5.0/24 to the 192.168.15.0/24 site.
Firewall rules on both sites OpenVPN tabs (or assigned interfaces) have to pass incoming connections from the desired sources.
Indeed, it worked.
Starting with tutorial's rules, remote pfSense had OVN net access (10.4.0.0/24). While not for source machine which IP became non-masqueraded by NAT.
Adding source net 192.168.5.0/24 rule made everything working, which makes sense.
Time to clean up the rules and get rid of manual Outbound NAT. Especially, since pfSense 2.2 aliases made things way cleaner.
Thanks a lot!