Netgate Discussion Forum
    Why do I need Outbound NAT to go over VPN?

    Vetal

      I have a site to site OpenVPN setup, partially like described here:

      https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1

      Besides, there is a VPS with an OpenVPN server on it.

      The OpenVPN server IP on the VPS is 10.4.0.1.
      The OpenVPN client IP is 10.4.0.5 - this is the pfSense client.
      Both are in 10.4.0.0/24.
      The net behind the pfSense with the OpenVPN client is 192.168.5.0/24.

      Now, there is another pfSense box with an identical setup, whose pfSense subnet is 192.168.15.0/24.

      Let's say I ping from 192.168.5.100 to 192.168.15.1; it goes as 192.168.5.100 => 10.4.0.5 =====> 10.4.0.1 =====> 10.4.0.15 => 192.168.15.1

      If I tcpdump on the VPS, it shows the ping coming from 10.4.0.5 and I get a reply back. And that is OK, since there is an outbound NAT, 192.168.5.100 => 10.4.0.5.

      If I disable outbound NAT, I see the ping on the VPS from 192.168.5.100 => 192.168.15.1, but no reply back.

      1.
      As much as I understand, the only reason the Outbound NAT is in place there is to find a return route to 192.168.5.1? Is there a way to overcome it?
      Both 192.168.5.0/24 and 192.168.15.0/24 are exposed in OpenVPN via iroute, and there is a corresponding route in the server's openvpn.conf.

      Here are relevant routes on VPS (OpenVPN Server):

      10.4.0.0/24 dev tun1  proto kernel  scope link  src 10.4.0.1
      192.168.5.0/24 via 10.4.0.1 dev tun1
      192.168.15.0/24 via 10.4.0.1 dev tun1

      2. Is there a way for pfSense to reach VPS services listening on 10.4.0.1 without outbound NAT? I have no problem accessing it (the server tun IP) with outbound NAT disabled.
      But I need to keep Outbound NAT for #1, to access nets beyond the OVPN VPS.
      I cannot just add another VPN server-client for that. Let's say I add one, VPS OVPN, 10.5.0.1.
      Then, if I add a return route/iroute back to 192.168.5.0/24, it won't be added. Why? There is already a route on the server to 192.168.5.0/24 via 10.4.0.0/24, and 192.168.5.0/24 won't pass:

      /sbin/ip route add 192.168.5.0/24 via 10.5.0.1
      RTNETLINK answers: File exists.

      Obviously, this is a duplicate route.

      The reason is, I am planning to move SIP telephones to go over the VPN with no NAT involved, since all parts of the private subnet are routable. Ideally, I can manage #1 and #2 so that NAT is not needed at all.

      Derelict (LAYER 8, Netgate)

        You don't need or want NAT. Both LANs on either side of the OpenVPN instance need to have routes to each other.

        You need to push a route for 192.168.15.0/24 to the 192.168.5.0/24 site and push a route for 192.168.5.0/24 to the 192.168.15.0/24 site.

        Firewall rules on both sites' OpenVPN tabs (or assigned interfaces) have to pass incoming connections from the desired sources.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          Vetal
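The return-path problem Derelict describes, as an added example that is not from the thread: a small Python model of the three routing tables, constructed from the addresses in the posts (the default route out the WAN on each pfSense is an assumption, as is modelling the VPS purely by its client tun IPs and iroutes). It traces the echo request and its reply with outbound NAT on, with NAT off and no route, and with the pushed route, showing that NAT was only hiding the missing route.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

# Constructed tables built from the addresses in the thread. A next hop is either a
# neighbour node name, "lan" (delivered locally) or "wan" (default route, i.e. lost).
SITE_A = [                              # pfSense behind 192.168.5.0/24, tun 10.4.0.5
    ("0.0.0.0/0", "wan"), ("192.168.5.0/24", "lan"),
    ("10.4.0.5/32", "lan"),             # own tun address: NAT state maps it back to .5.100
    ("10.4.0.0/24", "vps"), ("192.168.15.0/24", "vps"),
]
SITE_B = [                              # pfSense behind 192.168.15.0/24, tun 10.4.0.15
    ("0.0.0.0/0", "wan"), ("192.168.15.0/24", "lan"), ("10.4.0.0/24", "vps"),
]
SITE_B_PUSHED = SITE_B + [("192.168.5.0/24", "vps")]   # after the server pushes the route
VPS = [                                 # OpenVPN server: client tun IPs plus iroutes
    ("10.4.0.5/32", "site_a"), ("192.168.5.0/24", "site_a"),
    ("10.4.0.15/32", "site_b"), ("192.168.15.0/24", "site_b"),
]
NODES = {"site_a": SITE_A, "site_b": SITE_B, "vps": VPS}

def trace(start, dst, nodes=NODES):
    """Hop-by-hop path of a packet for dst, ending in 'lan', 'wan', 'dropped' or 'loop'."""
    path, node = [start], start
    for _ in range(8):                  # bound the walk so a routing loop cannot hang it
        hop = lookup(nodes[node], dst)
        if hop is None:
            return path + ["dropped"]
        path.append(hop)
        if hop in ("lan", "wan"):
            return path
        node = hop
    return path + ["loop"]

def ping_ok(site_b_table, nat):
    """Echo request 192.168.5.100 -> 192.168.15.1 and its reply; True only if both land."""
    nodes = dict(NODES, site_b=site_b_table)
    request = trace("site_a", "192.168.15.1", nodes)
    # With outbound NAT the reply is addressed to 10.4.0.5 (on-link for site B);
    # without it the reply is addressed to 192.168.5.100, which needs a real route.
    reply = trace("site_b", "10.4.0.5" if nat else "192.168.5.100", nodes)
    return request[-1] == "lan" and reply[-1] == "lan"
```

The model covers routing only; as Derelict notes, the OpenVPN-tab firewall rules on each site still have to pass the traffic once the routes exist.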

          Indeed, it worked.

          Starting with the tutorial's rules, the remote pfSense had OVPN net access (10.4.0.0/24), but not the source machine, whose IP became non-masqueraded by NAT.

          Adding a source net 192.168.5.0/24 rule made everything work, which makes sense.

          Time to clean up the rules and get rid of the manual Outbound NAT. Especially since pfSense 2.2 aliases made things way cleaner.

          Thanks a lot!
