Why do I need Outbound NAT to go over VPN?



  • I have a site to site OpenVPN setup, partially like described here:

    https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1

    Besides there is a VPS with OpenVPN server on it

    OpenVPN server ip on VPS is 10.4.0.1.
    OpenVPN client IP is 10.4.0.5 - this is the pfSense client
    Both are in 10.4.0.0/24
    The net behind the pfSense with the OpenVPN client is 192.168.5.0/24

    Now, there is another pfSense box with an identical setup, whose pfSense subnet is 192.168.15.0/24

    Let's say, I ping from 192.168.5.100 to 192.168.15.1, it comes as 192.168.5.100 => 10.4.0.5 =====> 10.4.0.1 =====> 10.4.0.15 => 192.168.15.1

    If I tcpdump on the VPS, it shows the ping coming from 10.4.0.5, and I get the reply back. And that is OK, since there is an outbound NAT, 192.168.5.100 => 10.4.0.5

    If I disable outbound NAT, I see the ping on the VPS, from 192.168.5.100 => 192.168.15.1, but no reply back.

    1.
    As far as I understand, the only reason Outbound NAT is in place there is to find a return route to 192.168.5.1? Is there a way to overcome it?
    Both 192.168.5.0/24 and 192.168.15.0/24 are exposed in OpenVPN via iroute, and there is a corresponding route in the server's openvpn.conf.

    Here are relevant routes on VPS (OpenVPN Server):

    10.4.0.0/24 dev tun1  proto kernel  scope link  src 10.4.0.1
    192.168.5.0/24 via 10.4.0.1 dev tun1
    192.168.15.0/24 via 10.4.0.1 dev tun1

    2. Is there a way for a pfSense to reach VPS services listening on 10.4.0.1 without outbound NAT? I have no problem accessing it (the server tun IP) with outbound NAT disabled.
    But I need to keep Outbound NAT for #1, to access the nets beyond the OVPN VPS.
    I cannot just add another VPN server-client for that. Let's say I add one, VPS OVPN, 10.5.0.1.
    Then, if I add a return route/iroute back to 192.168.5.0/24, it won't be added. Why? There is already a route on the server to 192.168.5.0/24 via 10.4.0.0/24, and 192.168.5.0/24 won't pass:

    /sbin/ip route add 192.168.5.0/24 via 10.5.0.1
    RTNETLINK answers: File exists.

    Obviously, this is a duplicate route.

    The reason is, I am planning to move SIP telephones over the VPN with no NAT involved, since all parts of the private subnet are routable. Ideally, I can manage #1 and #2 so that NAT is not needed at all.


  • LAYER 8 Netgate

    You don't need or want NAT. Both LANs on either side of the OpenVPN instance need to have routes to each other.

    You need to push a route for 192.168.15.0/24 to the 192.168.5.0/24 site and push a route for 192.168.5.0/24 to the 192.168.15.0/24 site.

    Firewall rules on both sites' OpenVPN tabs (or assigned interfaces) have to pass incoming connections from the desired sources.
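
To make the answer above concrete, here is an added example of what the server side of such a routed, no-NAT setup looks like in OpenVPN terms. It is not configuration from the original post or from the pfSense documentation it links. It keeps the addresses from the thread (VPN 10.4.0.0/24, LANs 192.168.5.0/24 and 192.168.15.0/24); the file paths, the `topology subnet` choice and the client-config-dir entry names `site5` and `site15` (which must match each pfSense client's certificate common name) are assumptions for illustration.

```conf
# /etc/openvpn/server.conf on the VPS (added example, not from the thread)
dev tun
topology subnet
server 10.4.0.0 255.255.255.0

# Kernel routes on the VPS: replies to an un-NATed source such as
# 192.168.5.100 must go back into the tunnel, not out the default gateway.
route 192.168.5.0 255.255.255.0
route 192.168.15.0 255.255.255.0

# Per-client files below tell OpenVPN itself which client owns which LAN.
client-config-dir /etc/openvpn/ccd

# Optional: forward traffic between VPN clients inside OpenVPN instead of
# relying on kernel forwarding (net.ipv4.ip_forward=1) between tun clients.
client-to-client

# ---- /etc/openvpn/ccd/site5 : CN of the pfSense in front of 192.168.5.0/24 ----
# iroute: accept packets from this client with a 192.168.5.x source; without it
# OpenVPN drops them as "bad source address from client".
iroute 192.168.5.0 255.255.255.0
# push: give this site a route to the other LAN through the tunnel.
push "route 192.168.15.0 255.255.255.0"

# ---- /etc/openvpn/ccd/site15 : CN of the pfSense in front of 192.168.15.0/24 ----
iroute 192.168.15.0 255.255.255.0
push "route 192.168.5.0 255.255.255.0"
```

With this in place the only remaining piece is what the answer says about firewall rules: on each pfSense, the OpenVPN tab (or the assigned interface) needs a pass rule whose source is the remote LAN (for example source 192.168.15.0/24 on the 192.168.5.0/24 site), because with the outbound NAT rule removed the remote side now sees the real 192.168.x.y source instead of 10.4.0.5. A quick check on the VPS after removing the NAT rule is `tcpdump -ni tun1 icmp` while pinging 192.168.15.1 from 192.168.5.100: both the request from 192.168.5.100 and the reply from 192.168.15.1 should appear, where before only the request did.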



  • Indeed, it worked.

    Starting with the tutorial's rules, the remote pfSense had OVPN net access (10.4.0.0/24), but not the source machine, whose IP was no longer masqueraded by NAT.

    Adding a rule for source net 192.168.5.0/24 made everything work, which makes sense.

    Time to clean up the rules and get rid of the manual Outbound NAT. Especially since pfSense 2.2 aliases made things way cleaner.

    Thanks a lot!

