Why do I need Outbound NAT to go over VPN?

NAT
Log in to reply
  • V

    I have a site to site OpenVPN setup, partially like described here:

    https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1

    Besides there is a VPS with OpenVPN server on it

    OpenVPN server ip on VPS is 10.4.0.1.
    OpenVPN client IP is 10.4.0.5 - this is pfSense client
    Both are 10.4.0.0/24
    Net behind the pfSense with OpenVPN client is 192.168.5.0/24

    Now, there is another pfSense box with identical setup, which pfSense subnet is 192.168.15.0/24

    Let's say, I ping from 192.168.5.100 to 192.168.15.1, it comes as 192.168.5.100 => 10.4.0.5 =====> 10.4.0.1 =====> 10.4.0.15 => 192.168.15.1

    If I tcpdump on VPS, it shows that pinging from 10.4.0.5 and I get reply back. And it is Ok, since there is an outbound NAT, 192.168.5.100 => 10.4.0.5

    If I disable otbound NAT, I see ping on VPS, from 192.168.5.100 => 192.168.15.1 but no reply back.

    1.
    As much as I understand the only reason Outbound NAT in place there is to find a return route to 192.168.5.1? Is there a way to overcome it?
    Both, 192.168.5.0/24 and 192.168.15.0/24 are exposed in OpenVPN via iroute. And there is a corresponding route in server's openvpn.conf

    Here are relevant routes on VPS (OpenVPN Server):

    10.4.0.0/24 dev tun1  proto kernel  scope link  src 10.4.0.1
    192.168.5.0/24 via 10.4.0.1 dev tun1
    192.168.15.0/24 via 10.4.0.1 dev tun1

    2. Is there a way for a pfSense, to go to VPS services, listening on 10.4.0.1 without outbound NAT? I have no problem accessing it (Server tun IP) with outbound NAT disabled.
    But I need to keep Outbound NAT for #1, to access nets beyond the OVPN VPS
    I cannot just add another VPN server-client for that. Let's if I add one, VPS OVPN, 10.5.0.1.
    Than, if I add return route/iroute back to 192.168.5.0/24 it won't be added. Why? There is already route on server to 192.168.5.0/24 via 10.4.0.0/24 and 192.168.5.0/24 won't pass:

    /sbin/ip route add 192.168.5.0/24 via 10.5.0.1
    RTNETLINK answers: File exists.

    Obviously, this is a duplicate route

    The reason is, I am planning to move SIP Telephones to go over VPN with no NAT involved. Since all parts of private subnet are routable. Ideally, I can manage #1 and #2 so NAT is not needed at all

    0
  • Derelict
    LAYER 8 Netgate

    You don't need or want NAT.  Both LANs on either side of the OpenVPN instance need to have routes to each other.

    You need to push a route for 192.168.15.0/24 to the 192.168.5.0/24 site and push a route for 192.168.5.0/24 to the 192.168.15.0/24 site.

    Firewall rules on both sites OpenVPN tabs (or assigned interfaces) have to pass incoming connections from the desired sources.

    0
  • V

    Indeed, it worked.

    Starting with tutorial's rules, remote pfSense had OVN net access (10.4.0.0/24). While not for source machine which IP became non-masqueraded by NAT.

    Adding source net 192.168.5.0/24 rule made everything working, which makes sense.

    Time to clean up the rules and get rid of manual Outbound NAT. Especially, since pfSense 2.2 aliases made things way cleaner.

    Thanks a lot!

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy