disable NAT in openvpn
On the OpenVPN server there must be a rule like
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
You can find it with
iptables -t nat -L -n -v
You must suppress this rule.
If, as you claim (but did you run
iptables -t nat -L -n -v
to double-check?), there are no iptables rules at play, the only other possibility is that NATting is done through the iproute2 suite. Do
cat /etc/iproute2/rt_tables
jot down the names of the tables you have, then issue
ip route show table TABLE_NAME | grep ^nat
and see whether you can find some output. If you do, it means that the packet headers are rewritten by the iproute2 command ip route add nat ... All you need to do is to delete the routing table in question.
These are the two possibilities, tertium non datur.
Now you need to add a rule to the router to route packets for the OpenVPN subnet 10.0.0.0/24 via the OpenVPN server (let's assume it has IP address 192.168.0.127). If the router were a Linux machine the following command would do:
ip route add 10.0.0.0/24 via 192.168.0.127
Most routers, like Cisco's, have an Advanced routing capability, to be found in their GUI. You should use that to specify the route above.
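Before flushing the whole nat table, it is safer to delete only the MASQUERADE rule that covers the VPN subnet, so that any other NAT rules on the server (port forwards, other subnets) survive. The following is an added example, not part of the answer above: it reads iptables-save output for the nat table and prints the exact iptables -t nat -D command for each POSTROUTING MASQUERADE rule whose source is the given subnet. The sample table is constructed for the demonstration; the rule is assumed to be keyed on the VPN subnet as source, as in the rule quoted above.

```sh
#!/bin/sh
# Constructed sample of `iptables-save -t nat` output: one MASQUERADE rule for
# the OpenVPN subnet 10.0.0.0/24 (the one we want gone), one MASQUERADE rule for
# an unrelated LAN, and a DNAT port forward. A blanket `iptables -t nat -F`
# would wipe all three; we only want the first.
SAMPLE_NAT='# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.0.50:80
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.5.0/24 -j MASQUERADE
COMMIT'

# masq_delete_cmds SUBNET
# Reads iptables-save text on stdin and prints one `iptables -t nat -D ...`
# command per POSTROUTING rule that both matches "-s SUBNET" and jumps to
# MASQUERADE. Each printed command removes exactly that rule, leaving the
# rest of the nat table untouched. Nothing is executed here; review the
# output, then run it (as root) on the OpenVPN server.
masq_delete_cmds() {
    subnet="$1"
    grep -- '^-A POSTROUTING ' \
        | grep -F -- "-s $subnet " \
        | grep -F -- '-j MASQUERADE' \
        | sed 's/^-A /iptables -t nat -D /'
}

# Count of matching rules, useful as a quick "is NAT still configured?" check
# (prints 0 when the subnet is no longer masqueraded).
masq_rule_count() {
    masq_delete_cmds "$1" | grep -c '^iptables'
}

# Demonstration on the constructed sample (real use: iptables-save -t nat | ...)
printf '%s\n' "$SAMPLE_NAT" | masq_delete_cmds 10.0.0.0/24
```

On the real server run `iptables-save -t nat | masq_delete_cmds 10.0.0.0/24`, execute the printed command, and then check `iptables -t nat -L -n -v` again; if the rule is re-added by a startup script the deletion will not survive a reboot, so the script must be edited as well.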
Hans
Updated on September 18, 2022
Comments
-
Hans almost 2 years
I'm having a similar problem to this: OpenVPN without NAT
Seems it wasn't answered yet.
Description of my situation: I have an OpenVPN server on network A which another admin installed before he left the company. Now several users and servers connect to that OpenVPN server to access network A and get NATed, so all requests from VPN users/servers have the source address of the OpenVPN server.
Now I need a server on network A to access one of the OpenVPN clients/servers, and I want to disable NAT in OpenVPN to expose the "VPN internal" IP addresses of these clients and servers.
I know that I need to add a route on network A to access the VPN network; that's clear to me, but I cannot see how to disable NAT in OpenVPN. Also there are no iptables rules present, so some OpenVPN internal NAT mechanism seems to be in use.
Which options do I need to check to disable NAT?
-
Hans almost 9 years
As I said, there are no iptables rules present on the OpenVPN server. I monitored network traffic using tcpdump on the OpenVPN server: when looking at the tun device of OpenVPN, I can see traffic with the source address of the VPN client's tunnel IP and a destination IP on network A. When looking at the network A interface of the VPN server, I can see the same packets with the source IP of the OpenVPN server instead of the tunnel IP of that VPN user. Any ideas which parameter to check?
-
MariusMatutiae almost 9 years
@Hans Have you looked at the output of
iptables -t nat -L -n -v
on the OpenVPN server?
-
MariusMatutiae almost 9 years
@Hans Please re-read my post for new info.
-
Hans almost 9 years
Thank you, I did not check iptables -t nat -L -n -v, only iptables -L (as I usually do), and it did not show the nat table (-t nat). Now I found the rule that was present; then I searched in /etc for where this is configured and found that the guy had added it to /etc/rc.local. I removed the nat rule (iptables -t nat -F) and now tcpdump shows the traffic as expected :)