OpenVPN without NAT


OpenVPN server will function perfectly with or without NAT/PAT. The problem lies with the machines receiving the packets from the 10.1.1.0/24 subnet; they do not know how to reply, as they do not have a route for it (and each machine's software firewall may also need to allow the 10.1.1.0/24 subnet specifically). Add a static route on the destination machines for the 10.1.1.0/24 subnet.
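The following is an added example, not code from the answer above or from OpenVPN itself. It models the "no return route" failure the answer describes with a kernel-style longest-prefix lookup over constructed routing tables, and emits the server-side configuration (forwarding between tun0 and eth0 with no MASQUERADE) plus the static route and host-firewall exception the answer asks for. The subnets come from the question's comments (10.1.1.0/24 on tun0, 192.168.10.0/24 services network on VLAN 10, server eth0 on VLAN 20); the server's eth0 address 192.168.20.2 and the router addresses 192.168.10.1 / 192.168.20.1 are assumptions, as the page gives none. It also shows, for that VLAN layout, that a per-host static route is only usable where the server's eth0 address is on-link; a host on VLAN 10 cannot use it, so there the route has to live on the router.

```python
"""Added example: not code from the original answer or from OpenVPN itself.

Models why replies from the services network never come back to 10.1.1.0/24 when
OpenVPN forwards without NAT, and emits the server-side and return-route commands
for the topology described in the question's comments:

  tun0     10.1.1.0/24      client addresses handed out by server.conf
  eth0     VLAN 20          OpenVPN server inside interface (192.168.20.2 is assumed)
  VLAN 10  192.168.10.0/24  services network behind the router

Router addresses 192.168.10.1 / 192.168.20.1 are assumptions; the page gives none.
"""
import ipaddress

VPN_SUBNET = ipaddress.ip_network("10.1.1.0/24")
SERVICES_SUBNET = ipaddress.ip_network("192.168.10.0/24")
VPN_SERVER_ETH0 = ipaddress.ip_address("192.168.20.2")            # assumed
ROUTER_ADDRS = {ipaddress.ip_address("192.168.10.1"),             # assumed, VLAN 10 side
                ipaddress.ip_address("192.168.20.1")}             # assumed, VLAN 20 side

# Constructed routing tables: (prefix, gateway); gateway None means on-link.
HOST_VLAN10 = [("192.168.10.0/24", None), ("0.0.0.0/0", "192.168.10.1")]
HOST_VLAN20 = [("192.168.20.0/24", None), ("0.0.0.0/0", "192.168.20.1")]
ROUTER_BARE = [("192.168.10.0/24", None), ("192.168.20.0/24", None)]
ROUTER_FIXED = ROUTER_BARE + [("10.1.1.0/24", "192.168.20.2")]
ROUTER_UPSTREAM = ROUTER_BARE + [("203.0.113.0/30", None), ("0.0.0.0/0", "203.0.113.1")]
RETURN_ROUTE = ("10.1.1.0/24", "192.168.20.2")


def next_hop(routes, dst):
    """Longest-prefix match, as the kernel does it.

    Returns the gateway to hand the packet to (dst itself when on-link), or None
    when no route matches or the chosen gateway is not itself on-link, in which
    case the route cannot be used at all."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        return None
    if best[1] is None:
        return dst
    gw = ipaddress.ip_address(best[1])
    on_link = [ipaddress.ip_network(p) for p, via in routes if via is None]
    return gw if any(gw in n for n in on_link) else None


def reply_path(host_routes, router_routes, vpn_client):
    """Where a services host's reply to a VPN client ends up."""
    hop = next_hop(host_routes, vpn_client)
    if hop is None:
        return "unroutable-on-host"     # no route, or its gateway is not on-link
    if hop == VPN_SERVER_ETH0:
        return "direct"                 # host sits on VLAN 20 and has its own route
    if hop not in ROUTER_ADDRS:
        return "misdirected"
    rhop = next_hop(router_routes, vpn_client)
    if rhop == VPN_SERVER_ETH0:
        return "via-router"             # router knows 10.1.1.0/24 lives behind eth0
    if rhop is None:
        return "dropped-at-router"      # the missing-route failure in the answer
    return "leaked-upstream"            # router's default route sends it off-site


def server_side_commands():
    """server.conf lines and forwarding rules for the OpenVPN box: no MASQUERADE."""
    return [
        f"server {VPN_SUBNET.network_address} {VPN_SUBNET.netmask}",
        f'push "route {SERVICES_SUBNET.network_address} {SERVICES_SUBNET.netmask}"',
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -A FORWARD -i tun0 -o eth0 -s {VPN_SUBNET} -d {SERVICES_SUBNET} -j ACCEPT",
        f"iptables -A FORWARD -i eth0 -o tun0 -d {VPN_SUBNET} "
        "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]


def return_route_commands():
    """The static route the answer asks for, plus the host-firewall exception it
    mentions (the INPUT rule is for Linux destination hosts, not the router)."""
    return [
        f"ip route add {VPN_SUBNET} via {VPN_SERVER_ETH0}",
        f"iptables -I INPUT -s {VPN_SUBNET} -j ACCEPT",
    ]


if __name__ == "__main__":
    c = "10.1.1.5"
    print("router lacks route:     ", reply_path(HOST_VLAN10, ROUTER_BARE, c))
    print("router has route:       ", reply_path(HOST_VLAN10, ROUTER_FIXED, c))
    print("router default upstream:", reply_path(HOST_VLAN10, ROUTER_UPSTREAM, c))
    print("VLAN10 host, own route: ", reply_path(HOST_VLAN10 + [RETURN_ROUTE], ROUTER_BARE, c))
    print("VLAN20 host, own route: ", reply_path(HOST_VLAN20 + [RETURN_ROUTE], ROUTER_BARE, c))
    print("\n".join(server_side_commands() + return_route_commands()))
```

The "leaked-upstream" case is worth noticing in practice: when the router has a default route but no entry for 10.1.1.0/24, replies to VPN clients do not just fail, they are forwarded toward the upstream link, which is one more reason to install the return route on the router (or on each destination host that has the server's eth0 on-link) rather than fall back to masquerading.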

Author: jjmil03

Updated on September 18, 2022

Comments

  • jjmil03
    jjmil03 over 1 year

    I'm trying to figure out how to route OpenVPN clients without using NAT/PAT. What I want to do is to route the IP address that they are assigned when clients authenticate to the OpenVPN server to the network (in the server.conf file). My OpenVPN server is directly connected to my gateway. I don't want it masquerading, as that makes it hard to track down individual clients by IP and causes other issues. I'm sure it's probably something that I need to do in iptables, but I'm at a loss for how to do it. Any help would be appreciated.

    OP clarifies

    "I want the IP that the server.conf is giving out to the clients to traverse the inside of my network - I might have confused some by suggesting that I don't want that IP address to work...if so I apologize. What I want is to not have to PAT between the tun0 interface and the inside interface of my OpenVPN server. I want each client to have their own IP address inside the network, not the IP address of the inside interface of the server."

    Here is a diagram (added by barlop; image not reproduced here)

    • barlop
      barlop over 8 years
      I'm no expert, but isn't the point of a VPN that it's private, and part of the way it's private is by using a private IP range doing NAPT (NAT/PAT)? You may be right that it's possible, but could you elaborate perhaps? I'm curious. You may be right, and the way it's private has nothing to do with NAT/PAT blocking incoming, but is done by a firewall blocking incoming.
    • barlop
      barlop over 8 years
      Why don't you try it? The VPN server could give out public IP addresses. Then see if the computer given a public IP address by the VPN is (via that IP) inaccessible by any computer not connected to the VPN. But if you do that, I'm not sure if it's really a public IP. You could try it, then connect from computer A inside the VPN to a computer (B) you control that is outside the VPN, and see at B what the source IP is.
    • jjmil03
      jjmil03 over 8 years
      I'm not trying to re-route to the internet or anything like that. I have a scope of user IP addresses (let's say 10.1.1.0/24) that can pass through my network to the resources that the clients are allowed to access (let's say on the 192.168.10.0 network). I'm trying to use that range of user IP addresses inside of my network to access internal resources (the VPN does not redirect out to the internet). The OpenVPN server is not my gateway - I want to push all the traffic coming into the OpenVPN server to my gateway, without the NAT/PAT going on. Make sense?
    • barlop
      barlop over 8 years
      No, I don't understand. I don't understand what "pass through my network" means, and I don't understand what "resources that the clients are allowed to access" means. And I don't know whether you are calling 10 your network or 192 your network, or both.
    • barlop
      barlop over 8 years
      I'd note though that my notion of VPNs was incorrect. They don't block incoming at all. They can work without NAT as well. They just allow a computer to connect remotely, joining the subnet of the other computers on the VPN. The privacy is the encryption.
    • jjmil03
      jjmil03 over 8 years
      I have a "services network" of 192.168.10.0/24. I have other networks of which users have no business on. That network is connected to a router (VLAN 10). The router is also connected to the OpenVPN server inside interface eth0 on VLAN 20. The OpenVPN server is giving out 10.1.1.0/24 addresses to the clients that connect to it (interface tun0). It has an outside facing interface (eth1) that receives connections. I do not want the OpenVPN server to PAT those addresses to the inside address (eth0) - I want the OpenVPN server to forward the traffic to the router via eth0
    • jjmil03
      jjmil03 over 8 years
      The reason I don't want the PAT going on is because that user subnet (10.1.1.0/24) can route to another part of my network as well that the network is preconfigured for - so changing it would be really painful. I also want to be able to troubleshoot better - and seeing a server with 50 connections, all the same IP address from the OpenVPN server, would be a nightmare. If each client has their own IP, it simplifies the process.
    • barlop
      barlop over 8 years