Hi! Could someone help me with the following problem. I have some sources that have destination NAT rules on the external interface. I wrote rules for reflection NAT for the internal network and everything works fine. But with OpenVPN the same rules don't work.
Rule “NAT Reflection: INSIDE” and rule “NAT Reflection: OpenVPN” don't work.
No, my WAN interface is eth1.
I only copied the reflection NAT rule for the internal network, which was copied from the docs and works fine, but I don't understand this syntax for NAT rules.
The masquerade rules work like this:
- if a packet leaves on the outbound interface and matches the filter rules, change its source IP address into the outbound interface IP.
Those matches are peculiar, as both the original source and destination address must be in the same subnet.
Post full config.
Sniffing packets using tcpdump on eth0 and vtun0 might show what happens.
What traffic do you want to NAT for? As the rule is configured, it only matches traffic from one OpenVPN client to another OpenVPN client. This traffic should already work without the NAT rule.
On the LAN interface, this reflection rule is required for hairpin. You try to do the same for OpenVPN clients, see NAT destination rule 12. But that isn't hairpin, as the packet enters on vtun and leaves on the LAN interface.
Your problem: OpenVPN clients automatically add a /32 route for the OpenVPN server. You're trying to push a route to the same address, which isn't accepted… I hope.
And if it does get accepted, it will break the VPN on the client, sending already-tunneled traffic into the tunnel endlessly.
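The difference the two replies above describe (hairpin on the LAN needs a DNAT rule plus a masquerade rule; the OpenVPN side only ever needs the DNAT half) as an added example in VyOS `set` syntax. This is not configuration from the thread or from the VyOS documentation; the interface roles follow the poster (eth1 = WAN, eth0 = LAN, vtun0 = OpenVPN), and the addresses 203.0.113.10 (WAN), 192.168.1.0/24 (LAN), 192.168.1.80 (web server) and 10.8.0.0/24 (OpenVPN client pool), as well as the rule numbers, are assumptions. The syntax is the 1.2/1.3 form; newer releases nest the interface under `inbound-interface name` / `outbound-interface name`.

```text
# --- Port forward from the internet (the poster's existing WAN rule, unchanged) ---
set nat destination rule 10 description 'Port Forward: HTTP to 192.168.1.80'
set nat destination rule 10 inbound-interface 'eth1'
set nat destination rule 10 destination address '203.0.113.10'
set nat destination rule 10 destination port '80'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '192.168.1.80'

# --- Hairpin for LAN clients: the packet enters eth0 and must leave eth0 again ---
# 1) DNAT: rewrite the WAN address to the server, same as rule 10 but for eth0.
set nat destination rule 20 description 'NAT Reflection: INSIDE'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 destination address '203.0.113.10'
set nat destination rule 20 destination port '80'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.168.1.80'
# 2) Masquerade: source NAT is evaluated after DNAT, so source and (translated)
#    destination are both inside 192.168.1.0/24. Without this rule the server
#    would answer the LAN client directly, the reply would never pass the router's
#    conntrack entry, the client would see a reply from 192.168.1.80 instead of
#    203.0.113.10, and the TCP handshake would fail.
set nat source rule 20 description 'NAT Reflection: INSIDE'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '192.168.1.0/24'
set nat source rule 20 destination address '192.168.1.0/24'
set nat source rule 20 protocol 'tcp'
set nat source rule 20 translation address 'masquerade'

# --- OpenVPN clients: the packet enters vtun0 and leaves eth0, so it is not a hairpin ---
# Only the DNAT half applies. No masquerade rule is needed: the server's reply to
# 10.8.0.x has to come back through this router anyway (assuming the server routes
# 10.8.0.0/24 via the router, normally its default gateway), so the conntrack
# entry is matched on the way out and the reply is un-DNATed correctly.
set nat destination rule 30 description 'NAT Reflection: OpenVPN'
set nat destination rule 30 inbound-interface 'vtun0'
set nat destination rule 30 destination address '203.0.113.10'
set nat destination rule 30 destination port '80'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address '192.168.1.80'
# Caveat from the thread: rule 30 only sees traffic if the client routes
# 203.0.113.10 into the tunnel. Pushing 203.0.113.10/32 is not an option when that
# is also the address the OpenVPN server listens on, because the tunnel would then
# be routed into itself. A second WAN address that is not the OpenVPN endpoint,
# as the poster tried, can be pushed and used as the DNAT target instead.
```

To see which half is firing, use the check suggested earlier in the thread: `tcpdump -ni vtun0 tcp port 80` should show the request arriving with destination 203.0.113.10, and `tcpdump -ni eth0 tcp port 80` should show the same packet leaving with destination 192.168.1.80 and its 10.8.0.x source untouched. If nothing appears on vtun0 at all, the client is sending the request via its default route over the internet rather than through the tunnel, which is the situation the original poster describes.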
“What traffic do you want to NAT for?” - I want to NAT HTTP traffic from the IP of the NAT interface to the OpenVPN LAN. “But that isn't hairpin” - Yes, I understand it and deleted rule 210. “OpenVPN clients automatically add a /32 route for the OpenVPN server” - No, OpenVPN doesn't add this route, and traffic to the IP of the OpenVPN server goes through the client's default route, through the internet.
For a test I added a second IP to the WAN interface, added NAT rules and a push route on the OpenVPN server, and everything works fine.
I have no idea how I can solve this.
Just tested on an OpenVPN setup, and indeed I don't see such a /32 route added to the client routing table. Although I'm pretty sure I have seen such a route on a VPN client (OpenVPN??) previously.
Maybe you do get such a route when a new default route is pushed through the tunnel.
Anyway, the /32 route you're trying to push isn't acceptable, as it would break the VPN tunnel itself.
But… how does it work on my old simple hardware router?
I set up OpenVPN and have access to the WAN IP from the ovpn network without any problem…
Don’t understand, sorry.
I'm sure, but it was on the old router, which is broken now.
I'm sure, because firewall rules on that router deny access to all ports from the internet, but when I added a route in the OpenVPN network to the WAN IP I had access to the ports which I needed.
I tried it a little bit. But I can't get your setup 100% emulated.
I have one problem with the OpenVPN vtun0 server push-route 123.123.123.158/32:
with this route I don't get a VPN tunnel open, because this is also the listen IP of the OpenVPN server.
Without it, I don't need a hairpin NAT rule for OpenVPN and everything worked. I get the service behind the SNAT from the OpenVPN client and from the client in the same subnet via the external IP.