OpenVPN and reflection (hairpin) NAT

Hi! Could someone help me with the following problem. I have some sources that have destination NAT rules on the external interface. I wrote reflection NAT rules for the internal network and everything works fine. But with OpenVPN the same rules don't work.
Rule “NAT Reflection: INSIDE” works, but rule “NAT Reflection: OpenVPN” doesn't work.

 rule 200 {
     description "NAT Reflection: INSIDE"
     destination {
         address 10.10.10.0/24
     }
     outbound-interface eth0
     source {
         address 10.10.10.0/24
     }
     translation {
         address masquerade
     }
 }

 rule 210 {
     description "NAT Reflection: OpenVPN"
     destination {
         address 172.16.0.0/24
     }
     outbound-interface vtun0
     source {
         address 172.16.0.0/24
     }
     translation {
         address masquerade
     }
 }

Hi, in rule 210 you use vtun0 as the outbound interface, so the address of vtun0 would be used as the masquerade address.

I think eth0 is your WAN interface?

On rule 210, both source and destination are on the same subnet, which looks very suspicious to me.

No, my WAN interface is eth1.
I only copied the reflection NAT rule for the internal network, which was copied from the docs and works fine, but I don't understand this syntax for NAT rules :frowning:

It's just a copy from the documentation.

The masquerade rules work like this:
- if a packet leaves on the outbound interface and matches the filter rules, change its source IP address into the outbound interface IP
Those matches are peculiar, as both the original source and destination address must be in the same subnet.
Post your full config.
Sniffing packets using tcpdump on eth0 and vtun0 might show what happens.

You use this example from the docs, the hairpin part?

Is it possible to provide your full config? Or if not, at minimum the full interface, routing, and NAT config.

Yes, that example.
My configs for interfaces, routing and NAT:

show interfaces

 ethernet eth0 {
     address 192.168.0.1/24
     description INSIDE
     firewall {
     }
 }
 ethernet eth1 {
     address 123.123.123.158/30
     description OUTSIDE
     firewall {
         in {
             name OUTSIDE-IN
         }
         local {
             name OUTSIDE-LOCAL
         }
     }
 }
 loopback lo {
 }
 openvpn vtun0 {
     mode server
     protocol tcp-passive
     server {
         domain-name corp.9-lab.com
         name-server 192.168.0.1
         push-route 192.168.0.0/24
         push-route 123.123.123.158/32
         subnet 172.16.0.0/24
     }
     tls {
         ca-cert-file
         cert-file
         dh-file
         key-file
     }
 }

show nat source

 rule 100 {
     outbound-interface eth1
     source {
         address 192.168.0.0/24
     }
     translation {
         address masquerade
     }
 }
 rule 200 {
     description "NAT Reflection: INSIDE"
     destination {
         address 192.168.0.0/24
     }
     outbound-interface eth0
     source {
         address 192.168.0.0/24
     }
     translation {
         address masquerade
     }
 }
 rule 210 {
     description "NAT Reflection: OpenVPN"
     destination {
         address 172.16.0.0/24
     }
     outbound-interface vtun0
     source {
         address 172.16.0.0/24
     }
     translation {
         address masquerade
     }
 }
 rule 300 {
     outbound-interface eth1
     source {
         address 172.16.0.0/24
     }
     translation {
         address masquerade
     }
 }

show nat destination

 rule 10 {
     description "Port Forward: HTTP"
     destination {
         port 80
     }
     inbound-interface eth1
     protocol tcp
     translation {
         address 192.168.0.10
     }
 }
 rule 11 {
     description "Port Forward: HTTP"
     destination {
         address 123.123.123.158
         port 80
     }
     inbound-interface eth0
     protocol tcp
     translation {
         address 192.168.0.10
     }
 }
 rule 12 {
     description "Port Forward: HTTP"
     destination {
         address 123.123.123.158
         port 80
     }
     inbound-interface vtun0
     protocol tcp
     translation {
         address 192.168.0.10
     }
 }

show protocols static route

 route 0.0.0.0/0 {
     next-hop 123.123.123.157 {
         distance 1
     }
 }

What traffic do you want to NAT for? As the rule is configured, it only matches for traffic from one OpenVPN client to another OpenVPN client. This traffic should already work without the NAT rule.

On the LAN interface, this reflection rule is required for hairpin. You try to do the same for OpenVPN clients, see NAT destination rule 12. But that isn’t hairpin, as the packet enters on vtun and leaves on the LAN interface.

Your problem: OpenVPN clients automatically add a /32 route for the OpenVPN server. You’re trying to push a route to the same address, which isn’t accepted…I hope.

And if it does get accepted, it will break the VPN on the client, sending already tunneled traffic into the tunnel endlessly.
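To make the rule matching in the reply above concrete, here is an added example (not from the thread or from VyOS itself): a small Python model of the poster's DNAT rules 10-12 and SNAT rules 100-300, with the routing table and interface addresses reconstructed from the posted config. The vtun0 server address 172.16.0.1 is an assumption, as the config does not show it.

```python
from ipaddress import ip_address, ip_network

# Constructed from the posted config: which interface a destination is routed out of.
ROUTES = {"192.168.0.0/24": "eth0", "172.16.0.0/24": "vtun0", "0.0.0.0/0": "eth1"}
# Masquerade picks the outbound interface address; vtun0's 172.16.0.1 is an assumption.
IF_ADDR = {"eth0": "192.168.0.1", "eth1": "123.123.123.158", "vtun0": "172.16.0.1"}
WAN_IP = "123.123.123.158"

# DNAT rules 10-12: (inbound iface, dst addr or None = any, dst port, translated dst)
DNAT = [
    ("eth1", None, 80, "192.168.0.10"),
    ("eth0", WAN_IP, 80, "192.168.0.10"),
    ("vtun0", WAN_IP, 80, "192.168.0.10"),
]
# SNAT rules 100-300: (rule number, outbound iface, src net, dst net or None = any)
SNAT = [
    (100, "eth1", "192.168.0.0/24", None),
    (200, "eth0", "192.168.0.0/24", "192.168.0.0/24"),
    (210, "vtun0", "172.16.0.0/24", "172.16.0.0/24"),
    (300, "eth1", "172.16.0.0/24", None),
]

def route(dst):
    """Longest-prefix match over the constructed routing table."""
    best = max((n for n in ROUTES if ip_address(dst) in ip_network(n)),
               key=lambda n: ip_network(n).prefixlen)
    return ROUTES[best]

def trace(in_if, src, dst, dport):
    """Walk a packet through DNAT, routing and SNAT in that order.
    Returns (dnat rule hit, outbound iface, snat rule hit, final src, final dst)."""
    new_dst, dnat_hit = dst, None
    for num, (iface, addr, port, target) in enumerate(DNAT, start=10):
        if iface == in_if and port == dport and (addr is None or addr == dst):
            new_dst, dnat_hit = target, num
            break
    out_if = route(new_dst)          # routing happens on the translated destination
    new_src, snat_hit = src, None
    for num, iface, snet, dnet in SNAT:
        if iface != out_if or ip_address(src) not in ip_network(snet):
            continue
        if dnet and ip_address(new_dst) not in ip_network(dnet):
            continue
        new_src, snat_hit = IF_ADDR[out_if], num
        break
    return dnat_hit, out_if, snat_hit, new_src, new_dst

if __name__ == "__main__":
    print("LAN hairpin :", trace("eth0", "192.168.0.50", WAN_IP, 80))
    print("VPN client  :", trace("vtun0", "172.16.0.5", WAN_IP, 80))
    print("VPN to VPN  :", trace("vtun0", "172.16.0.5", "172.16.0.6", 22))
```

The LAN hairpin case hits DNAT 11 and then SNAT 200 on eth0, while the OpenVPN client case hits DNAT 12, is routed out eth0 and matches no SNAT rule at all; rule 210 only fires for traffic between two VPN clients.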

“What traffic do you want to NAT for?” - I want to NAT HTTP traffic from the IP of the NAT interface to the OpenVPN LAN.
“But that isn’t hairpin” - Yes, I understand it and deleted rule 210.
“OpenVPN clients automatically add a /32 route for the OpenVPN server” - No, OpenVPN doesn't add this route, and traffic to the IP of the OpenVPN server goes through the client's default route, through the internet.
For a test I added a second IP to the WAN interface, added NAT rules and a push-route on the OpenVPN server, and everything works fine.
I have no idea how to solve this.

Just tested on an OpenVPN setup, and indeed I don’t see such a /32 route added to the client routing table. Although I’m pretty sure I have seen such a route on a VPN client (OpenVPN??) previously.
Maybe you do get such a route when a new default route is pushed through the tunnel.

Anyway, the /32 route you’re trying to push isn’t acceptable, as it would break the VPN tunnel itself.

But… how does it work on my old simple hardware router?
I set up OpenVPN and had access to the WAN IP from the OpenVPN network without any problem…
I don’t understand, sorry.

Are you sure access to the WAN IP uses the OpenVPN tunnel?
A sniffer will tell.

I'm sure, but it was on the old router, which is broken now :frowning:
I'm sure, because the firewall rules on that router deny access to all ports from the internet, but when I added a route to the WAN IP in the OpenVPN network I had access to the ports I needed.

Why not simply access the internal device on its internal IP address? That's what VPNs were made for to begin with.

Because we have some services that are configured with the domain name and external IP address.

Hey,

Any news on your problem?
Was the old router also VyOS? If yes, in which version?

When I have some time in the next days I will test this in my lab.

Hi @thorvaldr,

I tried it a little bit, but I can’t get your setup 100% emulated.

I have one problem with openvpn vtun0 server push-route 123.123.123.158/32.

With this route I don’t get a VPN tunnel open, because this is also the listen IP of the OpenVPN server.
Without it, I don’t need a hairpin NAT rule for OpenVPN and everything worked. I can reach the service behind the SNAT from the OpenVPN client and from a client in the same subnet via the external IP.

So do you need this push-route option?