[Openvpn-users] OpenVPN server behind NAT firewall?
Adam Funk
16 years ago
I'm trying to set up an OpenVPN server on a machine behind a NAT
router, with VPN client addresses in a 192.168.x.y range that is a
subset of the general range used on the LAN, so I can open the correct
UDP port on the router and connect with a client on the WAN side ("the
internet").

Before I go into more detailed debugging, is this a reasonable thing
to do (that I should be able to get working) or is it doomed?
Eero Volotinen
16 years ago
Post by Adam Funk
I'm trying to set up an OpenVPN server on a machine behind a NAT
router, with VPN client addresses in a 192.168.x.y range that is a
subset of the general range used on the LAN, so I can open the correct
UDP port on the router and connect with a client on the WAN side ("the
internet").
OpenVPN server (and client) works fine behind NAT; the only requirement is
to forward one TCP or UDP port to the OpenVPN server. In client mode, a port
forward is of course not required.

If I understand correctly, you are using a 192.168.x.y range on the OpenVPN
tun interface? It is simpler to use a 10.x.x.x address on the tun interface
and modify the address using simple SNAT/MASQ. (Using the same address range
on the tun/tap interface usually messes up the routing table, at least in
routing mode.)


thanks,
--
Eero,
RHCE
Adam Funk
16 years ago
Post by Eero Volotinen
Post by Adam Funk
I'm trying to set up an OpenVPN server on a machine behind a NAT
router, with VPN client addresses in a 192.168.x.y range that is a
subset of the general range used on the LAN, so I can open the correct
UDP port on the router and connect with a client on the WAN side ("the
internet").
OpenVPN server (and client) works fine behind NAT; the only requirement is
to forward one TCP or UDP port to the OpenVPN server. In client mode, a port
forward is of course not required.
OK, that's what I thought. (I'll come back later with more details
about what is and isn't working.)
Post by Eero Volotinen
If I understand correctly, you are using a 192.168.x.y range on the OpenVPN
tun interface? It is simpler to use a 10.x.x.x address on the tun interface
and modify the address using simple SNAT/MASQ. (Using the same address range
on the tun/tap interface usually messes up the routing table, at least in
routing mode.)
The NAT router is a hardware one (rather than a box running
Smoothwall, for example). I don't think I have options on the router
to do what you suggest.
e***@welho.com
16 years ago
Post by Adam Funk
Post by Eero Volotinen
If I understand correctly, you are using a 192.168.x.y range on the OpenVPN
tun interface? It is simpler to use a 10.x.x.x address on the tun interface
and modify the address using simple SNAT/MASQ. (Using the same address range
on the tun/tap interface usually messes up the routing table, at least in
routing mode.)
The NAT router is a hardware one (rather than a box running
Smoothwall, for example). I don't think I have options on the router
to do what you suggest.
Well, you need to set up static routes on the main router box.
Or you can use NAT rules on the OpenVPN box to make things "simpler".

This depends on configurations; some people usually prefer using SNAT
on the OpenVPN box, since it makes things easier.

--
Eero
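
The two options discussed in this thread, as an added example that is not part of the original posts: a small Python check that rejects a tunnel pool overlapping the LAN and, for a non-overlapping pool, lists the OpenVPN `server`/`push "route"` directives plus either the static route for the router or the MASQUERADE rule for the OpenVPN box. The function name, the `eth0` interface and all addresses are assumptions chosen for illustration.

```python
import ipaddress


def plan_vpn_routing(lan_cidr, vpn_cidr, server_lan_ip, lan_iface="eth0"):
    """Validate a tunnel pool against the LAN, then list both return-path fixes."""
    lan = ipaddress.ip_network(lan_cidr)
    vpn = ipaddress.ip_network(vpn_cidr)
    server = ipaddress.ip_address(server_lan_ip)
    if server not in lan:
        raise ValueError(f"{server} is not an address on the LAN {lan}")
    if lan.overlaps(vpn):
        # LAN hosts would treat VPN clients as on-link neighbours and never
        # send their replies to the OpenVPN box, so routed mode breaks.
        return {"ok": False, "reason": f"tunnel pool {vpn} overlaps LAN {lan}"}
    return {
        "ok": True,
        # OpenVPN server.conf directives: tunnel pool plus the LAN route for clients.
        "server_conf": [
            f"server {vpn.network_address} {vpn.netmask}",
            f'push "route {lan.network_address} {lan.netmask}"',
        ],
        # Needed on the OpenVPN box for either option.
        "forwarding": "sysctl -w net.ipv4.ip_forward=1",
        # Option 1: static route entered on the NAT router.
        "static_route": {
            "destination": str(vpn.network_address),
            "netmask": str(vpn.netmask),
            "gateway": str(server),
        },
        # Option 2: hide VPN clients behind the server's LAN address instead.
        "masquerade": f"iptables -t nat -A POSTROUTING -s {vpn} -o {lan_iface} -j MASQUERADE",
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for pool in ("192.168.1.128/25", "10.8.0.0/24"):
        print(pool, plan_vpn_routing("192.168.1.0/24", pool, "192.168.1.10"))
```

With the MASQUERADE option the LAN hosts see all VPN traffic as coming from the server's LAN address, so per-client source addresses are not available in their logs.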
