NAT client side

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

christiannan
OpenVpn Newbie
Posts: 2
Joined: Mon Nov 08, 2010 4:13 am

NAT client side

Post by christiannan » Mon Nov 08, 2010 5:27 am

Hi,

I have a basic working configuration where clients can connect to the server and gain access to IPs on the network the server is on. So far, so good, it's plain vanilla.

I have one central network at my own office (192.168.200.0/24). I have one machine being the OpenVPN server at 192.168.200.31, with UDP VPN accessible from the Internet.

I have customers with their own networks (all manner of private networks, 192.168.x.x, 10.x.x.x, ...).

My goal:

1. I want to connect all those networks to mine via a VPN solution (from a box I put at the customer premises) and allow my own hosts (from my network) to talk to devices on each customer's network.
2. I do not want/cannot make any routing changes on the customer's network (all default traffic goes through their regular firewall to the Internet).
3. To simplify things, I'm assuming none of my present or future customers uses 192.168.200.0/24 for their internal network.

I would think that having my own core router know about the routes to my customers' networks to point to the OpenVPN gateway would be enough to get packets to the appropriate client's network. It's going to be a big routing table but nothing out of the ordinary (we're not talking about heavy traffic).

The problem with routing packets back to my network is that all the hosts (or even just the core router) at *all* my clients would need to know about my own network's route, which contradicts point #2 above.

The solution on paper would be to make packets coming from my network and exiting the VPN client on its eth0 port to *appear* to come from the VPN client, and not my network. This way the traffic would be local to the customer network and no routing would be necessary. This would mean NATing traffic out of the VPN client to the customer's network IP space.

I'm just not sure how to go about implementing this solution with iptables.

My first problem is that I can't even ping the VPN client's eth0 interface (192.168.100.112) from the VPN server (192.168.200.31). I can ping the tun0 interface (5.4.0.2) with no problem.

I guess once that hurdle is passed then I will add a static route (route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.200.31 metric 101) to another host on my network and see if that host can ping 192.168.100.112 (eth0 on the VPN client).

Then and only then can I tackle the NATing problem so that packets coming from tun0 on the VPN client and destined for 192.168.100.0/24 will exit eth0 as coming from 192.168.100.112.

Any help with this would be greatly appreciated,
Thanks,

Christian

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: NAT client side

Post by krzee » Tue Nov 16, 2010 9:19 am

My first problem is that I can't even ping the VPN client's eth0 interface (192.168.100.112) from the VPN server (192.168.200.31). I can ping the tun0 interface (5.4.0.2) with no problem.
https://www.secure-computing.net/wiki/index.php/OpenVPN
see the settings that are for the clients, basically you will need iroute in a ccd entry (on the server, specific to the client), and a route entry for the server config (do not push these routes since you do not want them adding routes for each other)
then you will push route for the server lan

all machines running openvpn for this purpose (server and clients) will need ip forwarding enabled.

I call this method of bypassing proper routing the "nat hack", and am usually against using it... but you seem to have found a rather valid reason for it.
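The steps above (iroute in the client's ccd file, a route entry in server.conf, pushing only the office LAN, IP forwarding on both ends) and the client-side NAT Christian asked about, gathered into one script. This is an added example, not code from the thread or from the OpenVPN project; the addresses are the ones from the thread, while the interface names tun0/eth0, the client name "customer1" and the use of MASQUERADE (rather than a fixed SNAT to 192.168.100.112) are assumptions. It also performs the overlap check implied by point #3 of the original post and, in dry-run mode, prints the commands instead of executing them.

```sh
#!/bin/sh
# Added example: client-side "nat hack" for an OpenVPN site-to-site link plus
# the server-side routing fragments. Interface names and the client name are
# assumed; addresses come from the thread.

OFFICE_LAN="192.168.200.0/24"   # network behind the OpenVPN server
CUSTOMER_LAN="192.168.100.0/24" # network behind this VPN client
VPN_IF="tun0"                   # tunnel interface on the client (assumed)
LAN_IF="eth0"                   # interface facing the customer LAN (assumed)

# Dotted quad -> 32-bit integer (runs in a subshell so IFS stays untouched).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# "a.b.c.d/len" -> "a.b.c.d  x.x.x.x" as OpenVPN's route/iroute directives expect.
cidr_to_mask() {
    plen=${1#*/}
    echo "${1%/*} $(int2ip $(( (1 << 32) - (1 << (32 - plen)) )))"
}

# Exit 0 if the two CIDR blocks share any address, 1 otherwise.
cidr_overlap() {
    a=$(ip2int "${1%/*}"); alen=${1#*/}
    b=$(ip2int "${2%/*}"); blen=${2#*/}
    plen=$alen
    if [ "$blen" -lt "$plen" ]; then plen=$blen; fi
    mask=$(( (1 << 32) - (1 << (32 - plen)) ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# Print a command; execute it too only when APPLY=1 (needs root on the client).
run() {
    echo "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# Server side: static route for the customer LAN in server.conf and an iroute
# in the per-client ccd file. Only the office LAN is pushed, so customers never
# learn routes to each other.
server_conf_lines() {
    printf 'client-config-dir ccd\n'
    printf 'route %s\n' "$(cidr_to_mask "$CUSTOMER_LAN")"
    printf 'push "route %s"\n' "$(cidr_to_mask "$OFFICE_LAN")"
}
ccd_entry() {
    printf 'iroute %s\n' "$(cidr_to_mask "$CUSTOMER_LAN")"
}

# Client side: forwarding on, office hosts may initiate toward the customer
# LAN, the customer LAN only gets replies back through the tunnel, and source
# NAT makes office packets leave eth0 with the client's own address so no
# customer host needs a route to 192.168.200.0/24.
client_nat_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$OFFICE_LAN" -d "$CUSTOMER_LAN" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -j DROP
    run iptables -t nat -A POSTROUTING -s "$OFFICE_LAN" -o "$LAN_IF" -j MASQUERADE
}

main() {
    if cidr_overlap "$OFFICE_LAN" "$CUSTOMER_LAN"; then
        echo "refusing: $CUSTOMER_LAN overlaps office network $OFFICE_LAN" >&2
        return 1
    fi
    echo "# --- server.conf fragment ---";  server_conf_lines
    echo "# --- ccd/customer1 (assumed client name) ---"; ccd_entry
    echo "# --- client-side commands (APPLY=1 to execute) ---"; client_nat_rules
}
main
```

Run it as-is to see the fragments and commands; run it with `APPLY=1` as root on the client box to install the rules. The explicit DROP on eth0-to-tun0 traffic is what keeps the "nat hack" one-directional: the customer LAN cannot open connections into the office network through the tunnel, which is the exposure this shortcut would otherwise create.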

christiannan
OpenVpn Newbie
Posts: 2
Joined: Mon Nov 08, 2010 4:13 am

Re: NAT client side

Post by christiannan » Tue Nov 16, 2010 2:48 pm

Thank you krzee. I will try this method in the coming weeks and post back my results.
