VPN client internet traffic originates with Access Server IP

[bickyz]

Hi, I have Access Server behind firewall/web filtering appliance.
We have web filtering rules that applies to all the users/workstations except to the servers which get unfiltered access.

Access Server setup with "Yes using Routing" option. It has also been setup to tunnel the network & internet traffic to the company LAN.
For some reason vpn client internet access is not getting filtered, traffic on web filtering system see them as coming from the Access Server (like in NAT mode). Have I not setup something correctly ? Any help would be much appreciated, thank you.

[openvpn_inc]

Hello,

From your description it is not 100% clear to me what you were trying to achieve exactly, but what I understood from you is that you gave access to some resources in Access Server via 'use routing', but you are seeing Internet traffic from your VPN clients being NATted to the IP of your Access Server. That is normal - the Access Server assumes that in order for the VPN client traffic to go on the Internet, that traffic will need to be NATted, since private IP addresses in a source header on a packet travelling on the Internet will most likely be stripped away since it's not routable. If somehow you have systems set up that will take care of the NATting for the VPN client IP address range later on in your network you could consider disabling NAT.

If you want to you can disable this default NAT functionality of AS:
cd /usr/local/openvpn_as/scripts
./sacli --key "vpn.server.nat" --value "false" ConfigPut
./sacli start

Good luck,
Johan