Hi, I have Access Server behind a firewall/web filtering appliance.
We have web filtering rules that apply to all the users/workstations except the servers, which get unfiltered access.
Access Server is set up with the "Yes using Routing" option. It has also been set up to tunnel the network & internet traffic to the company LAN.
For some reason VPN client internet access is not getting filtered; the web filtering system sees the traffic as coming from the Access Server (like in NAT mode). Have I not set up something correctly? Any help would be much appreciated, thank you.
VPN client internet traffic originates with Access Server IP
- openvpn_inc
- OpenVPN Inc.
Re: VPN client internet traffic originates with Access Server IP
Hello,
From your description it is not 100% clear to me what you were trying to achieve exactly, but what I understood from you is that you gave access to some resources in Access Server via 'use routing', but you are seeing Internet traffic from your VPN clients being NATted to the IP of your Access Server. That is normal - the Access Server assumes that in order for the VPN client traffic to go on the Internet, that traffic will need to be NATted, since private IP addresses in a source header on a packet travelling on the Internet will most likely be stripped away since they are not routable. If somehow you have systems set up that will take care of the NATting for the VPN client IP address range later on in your network, you could consider disabling NAT.
If you want to, you can disable this default NAT functionality of AS:
cd /usr/local/openvpn_as/scripts
./sacli --key "vpn.server.nat" --value "false" ConfigPut
./sacli start
Good luck,
Johan

Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
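
A check one could run after changing `vpn.server.nat`, added here as an example and not part of the original thread or of OpenVPN's tooling: it reads web-filter log lines and reports whether requests arrive with VPN client source addresses (routed) or only with the Access Server's own address (still NATted, so the server exemption applies). The addresses, the log format and the function names are assumptions.

```python
import ipaddress
from collections import Counter

# Assumed addressing (not from the thread); adjust to your deployment.
AS_HOST = ipaddress.ip_address("10.0.0.5")             # Access Server LAN IP
VPN_CLIENTS = ipaddress.ip_network("172.27.224.0/20")  # VPN client subnet

# Constructed web-filter log lines in the form "<time> <source-ip> <url>".
LOG_WITH_NAT = """\
10:00:01 10.0.0.5 http://example.com/
10:00:02 10.0.0.5 http://example.org/
10:00:03 10.0.0.21 http://example.net/
"""
LOG_ROUTED = """\
10:05:01 172.27.224.10 http://example.com/
10:05:02 10.0.0.5 http://example.org/
10:05:03 172.27.225.7 http://example.net/
"""

def classify_sources(log_text):
    """Count requests by origin: Access Server, VPN client subnet, other."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or truncated lines
        try:
            src = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # second field is not an IP address
        if src == AS_HOST:
            counts["access_server"] += 1
        elif src in VPN_CLIENTS:
            counts["vpn_client"] += 1
        else:
            counts["other"] += 1
    return counts

def nat_verdict(log_text):
    """Say how VPN client traffic appears to reach the web filter."""
    counts = classify_sources(log_text)
    if counts["vpn_client"]:
        return "routed"           # filter sees real client addresses
    if counts["access_server"]:
        return "possibly-natted"  # only the server address shows up
    return "no-vpn-traffic"

if __name__ == "__main__":
    for name, log in (("with NAT", LOG_WITH_NAT), ("routed", LOG_ROUTED)):
        print(name, nat_verdict(log), dict(classify_sources(log)))
```

With NAT off, the filtering appliance also needs a route back to the VPN client subnet via the Access Server, otherwise replies never reach the clients. Traffic from the Access Server's own address can still appear in the routed case, since the server itself also makes requests.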