client-nat - is this solution realistic?

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
kneel63
OpenVpn Newbie
Posts: 2
Joined: Wed Jan 09, 2019 11:06 pm

client-nat - is this solution realistic?

Post by kneel63 » Wed Jan 09, 2019 11:23 pm

I am trying to use the client-nat functions and not having much luck.
Scenario is that client is running behind a NATed connection with a dynamic IP. The IP assigned to the WAN interface can end up in the same IP space as the routed private network (in 10./8 space).
So my thought is to DNAT outgoing traffic from the LAN to some unused space, then route in linux based on the modified address, which sends the packet down the tunnel. With client-nat config in OpenVPN client, I should be able to DNAT this back to the "correct" address.
So, eg 10.0.0.1 DNAT in lunix pre-routing to, say, 100.64.0.1 (shared Ip space, so no conflict). Then OpenVPN client uses client-nat config to DNAT on packet entering tunnel and "undo" the first NAT (100.64.0.1 back to 10.0.0.1). This means, packets on the LAN are pushed down the tunnel with the same IPs as original, but the DNAT brackets the kernel routing decision to "hide" the WAN IP conflict, and we are all good.

Should be, right?

Client is showing this:
20190110 06:25:25 PUSH: Received control message: 'PUSH_REPLY keepalive 60 180 route 10.2.3.0 route-gateway 100.64.1.1 topology subnet ping 60 ping-restart 240 redirect-gateway client-nat snat 100.65.0.0/255.255.0.0 10.0.0.0 client-nat dnat 10.0.0.0/255.255.0.0 100.65.0.0 ifconfig 100.64.1.2 255.255.255.0'
20190110 06:25:25 N Options error: option 'keepalive' cannot be used in this context
20190110 06:25:25 N Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:8: client-nat (2.2.1)
20190110 06:25:25 N Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:9: client-nat (2.2.1)

I tried with and without the "/" (a space instead), same result.

Is my client too old? (it's an embedded device, so hard to upgrade, or I would have already!)
Or is my client-nat pushed config line wrong?

And/or do I have the wrong idea of where/how client-nat works?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5441
Joined: Fri Jun 03, 2016 1:17 pm

Re: client-nat - is this solution realistic?

Post by TinCanTech » Thu Jan 10, 2019 12:13 am

kneel63 wrote:
Wed Jan 09, 2019 11:23 pm
I tried with and without the "/" (a space instead), same result.
It is a space as the manual states.
kneel63 wrote:
Wed Jan 09, 2019 11:23 pm
Is my client too old?
Don't know .. 2.2.1 is old: 08-May-2013 .. and it's not supported.

viewtopic.php?f=30&t=22603

kneel63
OpenVpn Newbie
Posts: 2
Joined: Wed Jan 09, 2019 11:06 pm

Re: client-nat - is this solution realistic?

Post by kneel63 » Thu Jan 10, 2019 12:30 am

Thanks for the reply.
I actually tried the space first, then the slash, as the manual is somewhat unclear (synopsis is fine, detail description implies maybe a slash, so I tried it)
OK, I will dig around for 2.2.1 feature list - maybe I need to get embedded device firmware devs to update if I want this to work.

In any case, I would appreciate a "yes, that is how it's [client-nat] supposed to work" or "You are a moron, it does THIS..." :-)

Thanks.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5441
Joined: Fri Jun 03, 2016 1:17 pm

Re: client-nat - is this solution realistic?

Post by TinCanTech » Thu Jan 10, 2019 1:03 am

The fact that you have read enough of the manual to try --client-nat is impressive (to me) ..

If you used a currently supported version of openvpn we would not be having this conversation.
(because you would have figured it out by now ..)

:twisted:

Post Reply