Internet over VPN without masquerading using routing


Post by lordbobcup » Wed Jul 28, 2021 10:39 pm

Hi, I have a fairly established VPN running in split-tunneling mode. Currently all the LAN to VPN and VPN to LAN routing is working exactly as I intend it to work. I now however have a requirement to disable split-tunneling and want to be redirecting the clients' default gateway across the VPN. If I enable

push redirect-gateway def1
to the client, they lose internet access, the initial traceroute takes the traffic across the VPN as expected, however it appears that the VPN server cannot correctly route the traffic. Because the network is configured in routed mode and the server is not the default gateway I would have expected this to work. I then attempted the NatHack, using

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
and everything started working as expected HOWEVER, this is not the behaviour I want or need. We cannot be rewriting the packet headers on the VPN server as that screws up all access logging on other devices throughout the network. I would have expected because the VPN can route all of the other traffic to and from the VPN there would be no problems with internet traffic; just like all other VPN traffic it would be pushed to the VPN server's default gateway and then handled by the existing network without any need for NAT.
What I can't understand is why it works fine with NAT on the VPN server, but doesn't work without it. The router has routes to forward returned traffic back to 172.27.5.0/24 via 172.27.2.2 and that works, as the other subnets on the router are returned fine. I would have expected the VPN server to forward the traffic to the router for routing as normal; it would NAT it and send it to the internet as normal and return the traffic back to the VPN server like normal to be encrypted and transmitted back to the client, but it seems there is something funky happening in the VPN server itself. Can anyone shed any light as to why it _has_ to have masquerading?

Server is Ubuntu Linux, currently not running any iptables/ufw to get the existing networking going; everything is handled by the router.
Server Config

local 172.27.2.2
port 10000
proto udp
dev tun
ca ca.crt
cert vpn.crt
key vpn.key # This file should be kept secret
dh dh2048.pem
topology subnet
server 172.27.5.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.20.0.0 255.255.255.0"
push "route 172.20.1.0 255.255.255.0"
push "route 172.20.2.0 255.255.255.0"
push "route 172.27.2.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
push "dhcp-option DNS 172.20.0.5"
push "dhcp-option DNS 172.20.0.6"
push "dhcp-option DOMAIN xx.com"
keepalive 10 120
cipher AES-128-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-fullaccess-status.log
log-append openvpn-fullaccess.log
verb 4
explicit-exit-notify 1
client-cert-not-required
username-as-common-name


                                                 ┌───────────────────┐
                               (INTERNET)        │ L3 Router         │
                               Public IP         │                   │
                                                 │                   │
                                                 │                   │
                                                 └────────┬──────────┘                   ┌─────────────────┐
                                                          │                              │ LAN             │
                                                          │                              │ 172.20.0.0/24   │
                                                          ├──────────────────────────────┤ SVI .1          │
┌───────────────┐                                         │                              └─────────────────┘
│ VPN Client    │                                         │
│ 172.27.5.5/24 │                                         │
│               │                                         │
└───────────────┘                                         │
                                                          │                              ┌─────────────────┐
                                                          │                              │ LAN             │
                                                          ├──────────────────────────────┤ 172.20.1.0/24   │
                                                          │                              │ SVI .1          │
                                                          │                              └─────────────────┘
                                                          │
                                                          │
                                                          │                              ┌─────────────────┐      ┌─────────────────┐
                                                          │                              │ DMZ             │      │ VPN Server      │
                                                          ├──────────────────────────────┤ 172.27.2.0/26   ├──────┤ 172.27.2.2/24   │
                                                          │                              │ SVI .1          │      │ DG: 172.27.2.1  │
                                                          │                              └─────────────────┘      └───────────┬─────┘
                                                          │                                                                   │
                                                          │                                                                   │
                                                          │                              ┌─────────────────┐                ┌─┴────────────────┐
                                                          │                              │ DMZ             │                │ VPN tunnel Subnet│
                                                          └──────────────────────────────┤ 172.27.2.64/26  │                │ 172.27.5.0/24    │
                                                                                         │ SVI .1          │                │ TUN .1           │
                                                                                         └─────────────────┘                └──────────────────┘
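Added example, not part of the post above: a small Python model of the routing tables implied by the diagram and server config. It shows what `push redirect-gateway def1` adds to the client table (two /1 routes and a host route to the server's public address) and which next hop the client, the VPN server and the L3 router each pick for a tunnelled packet and for the reply. The client's home gateway 192.168.1.1 and the server's public address 203.0.113.10 are assumed placeholders; the router table is reconstructed from the diagram.

```python
import ipaddress

# Constructed routing tables modelled on the topology in the post.
# Each entry is (prefix, next_hop); next_hop is a gateway IP or a label
# for the interface the packet leaves on.
CLIENT_LAN_GW = "192.168.1.1"       # assumption: client's home router
VPN_SERVER_PUBLIC = "203.0.113.10"  # assumption: documentation address
TUN_GW = "172.27.5.1"               # server side of the tun subnet

def build_client_table(redirect_def1):
    table = [(p, TUN_GW) for p in (
        "172.20.0.0/24", "172.20.1.0/24", "172.20.2.0/24",
        "172.27.2.0/24", "192.168.20.0/24")]            # pushed routes
    table += [("172.27.5.0/24", "tun"), ("192.168.1.0/24", "lan"),
              ("0.0.0.0/0", CLIENT_LAN_GW)]              # original default
    if redirect_def1:
        # def1 adds two /1 routes that win over the default route without
        # replacing it, plus a /32 so the tunnel itself still exits via
        # the LAN gateway.
        table += [("0.0.0.0/1", TUN_GW), ("128.0.0.0/1", TUN_GW),
                  (VPN_SERVER_PUBLIC + "/32", CLIENT_LAN_GW)]
    return table

SERVER_TABLE = [("172.27.5.0/24", "tun0"), ("172.27.2.0/24", "eth0"),
                ("0.0.0.0/0", "172.27.2.1")]
ROUTER_TABLE = [("172.27.5.0/24", "172.27.2.2"), ("172.27.2.0/26", "dmz"),
                ("172.27.2.64/26", "dmz"), ("172.20.0.0/24", "lan"),
                ("172.20.1.0/24", "lan"), ("0.0.0.0/0", "internet")]

def lookup(table, dst):
    """Longest-prefix match, as the kernel does; returns next hop or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None

def trace(dst, redirect_def1=True):
    """Next hops a client packet takes: client -> VPN server -> router."""
    hops = [lookup(build_client_table(redirect_def1), dst)]
    if hops[0] != TUN_GW:
        return hops                       # never enters the tunnel
    hops.append(lookup(SERVER_TABLE, dst))
    hops.append(lookup(ROUTER_TABLE, dst))
    return hops

def return_path(src="172.27.5.5"):
    """Hop the router picks for the reply back to the VPN client."""
    return lookup(ROUTER_TABLE, src)
```

Comparing `trace("8.8.8.8")` with and without def1 shows the forward path the post describes; `return_path()` confirms the router's route back to the tun subnet via 172.27.2.2 matches before looking elsewhere for the break.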
