No NAT Loopback via OpenVPN Server

Need help configuring your VPN? Just post here and you'll get that help.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
azdeltawye
OpenVpn Newbie
Posts: 9
Joined: Wed Feb 14, 2018 11:23 pm

No NAT Loopback via OpenVPN Server

Post by azdeltawye » Wed Feb 14, 2018 11:56 pm

Hello,
Newbie here. I setup a OpenVPN server on my ASUS RT-AC86U router so I can remotely access devices on my home network such as security cam NVR (TCP 35000), I/O automation device and TED5000 web server (TCP 80) with my iPhone. Everything works great when using the VPN connection and the LAN IP to access these local devices. However I want remote clients to be able to connect to local servers via their WAN IP/port forwarding and NAT loopback. I figured this would be possible by using a layer 2 bridge (TAP) connection. Unfortunately I quickly found out that OpenVPN does not support TAP connections on iOS devices...

Could I configure a static route to make this work?

I setup two servers on my router; one for TCP 1194 (virtual IP:10.8.0.x/24) and the other is UDP 1194 (virtual IP:10.16.0.x/24).
My home network is 192.168.0.x/24

Any help would be greatly appreciated.
Thanks,
Darren

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5095
Joined: Fri Jun 03, 2016 1:17 pm

Re: No NAT Loopback via OpenVPN Server

Post by TinCanTech » Thu Feb 15, 2018 12:24 am

azdeltawye wrote:
Wed Feb 14, 2018 11:56 pm
Could I configure a static route to make this work?
HOWTO: Expanding the scope of the VPN to include additional machines

azdeltawye
OpenVpn Newbie
Posts: 9
Joined: Wed Feb 14, 2018 11:23 pm

Re: No NAT Loopback via OpenVPN Server

Post by azdeltawye » Fri Feb 16, 2018 5:01 pm

TinCanTech wrote:
Thu Feb 15, 2018 12:24 am
...
HOWTO: Expanding the scope of the VPN to include additional machines
[/quote]

Thanks for the reply however this situation is a little different. Like I mentioned before, the remote clients have no trouble accessing everything on my home network as long as the LAN IP is used. If the client attempts to use the WAN IP via NAT Loopback to access local servers then they cannot connect.

I followed the advice in the article posted about 'advertising' my home subnet in the server-side configuration with the following:
push "route 192.168.0.0 255.255.255.0" - no change, remote client can access local servers via LAN IP but not WAN IP.
I also attempted to 'advertise' my WAN IP:
push "route 209.234.xxx.xxx 255.255.255.255" - no change, remote client can access local servers via LAN IP but not WAN IP.

Since my OpenVPN server is running on the main router, it has the same IP as the gateway and there is no need to route the server-side LAN gateway to the VPN client subnet.

Any additional ideas would be welcome.

Thanks,
Darren

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5095
Joined: Fri Jun 03, 2016 1:17 pm

Re: No NAT Loopback via OpenVPN Server

Post by TinCanTech » Fri Feb 16, 2018 6:17 pm

azdeltawye wrote:
Fri Feb 16, 2018 5:01 pm
If the client attempts to use the WAN IP via NAT Loopback to access local servers then they cannot connect.
loopback to what ?

azdeltawye wrote:
Fri Feb 16, 2018 5:01 pm
followed the advice in the article posted about 'advertising' my home subnet in the server-side configuration with the following:
push "route 192.168.0.0 255.255.255.0"
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
:arrow: Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN Server LAN :!:
  • You are advised to change your server LAN to a more unique RFC1918 compliant subnet.
    For example: 192.168.143.0/24
azdeltawye wrote:
Fri Feb 16, 2018 5:01 pm
I also attempted to 'advertise' my WAN IP:
push "route 209.234.xxx.xxx 255.255.255.255"
Don't do that .. your client needs to see this ip outside the tunnel.

Please see:
HOWTO: Request Help ! {2}

azdeltawye
OpenVpn Newbie
Posts: 9
Joined: Wed Feb 14, 2018 11:23 pm

Re: No NAT Loopback via OpenVPN Server

Post by azdeltawye » Fri Feb 16, 2018 8:48 pm

TinCanTech wrote:
Fri Feb 16, 2018 6:17 pm
azdeltawye wrote:
Fri Feb 16, 2018 5:01 pm
If the client attempts to use the WAN IP via NAT Loopback to access local servers then they cannot connect.
loopback to what ?
NAT Loopback is where clients on a local lan access servers on that same lan by using the WAN IP with port forwarding, also known as NAT hairpinning. I want to retain 'back door' access to local servers by using port forwarding with IP inbound filtering. The iOS apps I use to access said servers does not have the option to use multiple IP address so I am forced to only use the WAN IP to access.

TinCanTech wrote:
Fri Feb 16, 2018 6:17 pm
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
[/quote]
Yes. Thanks. I changed third octet of local lan to something more unique.

TinCanTech wrote:
Fri Feb 16, 2018 6:17 pm
:arrow: Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN Server LAN :!:
Correct. Please reference above; Server 1 virtual IP is 10.8.0.0/24 and Server 2 virtual IP is 10.16.0.0/24
TinCanTech wrote:
Fri Feb 16, 2018 6:17 pm
  • You are advised to change your server LAN to a more unique RFC1918 compliant subnet.
    For example: 192.168.143.0/24
Yes. Thanks.I changed third octet of local lan to something more unique.
TinCanTech wrote:
Fri Feb 16, 2018 6:17 pm
azdeltawye wrote:
Fri Feb 16, 2018 5:01 pm
I also attempted to 'advertise' my WAN IP:
push "route 209.234.xxx.xxx 255.255.255.255"
Don't do that .. your client needs to see this ip outside the tunnel.
Thanks. I took that out of the server setup.

Please see:
HOWTO: Request Help ! {2}
[/quote]

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5095
Joined: Fri Jun 03, 2016 1:17 pm

Re: No NAT Loopback via OpenVPN Server

Post by TinCanTech » Fri Feb 16, 2018 9:07 pm

azdeltawye wrote:
Fri Feb 16, 2018 8:48 pm
NAT Loopback is where clients on a local lan access servers on that same lan by using the WAN IP with port forwarding, also known as NAT hairpinning
Are you sure your router can do this ? See your router manual ..



Please see:
HOWTO: Request Help !

azdeltawye
OpenVpn Newbie
Posts: 9
Joined: Wed Feb 14, 2018 11:23 pm

Re: No NAT Loopback via OpenVPN Server

Post by azdeltawye » Fri Feb 16, 2018 9:24 pm

TinCanTech wrote:
Fri Feb 16, 2018 9:07 pm
azdeltawye wrote:
Fri Feb 16, 2018 8:48 pm
NAT Loopback is where clients on a local lan access servers on that same lan by using the WAN IP with port forwarding, also known as NAT hairpinning
Are you sure your router can do this ? See your router manual ..

Please see:
HOWTO: Request Help !
Yes.
When at home on the wifi my iPhone successfully connects to all local severs via their WAN IP through port forwarding. I did have to add the local subnet to the IP filter whitelist to make it work though..

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5095
Joined: Fri Jun 03, 2016 1:17 pm

Re: No NAT Loopback via OpenVPN Server

Post by TinCanTech » Fri Feb 16, 2018 9:30 pm

azdeltawye wrote:
Fri Feb 16, 2018 9:24 pm
When at home on the wifi my iPhone successfully connects to all local severs via their WAN IP through port forwarding. I did have to add the local subnet to the IP filter whitelist to make it work though..
Really ..


Please see:
HOWTO: Request Help !

azdeltawye
OpenVpn Newbie
Posts: 9
Joined: Wed Feb 14, 2018 11:23 pm

Re: No NAT Loopback via OpenVPN Server

Post by azdeltawye » Fri Feb 16, 2018 9:48 pm

TinCanTech wrote:
Fri Feb 16, 2018 9:30 pm
Really ..
[/quote]

Yes!
So you can see my dilemma...

My NVR iPhone app allows multiple logins which enables me to easily toggle between LAN or WAN IP; so when I am away from home and I VPN into my network I just toggle to LAN IP. But the other server apps are not as slick and I have to manually edit the IP if I want to change it from LAN to WAN or vise versa.

This is normally not an issue because 99% of the time I VPN into my home network to access these servers. But for reliability sake I have the port forwarding and IP filtering enabled which allows access to these home servers from a specified whitelist of public IP addresses. And I don't want to have to edit my app IP settings on the fly if for some reason I cant VPN into my home network..

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5095
Joined: Fri Jun 03, 2016 1:17 pm

Re: No NAT Loopback via OpenVPN Server

Post by TinCanTech » Fri Feb 16, 2018 9:50 pm

azdeltawye wrote:
Fri Feb 16, 2018 9:48 pm
So you can see my dilemma...
No ..


Please see:
HOWTO: Request Help !

azdeltawye
OpenVpn Newbie
Posts: 9
Joined: Wed Feb 14, 2018 11:23 pm

Re: No NAT Loopback via OpenVPN Server

Post by azdeltawye » Fri Feb 16, 2018 10:02 pm

TinCanTech wrote:
Fri Feb 16, 2018 9:50 pm
azdeltawye wrote:
Fri Feb 16, 2018 9:48 pm
So you can see my dilemma...
No ..
The dilemma is that I only want to use the WAN IP to access my NVR and other local web servers but this does not work when I VPN into my home network.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5095
Joined: Fri Jun 03, 2016 1:17 pm

Re: No NAT Loopback via OpenVPN Server

Post by TinCanTech » Fri Feb 16, 2018 10:09 pm

Please see:
HOWTO: Request Help !

If you *can* access your server without the vpn then do so ..

Perhaps you are redirecting your client gateway ?

azdeltawye
OpenVpn Newbie
Posts: 9
Joined: Wed Feb 14, 2018 11:23 pm

Re: No NAT Loopback via OpenVPN Server

Post by azdeltawye » Fri Feb 16, 2018 11:42 pm

TinCanTech wrote:
Fri Feb 16, 2018 10:09 pm
Please see:
HOWTO: Request Help !

If you *can* access your server without the vpn then do so ..

Perhaps you are redirecting your client gateway ?
VPN access is preferred because of the secure connection. Accessing via port forwarding is much less desirable, especially my servers which only do TCP port 80. It should only be used as a last resort...

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5095
Joined: Fri Jun 03, 2016 1:17 pm

Re: No NAT Loopback via OpenVPN Server

Post by TinCanTech » Sat Feb 17, 2018 12:41 am

Have you tried TAP mode ?

azdeltawye
OpenVpn Newbie
Posts: 9
Joined: Wed Feb 14, 2018 11:23 pm

Re: No NAT Loopback via OpenVPN Server

Post by azdeltawye » Mon Feb 19, 2018 2:46 pm

TinCanTech wrote:
Sat Feb 17, 2018 12:41 am
Have you tried TAP mode ?
TAP mode is not supported with iOS.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5095
Joined: Fri Jun 03, 2016 1:17 pm

Re: No NAT Loopback via OpenVPN Server

Post by TinCanTech » Mon Feb 19, 2018 4:13 pm

Even though you have not documented your question as per the request:
TinCanTech wrote:
Fri Feb 16, 2018 10:09 pm
Please see:
HOWTO: Request Help !
I believe I have figured out what you really mean ..
azdeltawye wrote:
Fri Feb 16, 2018 10:02 pm
The dilemma is that I only want to use the WAN IP to access my NVR and other local web servers but this does not work when I VPN into my home network
You cannot access your server WAN IP if you use --redirect-gateway ..

If you want to use your server WAN IP for server side resources then you will have to do this:
TinCanTech wrote:
Thu Feb 15, 2018 12:24 am
azdeltawye wrote:
Wed Feb 14, 2018 11:56 pm
Could I configure a static route to make this work?
HOWTO: Expanding the scope of the VPN to include additional machines
Good luck.

Edit:
This will not work either because you will end up forwarding your VPN packets through the VPN.
Only Linux can do what you want by using Policy Based Routing.

azdeltawye
OpenVpn Newbie
Posts: 9
Joined: Wed Feb 14, 2018 11:23 pm

Re: No NAT Loopback via OpenVPN Server

Post by azdeltawye » Tue Feb 20, 2018 3:10 pm

TinCanTech wrote:
Mon Feb 19, 2018 4:13 pm
...
Edit:
Only Linux can do what you want by using Policy Based Routing.
Thanks for the info!

I should be able to implement the required rules in the iptables or may need to write a script. I am running third-party asuswrt-merlin firmware in my router which allows custom scripts in the JFFs partition.

THanks again!!

Darren

Post Reply