No NAT Loopback via OpenVPN Server
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Wed Feb 14, 2018 11:23 pm
No NAT Loopback via OpenVPN Server
Hello,
Newbie here. I set up an OpenVPN server on my ASUS RT-AC86U router so I can remotely access devices on my home network such as a security cam NVR (TCP 35000), an I/O automation device and a TED5000 web server (TCP 80) with my iPhone. Everything works great when using the VPN connection and the LAN IP to access these local devices. However I want remote clients to be able to connect to local servers via their WAN IP/port forwarding and NAT loopback. I figured this would be possible by using a layer 2 bridge (TAP) connection. Unfortunately I quickly found out that OpenVPN does not support TAP connections on iOS devices...
Could I configure a static route to make this work?
I set up two servers on my router; one for TCP 1194 (virtual IP: 10.8.0.x/24) and the other is UDP 1194 (virtual IP: 10.16.0.x/24).
My home network is 192.168.0.x/24
Any help would be greatly appreciated.
Thanks,
Darren
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 9
- Joined: Wed Feb 14, 2018 11:23 pm
Re: No NAT Loopback via OpenVPN Server
TinCanTech wrote:
HOWTO: Expanding the scope of the VPN to include additional machines
Thanks for the reply however this situation is a little different. Like I mentioned before, the remote clients have no trouble accessing everything on my home network as long as the LAN IP is used. If the client attempts to use the WAN IP via NAT Loopback to access local servers then they cannot connect.
I followed the advice in the article posted about 'advertising' my home subnet in the server-side configuration with the following:
push "route 192.168.0.0 255.255.255.0" - no change, remote client can access local servers via LAN IP but not WAN IP.
I also attempted to 'advertise' my WAN IP:
push "route 209.234.xxx.xxx 255.255.255.255" - no change, remote client can access local servers via LAN IP but not WAN IP.
Since my OpenVPN server is running on the main router, it has the same IP as the gateway and there is no need to route the server-side LAN gateway to the VPN client subnet.
Any additional ideas would be welcome.
Thanks,
Darren
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No NAT Loopback via OpenVPN Server
azdeltawye wrote: ↑Fri Feb 16, 2018 5:01 pm
If the client attempts to use the WAN IP via NAT Loopback to access local servers then they cannot connect.
loopback to what ?
azdeltawye wrote: ↑Fri Feb 16, 2018 5:01 pm
followed the advice in the article posted about 'advertising' my home subnet in the server-side configuration with the following:
push "route 192.168.0.0 255.255.255.0"
- NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
- You are advised to change your server LAN to a more unique RFC1918 compliant subnet.
For example: 192.168.143.0/24
azdeltawye wrote: ↑Fri Feb 16, 2018 5:01 pm
I also attempted to 'advertise' my WAN IP:
push "route 209.234.xxx.xxx 255.255.255.255"
Don't do that .. your client needs to see this ip outside the tunnel.
Please see:
HOWTO: Request Help ! {2}
-
- OpenVpn Newbie
- Posts: 9
- Joined: Wed Feb 14, 2018 11:23 pm
Re: No NAT Loopback via OpenVPN Server
TinCanTech wrote: ↑Fri Feb 16, 2018 6:17 pm
azdeltawye wrote: ↑Fri Feb 16, 2018 5:01 pm
If the client attempts to use the WAN IP via NAT Loopback to access local servers then they cannot connect.
loopback to what ?
NAT Loopback is where clients on a local LAN access servers on that same LAN by using the WAN IP with port forwarding, also known as NAT hairpinning. I want to retain 'back door' access to local servers by using port forwarding with IP inbound filtering. The iOS apps I use to access said servers do not have the option to use multiple IP addresses, so I am forced to use only the WAN IP for access.
TinCanTech wrote: ↑Fri Feb 16, 2018 6:17 pm
Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN Server LAN
Correct. Please reference above; Server 1 virtual IP is 10.8.0.0/24 and Server 2 virtual IP is 10.16.0.0/24.
TinCanTech wrote: ↑Fri Feb 16, 2018 6:17 pm
- NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
- You are advised to change your server LAN to a more unique RFC1918 compliant subnet.
For example: 192.168.143.0/24
Yes. Thanks. I changed the third octet of my local LAN to something more unique.
TinCanTech wrote: ↑Fri Feb 16, 2018 6:17 pm
azdeltawye wrote: ↑Fri Feb 16, 2018 5:01 pm
I also attempted to 'advertise' my WAN IP:
push "route 209.234.xxx.xxx 255.255.255.255"
Don't do that .. your client needs to see this ip outside the tunnel.
Please see:
HOWTO: Request Help ! {2}
Thanks. I took that out of the server setup.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No NAT Loopback via OpenVPN Server
azdeltawye wrote: ↑Fri Feb 16, 2018 8:48 pm
NAT Loopback is where clients on a local lan access servers on that same lan by using the WAN IP with port forwarding, also known as NAT hairpinning
Are you sure your router can do this ? See your router manual ..
Please see:
HOWTO: Request Help !
-
- OpenVpn Newbie
- Posts: 9
- Joined: Wed Feb 14, 2018 11:23 pm
Re: No NAT Loopback via OpenVPN Server
TinCanTech wrote: ↑Fri Feb 16, 2018 9:07 pm
azdeltawye wrote: ↑Fri Feb 16, 2018 8:48 pm
NAT Loopback is where clients on a local lan access servers on that same lan by using the WAN IP with port forwarding, also known as NAT hairpinning
Are you sure your router can do this ? See your router manual ..
Please see:
HOWTO: Request Help !
Yes.
When at home on the wifi my iPhone successfully connects to all local servers via their WAN IP through port forwarding. I did have to add the local subnet to the IP filter whitelist to make it work though..
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No NAT Loopback via OpenVPN Server
azdeltawye wrote: ↑Fri Feb 16, 2018 9:24 pm
When at home on the wifi my iPhone successfully connects to all local servers via their WAN IP through port forwarding. I did have to add the local subnet to the IP filter whitelist to make it work though..
Really ..
Please see:
HOWTO: Request Help !
-
- OpenVpn Newbie
- Posts: 9
- Joined: Wed Feb 14, 2018 11:23 pm
Re: No NAT Loopback via OpenVPN Server
TinCanTech wrote:
Really ..
Yes!
So you can see my dilemma...
My NVR iPhone app allows multiple logins which enables me to easily toggle between LAN or WAN IP; so when I am away from home and I VPN into my network I just toggle to LAN IP. But the other server apps are not as slick and I have to manually edit the IP if I want to change it from LAN to WAN or vice versa.
This is normally not an issue because 99% of the time I VPN into my home network to access these servers. But for reliability's sake I have the port forwarding and IP filtering enabled which allows access to these home servers from a specified whitelist of public IP addresses. And I don't want to have to edit my app IP settings on the fly if for some reason I can't VPN into my home network..
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No NAT Loopback via OpenVPN Server
-
- OpenVpn Newbie
- Posts: 9
- Joined: Wed Feb 14, 2018 11:23 pm
Re: No NAT Loopback via OpenVPN Server
The dilemma is that I only want to use the WAN IP to access my NVR and other local web servers but this does not work when I VPN into my home network.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No NAT Loopback via OpenVPN Server
Please see:
HOWTO: Request Help !
If you *can* access your server without the vpn then do so ..
Perhaps you are redirecting your client gateway ?
-
- OpenVpn Newbie
- Posts: 9
- Joined: Wed Feb 14, 2018 11:23 pm
Re: No NAT Loopback via OpenVPN Server
TinCanTech wrote: ↑Fri Feb 16, 2018 10:09 pm
Please see:
HOWTO: Request Help !
If you *can* access your server without the vpn then do so ..
Perhaps you are redirecting your client gateway ?
VPN access is preferred because of the secure connection. Accessing via port forwarding is much less desirable, especially my servers which only do TCP port 80. It should only be used as a last resort...
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No NAT Loopback via OpenVPN Server
Have you tried TAP mode ?
-
- OpenVpn Newbie
- Posts: 9
- Joined: Wed Feb 14, 2018 11:23 pm
Re: No NAT Loopback via OpenVPN Server
TAP mode is not supported with iOS.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No NAT Loopback via OpenVPN Server
Even though you have not documented your question as per the request:
I believe I have figured out what you really mean ..
azdeltawye wrote: ↑Fri Feb 16, 2018 10:02 pm
The dilemma is that I only want to use the WAN IP to access my NVR and other local web servers but this does not work when I VPN into my home network
You cannot access your server WAN IP if you use --redirect-gateway ..
If you want to use your server WAN IP for server side resources then you will have to do this:
TinCanTech wrote: ↑Thu Feb 15, 2018 12:24 am
HOWTO: Expanding the scope of the VPN to include additional machines
Good luck.
Edit:
This will not work either because you will end up forwarding your VPN packets through the VPN.
Only Linux can do what you want by using Policy Based Routing.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Wed Feb 14, 2018 11:23 pm
Re: No NAT Loopback via OpenVPN Server
TinCanTech wrote: ↑Mon Feb 19, 2018 4:13 pm
...
Edit:
Only Linux can do what you want by using Policy Based Routing.
Thanks for the info!
I should be able to implement the required rules in iptables or may need to write a script. I am running third-party asuswrt-merlin firmware in my router which allows custom scripts in the JFFS partition.
Thanks again!!
Darren