Need help/opinion with 1:1 NAT setup

tke13
OpenVpn Newbie
Posts: 1
Joined: Wed Jul 20, 2022 6:48 am

Need help/opinion with 1:1 NAT setup

Post by tke13 » Wed Jul 20, 2022 7:10 am

Hello,

I have got the following situation:
- There is an OpenVPN server in AWS (private network: 172.24.0.0/24)
- There is an OpenVPN client on a remote site-1 (private network 192.168.0.0/24)
- There is an OpenVPN client on a remote site-2 (private network 192.168.0.0/24)
- There is an application within AWS (IP: 172.24.0.10)
- There is a server-1 on remote site-1 (IP: 192.168.0.10)
- There is a server-2 on remote site-2 (IP: 192.168.0.10)
- FW on remote site can't be accessed/configured
- Application needs to access server-1 on remote site-1
- Application needs to access server-2 on remote site-2

Now with just one remote site I could use plain routing to make this work (reverse VPN).
However, if I want to add a second remote site-2 with the same IP range as remote site-1 (192.168.0.0) and the application needs to access both sites, this will lead to a routing conflict.
I have searched and read something about 1:1 NAT, so that for example I can NAT 192.168.0.0 on remote site-2 to 10.10.0.0/24 and the application in AWS can reach server-2 on remote site-2 with IP 10.10.0.10 (instead of 192.168.0.10).

Is this correct?
Is there any information on how to set this up?

Kind regards,
tke

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Need help/opinion with 1:1 NAT setup

Post by openvpn_inc » Fri Jul 22, 2022 2:31 pm

Hi tke,

Opinion? Yuck! It is absolutely not correct.

How (and more importantly, WHY) do you expect to be able to route from one 192.168.0.0/24 to another, different 192.168.0.0/24?
tke13 wrote (Wed Jul 20, 2022 7:10 am):
    - FW on remote site can't be accessed/configured
Why not? This is garbage. Consider replacing it with something not braindead. But anyway, you CAN change the subnet on the other site. Do that.

Web searches often have the problem you found: someone who knows very little about a subject shares their thoughts on how to address an issue. 1:1 NAT is a very bad idea. IP routing is simple and it works, as long as routers on each side of the VPN tunnel know to go through the tunnel to get to the remote site. Likewise the VPN server needs to know where to route each network.

If you are still constrained to do things the wrong way, the best hope for you is the OpenVPN Cloud service. It actually offers the feature of being able to route from one overlapping network segment to another. It does this through DNS tricks for the VPN clients and behind-the-scenes routing magic.

regards, rob0

Killer2600
OpenVpn Newbie
Posts: 2
Joined: Sat Apr 29, 2023 6:03 pm

Re: Need help/opinion with 1:1 NAT setup

Post by Killer2600 » Sat Apr 29, 2023 6:08 pm

1:1 NAT is a very bad idea
Why is it a very bad idea to implement a feature that OpenVPN itself has built-in (client-nat)?
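
The 1:1 NAT layout tke13 describes, implemented with the client-nat directive Killer2600 refers to, as an added example that is not from any post in this thread. The VPN transit pool 10.8.0.0/24, the ccd file names, the placeholder server address and the omitted TLS/key directives are assumptions; the 10.10.0.0/24 alias is the one tke13 proposed.

```openvpn
##### server.conf (OpenVPN server in AWS) #####
# Assumed transit pool; anything that collides with no site network.
server 10.8.0.0 255.255.255.0
dev tun
client-config-dir ccd
# Site-1 keeps its real addresses. Site-2 is seen from AWS as 10.10.0.0/24,
# so both sites fit in one routing table without a conflict.
route 192.168.0.0 255.255.255.0
route 10.10.0.0 255.255.255.0
# Both site clients need a route back to the AWS network.
push "route 172.24.0.0 255.255.255.0"

##### ccd/site1 (file named after the site-1 client's certificate CN) #####
iroute 192.168.0.0 255.255.255.0

##### ccd/site2 #####
# The server only ever sees site-2 under its alias.
iroute 10.10.0.0 255.255.255.0

##### client.conf on the site-2 OpenVPN client #####
client
dev tun
remote vpn.example.invalid 1194   # placeholder server address
# ca/cert/key (or tls-crypt) directives omitted here

# Stateless 1:1 NAT done inside the OpenVPN process (IPv4, tun only).
# Syntax: client-nat snat|dnat network netmask alias
#   snat    = the network is a resource owned by this client
#   network = the client's local view, alias = the server's view
# A packet from server-2 enters the tunnel as 10.10.0.10 -> 172.24.0.10;
# a packet arriving for 10.10.0.10 is delivered to 192.168.0.10.
client-nat snat 192.168.0.0 255.255.255.0 10.10.0.0

# Check: at verb 6 the client logs every src/dst address it rewrites.
verb 6
```

Because client-nat only rewrites packets that pass through the OpenVPN process, the site-2 client host must be the one forwarding LAN traffic into the tunnel, and server-2 must route 172.24.0.0/24 back through that host. The rewrite is address-only, so protocols that carry IP addresses in their payload (FTP, SIP) will still see 192.168.0.10.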
