OpenVPN server behind NAT - private source IP in status/log

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
tuxmartin
OpenVpn Newbie
Posts: 6
Joined: Mon Mar 23, 2020 2:35 pm

OpenVPN server behind NAT - private source IP in status/log

Post by tuxmartin » Mon Jun 05, 2023 2:18 pm

Hello, I have an OpenVPN server in LAN behind NAT.
There is my setup:

Server (public IP) --DNAT--> ovpn server (lan, private ip)
1.2.3.4 (10.0.0.1) --DNAT--> (10.0.0.2)

My clients connect to the server's public IP, which DNATs UDP port 1194 into the LAN to the OpenVPN virtual machine with the private IP. If I look at the OpenVPN status/log, all clients have the private IP of my server (10.0.0.1) as the source IP. So the logs are useless.
How can I fix it? For example, HTTP has the X-Real-IP/X-Forwarded-For headers which can solve it. But I need to learn how to fix it on OpenVPN.

volleynbike
OpenVpn Newbie
Posts: 13
Joined: Thu Jun 19, 2014 11:14 pm

Re: OpenVPN server behind NAT - private source IP in status/log

Post by volleynbike » Mon Jun 05, 2023 9:46 pm

It sounds like there is more than just DNAT happening. If it were only DNAT, the src ip would still be the client's internet ip. Maybe there is some other NAT command that is also picking up these packets? We do something similar, and our logs show the client's src address.

tuxmartin
OpenVpn Newbie
Posts: 6
Joined: Mon Mar 23, 2020 2:35 pm

Re: OpenVPN server behind NAT - private source IP in status/log

Post by tuxmartin » Tue Jun 06, 2023 12:19 am

It's my firewall on the server with the public IP:


iptables -t nat -A PREROUTING -i vmbr0  -p udp --dport 1194 -j DNAT --to-destination 10.0.0.2:1194
iptables -A FORWARD -i vmbr0  -p udp --dport 1194 -d 10.0.0.2 -j ACCEPT
and the config of my OpenVPN server on the virtual server 10.0.0.2:

Server Config
# This is a comment
port 1194
proto udp
dev-type tun
dev ovpn_xxx
mode server
tls-server
ifconfig 10.99.88.1 255.255.255.0
ifconfig-pool 10.99.88.100 10.99.88.200 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
topology subnet
push "topology subnet"
explicit-exit-notify 1
ca /etc/openvpn/ssl/ca.crt
cert /etc/openvpn/ssl/server.crt
key /etc/openvpn/ssl/server.key
dh /etc/openvpn/ssl/dh.pem
crl-verify /etc/openvpn/ssl/crl.pem
tls-server
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
client-config-dir /etc/openvpn/ccd

client-to-client
keepalive 10 60
persist-key
persist-tun
status /var/run/openvpn-xxx.status 5
log-append /var/log/openvpn/xxx.com.log
verb 3
duplicate-cn

script-security 2
client-connect /etc/openvpn/connect.sh

push "route-gateway 10.99.88.1"
route-gateway 10.99.88.1
push "route-metric 555"
route-metric 555
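A quick way to check the diagnosis above (that something beyond the DNAT rule is rewriting the source address before the packet reaches 10.0.0.2) is to scan the gateway's nat table for POSTROUTING rules with a MASQUERADE or SNAT target. The script below is an added example, not code from the thread or from the OpenVPN project: it parses an iptables-save style dump of the nat table. The DNAT rule in the sample is the one posted above; the "-o vmbr1 -j MASQUERADE" line and the interface name vmbr1 are constructed placeholders standing in for a catch-all masquerade rule of the kind that would produce the symptom.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): find nat POSTROUTING rules that
# rewrite the source address of forwarded packets. Such a rule is what makes
# every client appear in the OpenVPN status file with the gateway's private IP.

# Constructed sample dump in iptables-save format. The DNAT rule is the one
# from the post; the MASQUERADE rule and interface vmbr1 are hypothetical.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i vmbr0 -p udp --dport 1194 -j DNAT --to-destination 10.0.0.2:1194
-A POSTROUTING -o vmbr1 -j MASQUERADE
COMMIT'

# Print the nat POSTROUTING rules whose target changes the source address
# (MASQUERADE or SNAT). Reads a dump on stdin; "|| true" keeps grep's
# "no match" exit status from aborting a caller running under "set -e".
find_source_rewrite_rules() {
    grep -E '^-A POSTROUTING .*-j (MASQUERADE|SNAT)' || true
}

# Count those rules. 0 means only DNAT is in play and the client's public
# address should reach the OpenVPN process unchanged. awk always exits 0.
count_source_rewrite_rules() {
    awk '/^-A POSTROUTING .*-j (MASQUERADE|SNAT)/ { n++ } END { print n + 0 }'
}

# Extract the destination of the first DNAT rule, to confirm which host and
# port the forwarded traffic actually lands on.
dnat_target() {
    sed -n 's/.*-j DNAT --to-destination \([^ ]*\).*/\1/p' | head -n 1
}

# Stand-alone run over the constructed dump. On a real gateway, feed the
# functions with:  iptables-save -t nat | count_source_rewrite_rules
echo "DNAT target: $(printf '%s\n' "$SAMPLE_NAT_DUMP" | dnat_target)"
n=$(printf '%s\n' "$SAMPLE_NAT_DUMP" | count_source_rewrite_rules)
echo "source-rewriting POSTROUTING rules: $n"
printf '%s\n' "$SAMPLE_NAT_DUMP" | find_source_rewrite_rules
```

If the count is non-zero, the listed rule is matching the forwarded VPN packets as well as the LAN's outbound traffic. The remedy is to narrow it so it only applies to traffic that originates in the LAN (for example by adding a source-network match such as `-s 10.0.0.0/24` and the outbound interface, both assumed values here), leaving the DNAT-forwarded UDP 1194 packets with the client's real source address. OpenVPN's status file and log simply record the address the kernel delivers, so once the source is no longer rewritten the "Real Address" column shows the client's public IP without any OpenVPN-side change.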
