Hello, I have an OpenVPN server in a LAN behind NAT.
Here is my setup:
Server (public IP) --DNAT--> ovpn server (LAN, private IP)
1.2.3.4 (10.0.0.1) --DNAT--> (10.0.0.2)
My clients connect to the server's public IP, which DNATs UDP port 1194 into the LAN to the OpenVPN virtual server with a private IP. If I look at the OpenVPN status/log, all clients have the private IP of my server (10.0.0.1) as their source IP. So the logs are useless.
How can I fix it? For example, HTTP has the X-Real-IP/X-Forwarded-For headers which can solve it. But I need to learn how to fix it on OpenVPN.
OpenVPN server behind NAT - private source IP in status/log
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
OpenVpn Newbie | Posts: 6 | Joined: Mon Mar 23, 2020 2:35 pm
OpenVpn Newbie | Posts: 13 | Joined: Thu Jun 19, 2014 11:14 pm
Re: OpenVPN server behind NAT - private source IP in status/log
It sounds like there is more than just DNAT happening. If it were only DNAT, the src ip would still be the client's internet ip. Maybe there is some other NAT command that is also picking up these packets? We do something similar, and our logs show the clients src address.
OpenVpn Newbie | Posts: 6 | Joined: Mon Mar 23, 2020 2:35 pm
Re: OpenVPN server behind NAT - private source IP in status/log
This is my firewall on the server with the public IP:
iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 1194 -j DNAT --to-destination 10.0.0.2:1194
iptables -A FORWARD -i vmbr0 -p udp --dport 1194 -d 10.0.0.2 -j ACCEPT
and the config of my OpenVPN server on the virtual server 10.0.0.2:
Server Config
# This is a comment
port 1194
proto udp
dev-type tun
dev ovpn_xxx
mode server
tls-server
ifconfig 10.99.88.1 255.255.255.0
ifconfig-pool 10.99.88.100 10.99.88.200 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
topology subnet
push "topology subnet"
explicit-exit-notify 1
ca /etc/openvpn/ssl/ca.crt
cert /etc/openvpn/ssl/server.crt
key /etc/openvpn/ssl/server.key
dh /etc/openvpn/ssl/dh.pem
crl-verify /etc/openvpn/ssl/crl.pem
tls-server
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
client-config-dir /etc/openvpn/ccd
client-to-client
keepalive 10 60
persist-key
persist-tun
status /var/run/openvpn-xxx.status 5
log-append /var/log/openvpn/xxx.com.log
verb 3
duplicate-cn
script-security 2
client-connect /etc/openvpn/connect.sh
push "route-gateway 10.99.88.1"
route-gateway 10.99.88.1
push "route-metric 555"
route-metric 555
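To check the hypothesis from the reply above (that a rule other than the DNAT is rewriting the client source address), here is an added example that is not part of the thread: a POSIX shell checker that reads `iptables-save -t nat` output and lists every POSTROUTING SNAT/MASQUERADE rule that can still match the forwarded flow towards the OpenVPN backend. The sample rule set, the LAN bridge name vmbr1 and all POSTROUTING rules are constructed assumptions; only the DNAT rule is taken from the post.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t nat` output (not the poster's actual
# ruleset): the DNAT rule is the one from the thread, the POSTROUTING rules are
# hypothetical. Lines starting with # are annotations and are ignored by the checker.
SAMPLE_NAT_RULES='*nat
-A PREROUTING -i vmbr0 -p udp -m udp --dport 1194 -j DNAT --to-destination 10.0.0.2:1194
# outbound masquerade for the LAN, leaves via the public interface: harmless here
-A POSTROUTING -s 10.0.0.0/24 -o vmbr0 -j MASQUERADE
# scoped to a different backend host: cannot touch the VPN flow
-A POSTROUTING -d 10.0.0.5/32 -j SNAT --to-source 10.0.0.1
# masquerades everything leaving towards the LAN bridge: client source becomes 10.0.0.1
-A POSTROUTING -o vmbr1 -j MASQUERADE
# explicit SNAT of the DNATed flow: same effect
-A POSTROUTING -d 10.0.0.2/32 -p udp -m udp --dport 1194 -j SNAT --to-source 10.0.0.1
COMMIT'
# Usage: flag_rewriters RULES PUBLIC_IFACE BACKEND_IP
# Prints each POSTROUTING SNAT/MASQUERADE rule that can still match the
# forwarded flow PUBLIC_IFACE -> BACKEND_IP after DNAT, i.e. the rules that
# would make OpenVPN on the backend log the NAT box's address as the peer.
flag_rewriters() {
    printf '%s\n' "$1" | awk -v pub="$2" -v backend="$3" '
        /^-A POSTROUTING / && /-j (SNAT|MASQUERADE)/ {
            out = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-o") out = $(i + 1)
                if ($i == "-d") dst = $(i + 1)
            }
            # The forwarded flow leaves towards the LAN, not via the public interface.
            if (out == pub) next
            # A destination match on some other host can never hit this flow.
            if (dst != "" && dst != backend && dst != backend "/32") next
            print
        }'
}

# Usage: count_rewriters RULES PUBLIC_IFACE BACKEND_IP -> number of flagged rules
count_rewriters() {
    flag_rewriters "$@" | wc -l | tr -d ' '
}

# Usage: has_dnat RULES BACKEND_IP PORT -> exit 0 if the expected DNAT rule exists
has_dnat() {
    printf '%s\n' "$1" | grep -q -- "^-A PREROUTING .*--dport $3 .*-j DNAT --to-destination $2:$3"
}

if has_dnat "$SAMPLE_NAT_RULES" 10.0.0.2 1194; then
    echo "DNAT to 10.0.0.2:1194 present; POSTROUTING rules that rewrite its source:"
    flag_rewriters "$SAMPLE_NAT_RULES" vmbr0 10.0.0.2
fi
```

On a real host, replace the sample with `iptables-save -t nat` output and the interface/backend names of your box; any rule the checker prints is a candidate for why the OpenVPN status file shows 10.0.0.1 instead of the client address.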