Client and Server on the same machine to bypass NAT

caedium
OpenVpn Newbie
Posts: 7
Joined: Thu Mar 04, 2021 7:22 pm

Client and Server on the same machine to bypass NAT

Post by caedium » Thu Mar 04, 2021 7:33 pm

I need to connect to a LAN behind a NAT over which I have no control, so I came up with this solution: exposing an OpenVPN private server through a commercial VPN static IP.
A host in the LAN acts as the OpenVPN server, listening on a port forwarded from the public static IP of the commercial VPN, and runs an OpenVPN client connected to the commercial server with a static IP.

On host 10.0.0.56, my server OpenVPN conf:

	;local 10.117.226.39
	port 18914
	proto udp
	dev tun
	ca ca.crt
	cert server.crt
	key server.key
	dh dh.pem
	auth SHA512
	tls-crypt tc.key
	topology subnet
	server 10.8.0.0 255.255.255.0
	push "route 10.0.0.0 255.255.255.0"
	push "redirect-gateway def1 bypass-dhcp"
	ifconfig-pool-persist ipp.txt
	push "dhcp-option DNS 1.1.1.1"
	push "dhcp-option DNS 1.0.0.1"
	keepalive 10 120
	cipher AES-256-CBC
	user nobody
	group nogroup
	persist-key
	persist-tun
	verb 3
	crl-verify crl.pem
	explicit-exit-notify

Standard configuration; I just added the "push route" to instruct clients about the 10.0.0.0 subnet.

Again on host 10.0.0.56, the commercial VPN client.conf:

	client
	dev tun
	proto udp
	remote <obscured_public_static_ip> 443
	nobind
	auth-user-pass
	resolv-retry infinite
	cipher AES-256-GCM
	ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
	auth SHA512
	compress lzo
	verb 2
	mute-replay-warnings
	remote-cert-tls server
	persist-key
	persist-tun

Remote client connecting from the internet, my client OpenVPN conf:

	dev tun
	proto udp
	remote <obscured_public_static_ip> 18914
	resolv-retry infinite
	nobind
	persist-key
	persist-tun
	remote-cert-tls server
	auth SHA512
	cipher AES-256-CBC
	ignore-unknown-option block-outside-dns
	block-outside-dns
	verb 3

Configured also:
- a static route on the LAN gateway for net 10.8.0.0/24 with destination 10.0.0.56 (LAN IP of the OpenVPN server)
- ip_forward = 1 on the 10.0.0.56 host

Server 10.0.0.56 route table:

	Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
	0.0.0.0         10.117.226.1    128.0.0.0       UG    0      0        0 tun0
	0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
	10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
	10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun1
	10.117.226.0    0.0.0.0         255.255.254.0   U     0      0        0 tun0
	<obscured_public_static_ip>  10.0.0.1        255.255.255.255 UGH   0      0        0 eth0
	128.0.0.0       10.117.226.1    128.0.0.0       UG    0      0        0 tun0

tun1: OpenVPN server interface
eth0: LAN interface
tun0: OpenVPN client interface

Remote client 10.8.0.4 route table:

	Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
	10.0.0.0        10.8.0.1        255.255.255.0   UG    50     0        0 tun0
	10.8.0.0        0.0.0.0         255.255.255.0   U     50     0        0 tun0

Given client 10.8.0.4 executing the command:

	nping --tcp -p 64000 10.0.0.2

I get:

Wireshark on the OpenVPN server:

	Source		Destination	Protocol	Length	Info
	10.8.0.4	10.0.0.2	TCP	56	4149 → 64000 [SYN] Seq=0 Win=1480 Len=0
	10.117.226.35	10.0.0.2	TCP	56	4149 → 64000 [SYN] Seq=0 Win=1480 Len=0

Wireshark on 10.0.0.2:

	Source		Destination	Protocol	Length	Info
	10.117.226.35	10.0.0.2	TCP	60	4149 → 64000 [SYN] Seq=0 Win=1480 Len=0

So, a request for a LAN host (10.0.0.0/24) actually gets to the host, but with a wrong source (10.117.226.35), to which the host doesn't know how to route a response.
The request should get to the host with a source in 10.8.0.0/24 or 10.0.0.0/24, but I don't really know where to put my hands to get this result.
I can't get access to the LAN hosts with the current setup. I really could use some help, thank you.
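An added diagnostic (not from the thread or from OpenVPN) that replays the captures above against the posted route table: longest-prefix routing alone sends 10.8.0.4 → 10.0.0.2 out eth0 and never touches the source address, so a source of 10.117.226.35 can only come from a nat/POSTROUTING rule on 10.0.0.56. The SNAT rule below is a hypothetical one of the shape that yields exactly that rewrite, placed next to an eth0-only MASQUERADE and to no NAT at all, both of which keep 10.0.0.2's replies routable through the LAN gateway's static route for 10.8.0.0/24; interface addresses are the ones shown in the thread.

```python
import ipaddress

# Route table of host 10.0.0.56 as posted in the thread (netstat -rn layout); the
# <obscured_public_static_ip> host route is left out because it carries no literal address.
ROUTES = """\
0.0.0.0         10.117.226.1    128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun1
10.117.226.0    0.0.0.0         255.255.254.0   U     0      0        0 tun0
128.0.0.0       10.117.226.1    128.0.0.0       UG    0      0        0 tun0
"""
# Constructed nat/POSTROUTING rules in iptables-save syntax. Hypothetical: the thread never shows
# the host's NAT table, but a rule of this shape produces exactly the rewrite seen in the captures.
SUSPECT_RULES = ["-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 10.117.226.35"]
# Alternative that keeps LAN replies routable: masquerade only when leaving on the LAN interface.
LAN_MASQ_RULES = ["-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE"]
IFACE_ADDR = {"eth0": "10.0.0.56", "tun0": "10.117.226.35", "tun1": "10.8.0.1"}  # from the thread

def parse_routes(text):  # -> [(network, gateway, iface)]
    rows = [ln.split() for ln in text.splitlines()]
    return [(ipaddress.IPv4Network(f"{r[0]}/{r[2]}"), r[1], r[-1]) for r in rows]

def lookup(routes, dst):
    """Longest-prefix match: 10.0.0.0/24 on eth0 beats the two /1 routes 'redirect-gateway def1' put on tun0."""
    addr = ipaddress.IPv4Address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[2], best[1]

def parse_rule(rule):  # minimal reader for the handful of matches used above
    t = rule.split()
    r = {"src": None, "not_dst": None, "out": None, "target": None, "to": None}
    for i, tok in enumerate(t):
        if tok == "-s": r["src"] = ipaddress.IPv4Network(t[i + 1])
        elif tok == "-d" and t[i - 1] == "!": r["not_dst"] = ipaddress.IPv4Network(t[i + 1])
        elif tok == "-o": r["out"] = t[i + 1]
        elif tok == "-j": r["target"] = t[i + 1]
        elif tok == "--to-source": r["to"] = t[i + 1]
    return r

def egress(routes, rules, src, dst):
    """Return (egress interface, source address the destination will see) for one packet."""
    iface, _gw = lookup(routes, dst)
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in map(parse_rule, rules):  # first matching rule in POSTROUTING wins
        skip = (r["src"] is not None and s not in r["src"]) or (r["not_dst"] is not None and d in r["not_dst"])
        if skip or (r["out"] is not None and r["out"] != iface): continue
        if r["target"] == "SNAT": return iface, r["to"]
        if r["target"] == "MASQUERADE": return iface, IFACE_ADDR[iface]
    return iface, src  # no NAT: 10.0.0.2 sees 10.8.0.4 and replies via the LAN gateway's static route
```

For the packet 10.8.0.4 → 10.0.0.2, `egress` returns ('eth0', '10.117.226.35') with SUSPECT_RULES, ('eth0', '10.0.0.56') with LAN_MASQ_RULES and ('eth0', '10.8.0.4') with no rules; on the real host, `iptables-save -t nat` (or `nft list ruleset`) shows which POSTROUTING rule is actually in force.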

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client and Server on the same machine to bypass NAT

Post by TinCanTech » Thu Mar 04, 2021 9:11 pm

caedium wrote (Thu Mar 04, 2021 7:33 pm):
> A host in the LAN acts as the OpenVPN server listening on a port forwarded from the public static IP of the commercial VPN

How have you done that?

caedium
OpenVpn Newbie
Posts: 7
Joined: Thu Mar 04, 2021 7:22 pm

Re: Client and Server on the same machine to bypass NAT

Post by caedium » Thu Mar 04, 2021 10:06 pm

TinCanTech wrote (Thu Mar 04, 2021 9:11 pm):
> caedium wrote (Thu Mar 04, 2021 7:33 pm):
> > A host in the LAN acts as the OpenVPN server listening on a port forwarded from the public static IP of the commercial VPN
> How have you done that?

On this host (10.0.0.56) I have an OpenVPN client that establishes the connection with the commercial VPN:

	dev tun
	proto udp
	remote <obscured_public_static_ip> 443

Now if a remote host calls <obscured_public_static_ip>:<forwarded_port>, the call is forwarded to the 10.117.226.X address of the host 10.0.0.56, on the tun0 interface created by the OpenVPN client.

I then configured an OpenVPN server listening on the local address 10.117.226.X:<forwarded_port>:

	;local 10.117.226.39 ;;; the local IP is commented because it's dynamic, but this is the subnet that receives the connection
	port 18914 ;;; <forwarded_port>
	proto udp
	dev tun

The host 10.0.0.56 ends up with these interfaces:

	eth0: inet 10.0.0.56  netmask 255.255.255.0  broadcast 10.0.0.255
	tun0: inet 10.117.226.28  netmask 255.255.254.0  destination 10.117.226.28
	tun1: inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client and Server on the same machine to bypass NAT

Post by TinCanTech » Thu Mar 04, 2021 10:25 pm

What I mean is: did you configure the commercial VPN yourself?

caedium
OpenVpn Newbie
Posts: 7
Joined: Thu Mar 04, 2021 7:22 pm

Re: Client and Server on the same machine to bypass NAT

Post by caedium » Thu Mar 04, 2021 10:29 pm

No, I just used a client.conf automatically built by them, pointing to the static IP. The server is in the cloud, handled by them; I only have its IP and a conf to connect to it.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client and Server on the same machine to bypass NAT

Post by TinCanTech » Thu Mar 04, 2021 10:48 pm

caedium wrote (Thu Mar 04, 2021 7:33 pm):
> I need to connect to a LAN behind a NAT over which I have no control, so I came up with this solution: exposing an OpenVPN private server through a commercial VPN static IP.

All you need is for the client behind the NAT to connect to your server, the rest of your plan makes no sense ..

caedium
OpenVpn Newbie
Posts: 7
Joined: Thu Mar 04, 2021 7:22 pm

Re: Client and Server on the same machine to bypass NAT

Post by caedium » Fri Mar 05, 2021 7:40 am

TinCanTech wrote (Thu Mar 04, 2021 10:48 pm):
> caedium wrote (Thu Mar 04, 2021 7:33 pm):
> > I need to connect to a LAN behind a NAT over which I have no control, so I came up with this solution: exposing an OpenVPN private server through a commercial VPN static IP.
> All you need is for the client behind the NAT to connect to your server, the rest of your plan makes no sense ..

The client may or may not be behind a NAT; it's irrelevant. What matters is that the server is behind a NAT, and I can't remove it or port forward any port to the server. That's why I need to connect to the external server with a static IP: I'm using the port forward of the commercial VPN as a door for my VPN server; without it I have no way to get to the server in the LAN.

I'm very open to any better solution that may be thought of; this is just the idea I came up with to circumvent my NAT problem.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client and Server on the same machine to bypass NAT

Post by TinCanTech » Fri Mar 05, 2021 4:09 pm

Re-locate your server .. most people just rent a VPS.

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Client and Server on the same machine to bypass NAT

Post by 300000 » Sat Mar 06, 2021 5:48 pm

It can be done quite simply, but doing it this way is not good if someone is working in a company and can set up a link going outside and download data from the company to home. If this server is in your home and you control it, nothing is wrong. But if it is controlled by someone else, you should ask that person first to let the communication go through.

You can connect to a server inside a LAN that can't be NATed from the router, but why can't you control the router at all? Is this server inside somewhere or at your home?

caedium
OpenVpn Newbie
Posts: 7
Joined: Thu Mar 04, 2021 7:22 pm

Re: Client and Server on the same machine to bypass NAT

Post by caedium » Sat Mar 06, 2021 6:31 pm

The server is in my home LAN, but I have a NAT imposed by my ISP, which won't grant me any port forward or direct public IP.

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Client and Server on the same machine to bypass NAT

Post by 300000 » Sat Mar 06, 2021 6:56 pm

It is quite simple if you do it this way: you can connect from anywhere outside to your server and to every device inside your LAN.

Rent a host on the internet. They have static IPs, so every client can connect to it. Install OpenVPN on that host acting as the OpenVPN server, and set up a site-to-site link from your home to the hosted server, so when you go outside you can have more than one client connect to the rented host and then reach every client in your LAN.

I am running it right now, so whenever I need to check the camera at home I can connect to it, and to everything else I want, with ease.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client and Server on the same machine to bypass NAT

Post by TinCanTech » Sat Mar 06, 2021 7:21 pm

In summary:

How you are doing it:
  • Have a VPN provider forward a port over another VPN to your home server.
    Pros: None.
    Cons: VPN inside a VPN will cause you no end of bother due to double encapsulation.
How most people do it:
  • Rent a VPS with a public IP and have your Home LAN connected as a client.
    Pros: Successfully bypasses NAT and exposes your home LAN to your VPS-based VPN.
    Cons: I am not sure which solution costs more money but I know which one works best.
Up to you what you choose to do..

caedium
OpenVpn Newbie
Posts: 7
Joined: Thu Mar 04, 2021 7:22 pm

Re: Client and Server on the same machine to bypass NAT

Post by caedium » Sat Mar 06, 2021 8:20 pm

Got it, message received. I was trying to find a solution using the tools I'm already paying for, but if that's unanimously crazy I'll stop wasting my time on it.

I'm right now using an SSH tunnel over that VPN port forward, instead of the additional VPN, but given that it's a less than ideal solution I'll sooner or later decide to spend some money and rent a VPS.

Thank you anyway for your replies

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client and Server on the same machine to bypass NAT

Post by TinCanTech » Sat Mar 06, 2021 8:55 pm

TinCanTech wrote (Sat Mar 06, 2021 7:21 pm):
> In summary:
>
> How you are doing it:
>   • Have a VPN provider forward a port over another VPN to your home server.
>     Pros: None.
>     Cons: VPN inside a VPN will cause you no end of bother due to double encapsulation.

caedium wrote (Sat Mar 06, 2021 8:20 pm):
> I was trying to find a solution using the tools I'm already paying for

Fair enough.

caedium wrote (Sat Mar 06, 2021 8:20 pm):
> I'm right now using an SSH tunnel over that VPN port forward, instead of the additional VPN

Presuming I understand you correctly, forwarding a VPN over SSH is still a pain in the proverbial because you are still double encapsulating ..

I am surprised it works well enough for you to be able to use it, reliably .. :geek:

caedium
OpenVpn Newbie
Posts: 7
Joined: Thu Mar 04, 2021 7:22 pm

Re: Client and Server on the same machine to bypass NAT

Post by caedium » Sat Mar 06, 2021 11:14 pm

TinCanTech wrote (Sat Mar 06, 2021 8:55 pm):
> I am surprised it works well enough for you to be able to use it, reliably .. :geek:

Actually it's too early to know for sure; this NAT mess is pretty new. I've been facing it since a few days ago, when I changed ISP. Before, I could port forward and was relying on a simple L2TP VPN directly through the LAN router... keeping my fingers crossed.

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Client and Server on the same machine to bypass NAT

Post by 300000 » Sun Mar 07, 2021 12:12 am

You don't need any port forward at all and can connect to it from outside whenever you like ..

Running OpenVPN over SSH slows it down a lot. It is double encapsulation, only used when you are behind the Chinese firewall and all other options are not available.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client and Server on the same machine to bypass NAT

Post by TinCanTech » Sun Mar 07, 2021 12:28 am

300000 wrote (Sun Mar 07, 2021 12:12 am):
> You don't need any port forward at all and can connect to it from outside whenever you like

It is like, you are not even trying any more .. :(

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Client and Server on the same machine to bypass NAT

Post by 300000 » Sun Mar 07, 2021 12:40 am

TinCanTech wrote (Sun Mar 07, 2021 12:28 am):
> 300000 wrote (Sun Mar 07, 2021 12:12 am):
> > You don't need any port forward at all and can connect to it from outside whenever you like
> It is like, you are not even trying any more .. :(

Let's say I am running it right now and connecting to it is as simple as it should be. It is quite simple indeed.

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Client and Server on the same machine to bypass NAT

Post by 300000 » Sun Mar 07, 2021 12:44 am

300000 wrote (Sun Mar 07, 2021 12:40 am):
> TinCanTech wrote (Sun Mar 07, 2021 12:28 am):
> > 300000 wrote (Sun Mar 07, 2021 12:12 am):
> > > You don't need any port forward at all and can connect to it from outside whenever you like
> > It is like, you are not even trying any more .. :(
> Let's say I am running it right now and connecting to it is as simple as it should be. It is quite simple indeed.

Let's say I have set up a connection and have been running it for some time. Connecting to it is as simple as it should be. It is quite simple indeed.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client and Server on the same machine to bypass NAT

Post by TinCanTech » Sun Mar 07, 2021 12:59 am

Whatever you are doing has nothing to do with this thread .. as is painfully obvious.

Unless of course you are NAT punching ... :lol:
