To NAT or not to NAT
Posted: Tue Aug 14, 2012 4:10 am
We have a working OpenVPN server (not AS) that served our needs, but we decided to upgrade to AS because we wanted to easily manage user groups/roles and define what network segments certain users can see, etc., especially for contractors.
In getting the server set up, in VPN Config, the _ONLY_ way I have any connectivity to my private subnets (connecting from the internet, wanting access to intranet/private LANs directly available on the VPN server host) is if I use NAT. The problem with NAT is that using services inside makes all traffic look like it comes from the VPN server host, rendering it useless for auditing, accountability, troubleshooting who's who, etc., and as a provider for security-conscious clients, this is a DOA situation.
When I use "routing/advanced" and put in, say, 10.10.0.0/24 and 10.10.1.0/24, the routes are pushed and made available to the clients (checking with `netstat -rn`), but there is no traffic going through. I have also tried adding these forcibly in the Advanced VPN routing textbox, and in the per-group options. However, even with no groups or users defined in AS (we have LDAP set up for auth), it never works--only NAT. In the routing case, I can ping the gateway address from the client, but am not routed elsewhere.
What kills me is that the free, old reliable OpenVPN server installed from packages does routed connectivity (VPN server given IP, config pushes route to client, proper flow of traffic) to internal segments flawlessly. If we can't get this simplest of setups going, I'm going to feel really stupid for having bought our licenses on the hopes we'd have _complex_ user/group-defined roles when it's not doing what the free one does out of the box.
Please help! Let me know what you'd want to know/see config-wise and I'll post it. Thanks so much!
--E
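Added example (not part of the post above, and not OpenVPN AS code): a routed-mode (no-NAT) reachability checklist for an OpenVPN server on Linux, written as shell functions that take captured command output as input so it can be run offline against saved output from the server and from a LAN host. In routed mode a client can always ping the server's own tunnel address, so that ping proves nothing about the path beyond it; the three things that have to be true for traffic to reach an internal subnet are kernel forwarding on the server, a FORWARD chain that lets tun traffic through, and a return route on the internal hosts (or their gateway) for the VPN client pool pointing back at the VPN server's LAN address. The VPN client pool 172.27.224.0/20, the server LAN address 10.10.0.5, the interface names tun0/eth0, and all sample outputs are assumptions constructed for this example.

```shell
#!/bin/sh
# Routed-mode (no NAT) reachability checks for a Linux OpenVPN server.
# Every check takes captured text as an argument instead of running the
# command itself, so the logic can be exercised against saved output.
# Subnet, addresses and interface names below are assumed, not from the post.

VPN_CLIENT_NET="172.27.224.0/20"   # assumed VPN client address pool
VPN_SERVER_LAN_IP="10.10.0.5"       # assumed LAN-side address of the VPN server

# Check 1: kernel forwarding on the VPN server.
# Argument: contents of /proc/sys/net/ipv4/ip_forward (or `sysctl -n net.ipv4.ip_forward`).
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Check 2: the server's FORWARD chain lets tunnel traffic through.
# Argument: output of `iptables -S FORWARD`. Accepts either a permissive
# policy or an explicit ACCEPT rule for packets arriving on tun0.
forward_rules_ok() {
    printf '%s\n' "$1" | grep -q -- '-P FORWARD ACCEPT' ||
    printf '%s\n' "$1" | grep -q -- '-A FORWARD -i tun0 .*-j ACCEPT'
}

# Check 3: the internal host (or its default gateway) knows the way back.
# Argument: output of `ip route` on a LAN host or on the LAN gateway.
# Without this route replies go to the LAN's default gateway, which usually
# discards them, and the VPN client sees "ping the gateway works, nothing else".
return_route_ok() {
    printf '%s\n' "$1" | grep -qF "$VPN_CLIENT_NET via $VPN_SERVER_LAN_IP"
}

# Run the checks in the order the packet travels and report the first failure.
# Arguments: ip_forward text, FORWARD chain text, LAN-side route table text.
# Prints one of: ip_forward, firewall, return-route, ok
diagnose() {
    if ! forwarding_enabled "$1"; then echo "ip_forward"; return; fi
    if ! forward_rules_ok "$2"; then echo "firewall"; return; fi
    if ! return_route_ok "$3"; then echo "return-route"; return; fi
    echo "ok"
}

# ---- constructed sample inputs (not captured from a real system) ----
SAMPLE_IP_FORWARD="1"
SAMPLE_FORWARD_RULES="-P FORWARD DROP
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT"
# An internal host that has never been told about the VPN pool:
SAMPLE_LAN_HOST_ROUTES="default via 10.10.0.1 dev eth0
10.10.0.0/24 dev eth0 proto kernel scope link src 10.10.0.20"
# The same host after `ip route add 172.27.224.0/20 via 10.10.0.5` (assumed):
SAMPLE_LAN_HOST_ROUTES_FIXED="default via 10.10.0.1 dev eth0
10.10.0.0/24 dev eth0 proto kernel scope link src 10.10.0.20
172.27.224.0/20 via 10.10.0.5 dev eth0"

echo "before return route: $(diagnose "$SAMPLE_IP_FORWARD" "$SAMPLE_FORWARD_RULES" "$SAMPLE_LAN_HOST_ROUTES")"
echo "after return route:  $(diagnose "$SAMPLE_IP_FORWARD" "$SAMPLE_FORWARD_RULES" "$SAMPLE_LAN_HOST_ROUTES_FIXED")"
```

Feed the functions real output (`cat /proc/sys/net/ipv4/ip_forward`, `iptables -S FORWARD` on the VPN server, `ip route` on an internal host) to find which hop drops the traffic. The return-route check is the one NAT hides: with NAT the replies are addressed to the server's LAN IP and need no extra route, which is why NAT mode works while routed mode stalls on the first hop past the server, at the cost of losing the real client source address in internal logs.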