
Need help/opinion with 1:1 NAT setup

Posted: Wed Jul 20, 2022 7:10 am
by tke13
Hello,

I have got the following situation:
- There is an OpenVPN server in AWS (private network: 172.24.0.0/24)
- There is an OpenVPN client on a remote site-1 (private network 192.168.0.0/24)
- There is an OpenVPN client on a remote site-2 (private network 192.168.0.0/24)
- There is an application within AWS (IP: 172.24.0.10)
- There is a server-1 on remote site-1 (IP: 192.168.0.10)
- There is a server-2 on remote site-2 (IP: 192.168.0.10)
- FW on remote site can't be accessed/configured
- Application needs to access server-1 on remote site-1
- Application needs to access server-2 on remote site-2

Now with just one remote site I could use plain routing to make this work (reverse VPN).
However, if I want to add a second remote site-2 with the same IP range as remote site-1 (192.168.0.0) and the application needs to access both sites, this will lead to a routing conflict.
I have searched and read something about 1:1 NAT, so that for example I can NAT 192.168.0.0 on remote site-2 to 10.10.0.0/24 and the application on AWS can reach server-2 on remote site-2 with IP 10.10.0.10 (instead of 192.168.0.10).

Is this correct?
Is there any information on how to set this up?

Kind regards,
tke

Re: Need help/opinion with 1:1 NAT setup

Posted: Fri Jul 22, 2022 2:31 pm
by openvpn_inc
Hi tke,

Opinion? Yuck! It is absolutely not correct.

How (and more importantly, WHY) do you expect to be able to route from one 192.168.0.0/24 to another, different 192.168.0.0/24?
tke13 wrote (Wed Jul 20, 2022 7:10 am):
- FW on remote site can't be accessed/configured

Why not? This is garbage. Consider replacing it with something not braindead. But anyway, you CAN change the subnet on the other site. Do that.

Web searches often have the problem you found: someone who knows very little about a subject shares their thoughts on how to address an issue. 1:1 NAT is a very bad idea. IP routing is simple and it works, as long as routers on each side of the VPN tunnel know to go through the tunnel to get to the remote site. Likewise the VPN server needs to know where to route each network.

If you are still constrained to do things the wrong way, the best hope for you is the OpenVPN Cloud service. It actually offers the feature of being able to route from one overlapping network segment to another. It does this through DNS tricks for the VPN clients and behind-the-scenes routing magic.

regards, rob0

Re: Need help/opinion with 1:1 NAT setup

Posted: Sat Apr 29, 2023 6:08 pm
by Killer2600
1:1 NAT is a very bad idea
Why is it a very bad idea to implement a feature that OpenVPN itself has built-in (client-nat)?
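As an added illustration, not code from the thread or from OpenVPN itself, here is a small Python model of the 1:1 NAT idea tke13 describes (and of what OpenVPN's client-nat directive or the iptables NETMAP target does at the site-2 tunnel endpoint). It assumes site-2 is aliased to 10.10.0.0/24 while site-1 stays directly routed; the tunnel names and packet layout are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed from the thread's topology: AWS is 172.24.0.0/24 and both remote
# sites use 192.168.0.0/24; site-2 is reached through the alias 10.10.0.0/24.
AWS_NET = ipaddress.ip_network("172.24.0.0/24")
LAN = ipaddress.ip_network("192.168.0.0/24")        # real LAN prefix at both sites
SITE2_ALIAS = ipaddress.ip_network("10.10.0.0/24")  # site-2 as seen from AWS
ip = ipaddress.ip_address

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address

def build_routes(site2_prefix=LAN):
    """VPN server routing table {prefix: tunnel}. With site2_prefix left at the
    real LAN prefix, both tunnels claim 192.168.0.0/24: the routing conflict."""
    routes = {AWS_NET: "local", LAN: "tun-site1"}
    if site2_prefix in routes:
        raise ValueError(f"overlapping route for {site2_prefix}")
    routes[site2_prefix] = "tun-site2"
    return routes

def routing_conflict_without_nat():
    try:
        build_routes()
        return False
    except ValueError:
        return True

def lookup(routes, dst):
    """Longest-prefix match, the rule every forwarding table applies."""
    matches = [net for net in routes if dst in net]
    return routes[max(matches, key=lambda n: n.prefixlen)] if matches else None

def netmap(addr, from_net, to_net):
    """1:1 translation: keep the host bits, swap only the network bits."""
    if addr not in from_net or from_net.prefixlen != to_net.prefixlen:
        raise ValueError("address outside mapped prefix or prefix sizes differ")
    return to_net.network_address + (int(addr) - int(from_net.network_address))

def site2_from_tunnel(pkt):
    """Traffic from AWS arriving at the site-2 client: DNAT the alias destination
    to the real LAN address (10.10.0.10 becomes 192.168.0.10)."""
    return replace(pkt, dst=netmap(pkt.dst, SITE2_ALIAS, LAN))

def site2_to_tunnel(pkt):
    """Replies from the site-2 LAN: SNAT the source back to the alias so the AWS
    application sees the answer come from 10.10.0.10, the address it used."""
    return replace(pkt, src=netmap(pkt.src, LAN, SITE2_ALIAS))
```

Without the alias, build_routes() fails because two tunnels claim the same prefix; with it, the server has one unambiguous route per site and only the site-2 endpoint needs to translate.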