OpenVPN Support Forum

Community Support Forum
https://forums.openvpn.net/

OpenVPN server behind NAT - private source IP in status/log

https://forums.openvpn.net/viewtopic.php?t=35808

Page 1 of 1

OpenVPN server behind NAT - private source IP in status/log

Posted: Mon Jun 05, 2023 2:18 pm
by tuxmartin
Hello, I have an OpenVPN server in LAN behind NAT.
There is my setup:

Server (public IP) --DNAT--> ovpn server (lan, private ip)
1.2.3.4 (10.0.0.1) --DNAT--> (10.0.0.2)

My clients connect to the server public IP, which DNAT port UDP 1194 to LAN to ovpn virtual with private IP. If I look at the openvpn status/log, all clients have the private IP of my server (10.0.0.1) as source IP. So logs are useless.
How can I fix it? For example HTTP has X-Real-IP/X-Forwarded-For headers which can solve it. But I need to learn how to fix it on OpenVPN.

Re: OpenVPN server behind NAT - private source IP in status/log

Posted: Mon Jun 05, 2023 9:46 pm
by volleynbike
It sounds like there is more than just DNAT happening. If it were only DNAT, the src ip would still be the client's internet ip. Maybe there is some other NAT command that is also picking up these packets? We do something similar, and our logs show the clients src address.

Re: OpenVPN server behind NAT - private source IP in status/log

Posted: Tue Jun 06, 2023 12:19 am
by tuxmartin
It's my firewall on server with public IP:

Code: Select all

iptables -t nat -A PREROUTING -i vmbr0  -p udp --dport 1194 -j DNAT --to-destination 10.0.0.2:1194
iptables -A FORWARD -i vmbr0  -p udp --dport 1194 -d 10.0.0.2 -j ACCEPT
and config of my OpenVPN server in virtual server 10.0.0.2:

Server Config
# This is a comment
port 1194
proto udp
dev-type tun
dev ovpn_xxx
mode server
tls-server
ifconfig 10.99.88.1 255.255.255.0
ifconfig-pool 10.99.88.100 10.99.88.200 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
topology subnet
push "topology subnet"
explicit-exit-notify 1
ca /etc/openvpn/ssl/ca.crt
cert /etc/openvpn/ssl/server.crt
key /etc/openvpn/ssl/server.key
dh /etc/openvpn/ssl/dh.pem
crl-verify /etc/openvpn/ssl/crl.pem
tls-server
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
client-config-dir /etc/openvpn/ccd

client-to-client
keepalive 10 60
persist-key
persist-tun
status /var/run/openvpn-xxx.status 5
log-append /var/log/openvpn/xxx.com.log
verb 3
duplicate-cn

script-security 2
client-connect /etc/openvpn/connect.sh

push "route-gateway 10.99.88.1"
route-gateway 10.99.88.1
push "route-metric 555"
route-metric 555
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/