[Firewall] Unwanted NAT on OpenVPN connection

Sebastian Suchanek sebastian.suchanek at gmx.de
Fri Oct 14 21:00:57 CEST 2016


Am 13.10.2016 um 21:31 schrieb Lonnie Abelbeck:
> On Oct 13, 2016, at 1:09 PM, Sebastian Suchanek <sebastian.suchanek at gmx.de> wrote:
>> Am 12.10.2016 um 22:26 schrieb Lonnie Abelbeck:

Hi Lonnie!

>>>> INT_IF="eth0 tun0"
>>>> INTERNAL_NET="10.1.0.0/16 10.2.0.0/16 10.255.1.0/24"
>>> 
>>> I'm a little puzzled why you have three subnets off two interfaces, how is 10.2.0.0/16 attached to the interfaces ?
>> 
>> - 10.1.0.0/16 is the LAN physically connected to the server.
>> 
>> - 10.255.1.0/24 is the internal transfer net of the OpenVPN system.
>>  (In case you're not familiar with OpenVPN: it uses an internal
>>  transfer net with its own IP range to route traffic from one VPN peer
>>  to another. Usually, this is transparent to the routed traffic.)
>> 
>> - 10.2.0.0/16 is a LAN a second location which is connected via an
>>  OpenVPN connection. So far, this is the only remote LAN, but more
>>  might follow in the future.
> 
> Ahhh, this is a remote subnet via OpenVPN. Then 10.2.0.0/16 should
> not be part of INTERNAL_NET on the server,

OK - also see below.

> instead define it using "ccd" files in OpenVPN so it is routed ...

That's done already. IMHO, without these settings in OpenVPN, the access
between the two LANs wouldn't work at all. (With or without NAT'ing.)

> [OpenVPN]
> BTW, I use "topology subnet".

In my OpenVPN configuration the "topology" parameter isn't set
explicitly, so OpenVPN should default to net30.

>> 
>> But inspired by your question, I've just changed my configuration to
>> 
>> | [...]
>> | INTERNAL_NET="10.1.0.0/16 10.2.0.0/16 10.255.1.0/24"
>> | [...]
> 
> That looks the same as you had before. ??

Stupid copy&paste mistake, sorry. I meant:

| [...]
| INTERNAL_NET="10.1.0.0/16"
| [...]


>> It seems that the NAT'ing of accesses from the remote 10.2.0.0/16 LAN to
>> the local 10.1.0.0/16 LAN is gone now, but so far I'm not yet sure for
>> the opposite direction. Hopefully I can test this in more depth during
>> the upcoming weekend...

In the meantime, I've done some more testing: at least when accessing
the respective "remote" OpenVPN machine from any LAN host, the
"original" LAN IP is used as the source IP. So far, I've not tested host
to host accross the VPN, because I don't have suitable "test target"
systems at hand.
But at least the current status quo (after changing the INTERNAL_NET
parameter) is better than before, so thank you for yor help so far. :-)


Best regards

Sebastian



More information about the Firewall mailing list