NAT Reflection on openVPN does not work #6662

Closed
JochenKorge opened this issue Jul 11, 2023 · 4 comments
Labels: support (Community support)

@JochenKorge

Hi,
I'm currently struggling to get NAT reflection working for OpenVPN road warrior access.

What do I need?
DMZ and LAN, same rules for LAN->DMZ as from WAN (does Work).
NAT Reflection allowed us, to get rid of the public zone in our internal DNS-Server (it resolves to the public address and NAT-Reflection does the rest) => Easy, no double DNS, no double Rules for WAN and LAN

OpenVPN without redirect Gateway works fine with this setup.

Management for the DMZ was possible through a separate VPN using internal IPs only.

Now we need another VPN, that works from LAN and WAN, that is allowed to access Administrative Ports in the DMZ.

We had some Admin-Services available from WAN with a Source IP Filter in Place.
When we just build the same NAT-PortForward rules with Source Filter "IP_AdminVPN" it does not work.

We see the packets [SYN] from the OpenVPN client to the WAN IP with tcpdump on the ovpns interface, but they seem to vanish. They don't show up on any other interface and they don't show up in the firewall logs. So they get silently discarded.

Connecting to the firewall itself via the WAN IP is possible from the VPN when we redirect the gateway or add the WAN subnet to "IPv4 Local Network". Otherwise, we try to connect to the FW from some "unauthorized" IP. So the "Don't RDR and allow traffic from IP" rule seems to work.

Running:
OPNsense 23.1.11-amd64
openvpn 2.6.5

Any Idea?

@AdSchellevis AdSchellevis added the support Community support label Jul 11, 2023
@Monviech Monviech mentioned this issue Jul 27, 2023

Monviech commented Jul 28, 2023

While I don't understand your exact setup with the info you provided, I have tested NAT reflection with OpenVPN and "redirect gateway" enabled, since redirect gateway seems to result in your problem.

Connection is between an OPNsense 23.1.11 and an android phone with OpenVPN Connect Client 3.3.4

Configuration OpenVPN Server: (three screenshots, not reproduced here)

Firewall Configuration: (two screenshots, not reproduced here)

Firewall - NAT and Policy Rules loaded, interfaces:

root@opn01:~ # ifconfig
pppoe1: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
	description: hn0_WAN_DSL (wan)
	inet6 fe80::215:5dff:fe00:c948%pppoe1 prefixlen 64 scopeid 0xf
	inet6 fe80::215:5dff:fe00:c950%pppoe1 prefixlen 64 scopeid 0xf
	inet6 XXX prefixlen 64 autoconf
	inet 80.151.XXX.XX --> 62.156.244.16 netmask 0xffffffff
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

ovpns1: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	inet6 fe80::215:5dff:fe00:c948%ovpns1 prefixlen 64 scopeid 0x11
	inet 10.0.8.1 netmask 0xffffff00 broadcast 10.0.8.255
	groups: tun openvpn
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
	Opened by PID 46713

hn7: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1492
	description: hn7_DMZ (opt1)
	options=180018<VLAN_MTU,VLAN_HWTAGGING,LINKSTATE,NETMAP>
	ether 00:15:5d:00:c9:53
	inet 10.0.0.254 netmask 0xffffff00 broadcast 10.0.0.255
	inet6 XXX prefixlen 64
	inet6 fe80::215:5dff:fe00:c953%hn7 prefixlen 64 scopeid 0xc
	media: Ethernet autoselect (10Gbase-T <full-duplex>)
	status: active
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Alias:
host_plesk__org = 10.0.0.203

root@opn01:~ # pfctl -s nat
nat log on pppoe1 inet from 10.0.8.0/24 to any -> (pppoe1:0) port 1024:65535
rdr log on openvpn inet proto tcp from any to (pppoe1) port = http -> <host_plesk__org> round-robin
rdr log on openvpn inet proto tcp from any to (pppoe1) port = https -> <host_plesk__org> round-robin
rdr log on openvpn inet proto tcp from any to (pppoe1) port = 8443 -> <host_plesk__org> round-robin
rdr log on openvpn inet proto tcp from any to (pppoe1) port = 8447 -> <host_plesk__org> round-robin
rdr log on openvpn inet proto udp from any to (pppoe1) port = http -> <host_plesk__org> round-robin
rdr log on openvpn inet proto udp from any to (pppoe1) port = https -> <host_plesk__org> round-robin
rdr log on openvpn inet proto udp from any to (pppoe1) port = 8443 -> <host_plesk__org> round-robin
rdr log on openvpn inet proto udp from any to (pppoe1) port = 8447 -> <host_plesk__org> round-robin
rdr log on pppoe1 inet proto tcp from any to (pppoe1) port = http -> <host_plesk__org> round-robin
rdr log on pppoe1 inet proto tcp from any to (pppoe1) port = https -> <host_plesk__org> round-robin
rdr log on pppoe1 inet proto tcp from any to (pppoe1) port = 8443 -> <host_plesk__org> round-robin
rdr log on pppoe1 inet proto tcp from any to (pppoe1) port = 8447 -> <host_plesk__org> round-robin
rdr log on pppoe1 inet proto udp from any to (pppoe1) port = http -> <host_plesk__org> round-robin
rdr log on pppoe1 inet proto udp from any to (pppoe1) port = https -> <host_plesk__org> round-robin
rdr log on pppoe1 inet proto udp from any to (pppoe1) port = 8443 -> <host_plesk__org> round-robin
rdr log on pppoe1 inet proto udp from any to (pppoe1) port = 8447 -> <host_plesk__org> round-robin

root@opn01:~ # pfctl -s rules
pass in log quick on openvpn inet proto tcp from any to <host_plesk__org> port = http flags S/SA keep state label 
pass in log quick on openvpn inet proto tcp from any to <host_plesk__org> port = https flags S/SA keep state label 
pass in log quick on openvpn inet proto tcp from any to <host_plesk__org> port = 8443 flags S/SA keep state label 
pass in log quick on openvpn inet proto tcp from any to <host_plesk__org> port = 8447 flags S/SA keep state label 
pass in log quick on openvpn inet proto udp from any to <host_plesk__org> port = http keep state label 
pass in log quick on openvpn inet proto udp from any to <host_plesk__org> port = https keep state label 
pass in log quick on openvpn inet proto udp from any to <host_plesk__org> port = 8443 keep state label 
pass in log quick on openvpn inet proto udp from any to <host_plesk__org> port = 8447 keep state label 
pass in log quick on pppoe1 reply-to (pppoe1 62.156.244.16) inet proto tcp from any to <host_plesk__org> port = http flags S/SA keep state label 
pass in log quick on pppoe1 reply-to (pppoe1 62.156.244.16) inet proto tcp from any to <host_plesk__org> port = https flags S/SA keep state label 
pass in log quick on pppoe1 reply-to (pppoe1 62.156.244.16) inet proto tcp from any to <host_plesk__org> port = 8443 flags S/SA keep state label 
pass in log quick on pppoe1 reply-to (pppoe1 62.156.244.16) inet proto tcp from any to <host_plesk__org> port = 8447 flags S/SA keep state label 
pass in log quick on pppoe1 reply-to (pppoe1 62.156.244.16) inet proto udp from any to <host_plesk__org> port = http keep state label 
pass in log quick on pppoe1 reply-to (pppoe1 62.156.244.16) inet proto udp from any to <host_plesk__org> port = https keep state label 
pass in log quick on pppoe1 reply-to (pppoe1 62.156.244.16) inet proto udp from any to <host_plesk__org> port = 8443 keep state label 
pass in log quick on pppoe1 reply-to (pppoe1 62.156.244.16) inet proto udp from any to <host_plesk__org> port = 8447 keep state label
pass in quick on openvpn inet all flags S/SA keep state label
pass in quick on pppoe1 reply-to (pppoe1 62.156.244.16) inet proto udp from any to (pppoe1) port = openvpn keep state label

TCPdump results

root@opn01:~ # tcpdump -i ovpns1 host 80.151.XXX.XX -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ovpns1, link-type NULL (BSD loopback), capture size 262144 bytes
09:56:22.468134 IP 10.0.8.2.40142 > 80.151.XXX.XX.8443: Flags [.], seq 1286736174:1286737554, ack 2633961161, win 305, options [nop,nop,TS val 3178592079 ecr 3824478650], length 1380
09:56:22.468319 IP 10.0.8.2.40142 > 80.151.XXX.XX.8443: Flags [P.], seq 1380:1698, ack 1, win 305, options [nop,nop,TS val 3178592079 ecr 3824478650], length 318
09:56:22.468618 IP 80.151.XXX.XX.8443 > 10.0.8.2.40142: Flags [.], ack 1698, win 499, options [nop,nop,TS val 3824512307 ecr 3178592079], length 0
09:56:22.555214 IP 80.151.XXX.XX.8443 > 10.0.8.2.40142: Flags [.], seq 1:1381, ack 1698, win 501, options [nop,nop,TS val 3824512394 ecr 3178592079], length 1380
09:56:22.555302 IP 80.151.XXX.XX.8443 > 10.0.8.2.40142: Flags [P.], seq 1381:2761, ack 1698, win 501, options [nop,nop,TS val 3824512394 ecr 3178592079], length 1380
09:56:22.555318 IP 80.151.XXX.XX.8443 > 10.0.8.2.40142: Flags [.], seq 2761:4141, ack 1698, win 501, options [nop,nop,TS val 3824512394 ecr 3178592079], length 1380
09:56:22.555332 IP 80.151.XXX.XX.8443 > 10.0.8.2.40142: Flags [P.], seq 4141:5521, ack 1698, win 501, options [nop,nop,TS val 3824512394 ecr 3178592079], length 1380
09:56:22.555352 IP 80.151.XXX.XX.8443 > 10.0.8.2.40142: Flags [.], seq 5521:6901, ack 1698, win 501, options [nop,nop,TS val 3824512394 ecr 3178592079], length 1380
09:56:22.555365 IP 80.151.XXX.XX.8443 > 10.0.8.2.40142: Flags [P.], seq 6901:8281, ack 1698, win 501, options [nop,nop,TS val 3824512394 ecr 3178592079], length 1380
09:56:22.555379 IP 80.151.XXX.XX.8443 > 10.0.8.2.40142: Flags [.], seq 8281:9661, ack 1698, win 501, options [nop,nop,TS val 3824512394 ecr 3178592079], length 1380
09:56:22.555393 IP 80.151.XXX.XX.8443 > 10.0.8.2.40142: Flags [P.], seq 9661:10670, ack 1698, win 501, options [nop,nop,TS val 3824512394 ecr 3178592079], length 1009

root@opn01:~ # tcpdump -i hn7 host 10.0.8.2 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on hn7, link-type EN10MB (Ethernet), capture size 262144 bytes
09:56:22.468170 IP 10.0.8.2.40142 > 10.0.0.203.8443: Flags [.], seq 1286736174:1286737554, ack 2633961161, win 305, options [nop,nop,TS val 3178592079 ecr 3824478650], length 1380
09:56:22.468289 IP 10.0.8.2.40142 > 10.0.0.203.8443: Flags [.], seq 0:1380, ack 1, win 305, options [nop,nop,TS val 3178592079 ecr 3824478650], length 1380
09:56:22.468331 IP 10.0.8.2.40142 > 10.0.0.203.8443: Flags [P.], seq 1380:1698, ack 1, win 305, options [nop,nop,TS val 3178592079 ecr 3824478650], length 318
09:56:22.468366 IP 10.0.8.2.40142 > 10.0.0.203.8443: Flags [P.], seq 1380:1698, ack 1, win 305, options [nop,nop,TS val 3178592079 ecr 3824478650], length 318
09:56:22.468594 IP 10.0.0.203.8443 > 10.0.8.2.40142: Flags [.], ack 1698, win 499, options [nop,nop,TS val 3824512307 ecr 3178592079], length 0
09:56:22.555179 IP 10.0.0.203.8443 > 10.0.8.2.40142: Flags [.], seq 1:1381, ack 1698, win 501, options [nop,nop,TS val 3824512394 ecr 3178592079], length 1380
09:56:22.555295 IP 10.0.0.203.8443 > 10.0.8.2.40142: Flags [P.], seq 1381:2761, ack 1698, win 501, options [nop,nop,TS val 3824512394 ecr 3178592079], length 1380
09:56:22.555314 IP 10.0.0.203.8443 > 10.0.8.2.40142: Flags [.], seq 2761:4141, ack 1698, win 501, options [nop,nop,TS val 3824512394 ecr 3178592079], length 1380
09:56:22.555328 IP 10.0.0.203.8443 > 10.0.8.2.40142: Flags [P.], seq 4141:5521, ack 1698, win 501, options [nop,nop,TS val 3824512394 ecr 3178592079], length 1380
09:56:22.555348 IP 10.0.0.203.8443 > 10.0.8.2.40142: Flags [.], seq 5521:6901, ack 1698, win 501, options [nop,nop,TS val 3824512394 ecr 3178592079], length 1380
09:56:22.555362 IP 10.0.0.203.8443 > 10.0.8.2.40142: Flags [P.], seq 6901:8281, ack 1698, win 501, options [nop,nop,TS val 3824512394 ecr 3178592079], length 1380
09:56:22.555375 IP 10.0.0.203.8443 > 10.0.8.2.40142: Flags [.], seq 8281:9661, ack 1698, win 501, options [nop,nop,TS val 3824512394 ecr 3178592079], length 1380
09:56:22.555389 IP 10.0.0.203.8443 > 10.0.8.2.40142: Flags [P.], seq 9661:10670, ack 1698, win 501, options [nop,nop,TS val 3824512394 ecr 3178592079], length 1009

Result:

DNAT Reflection with OpenVPN Road Warrior Setup and Redirect Gateway works for me.
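An added check, not part of this thread and not OPNsense code: it parses `pfctl -s nat` output in the format of the listing above and reports, for each forwarded service, which of the interfaces you expect to carry the reflection rule have no `rdr` line. A reflection rule present only on the WAN interface is exactly the situation where VPN clients connecting to the WAN address never get translated. The sample output is constructed from the listing above with the `openvpn` rule for tcp/8443 left out; the rdr line format and the interface names are assumptions taken from the listing.

```python
import re
from collections import defaultdict

# Matches one 'rdr' line as printed by `pfctl -s nat` (FreeBSD/OPNsense).
# Only the fields needed to identify a forwarded service are captured.
RDR_RE = re.compile(
    r"^rdr(?:\s+log)?\s+on\s+(?P<iface>\S+)\s+inet6?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\S+))?"
    r"\s+->\s+(?P<target>\S+)"
)


def parse_rdr_rules(pfctl_output):
    """Return one dict per rdr rule; nat/binat lines and blanks are skipped."""
    rules = []
    for line in pfctl_output.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def reflection_gaps(rules, required_ifaces):
    """Group rdr rules by forwarded service (proto, dst, port, target) and
    return {service: [interfaces that have no rdr rule for it]}.
    Only services with at least one gap are returned."""
    seen = defaultdict(set)
    for r in rules:
        seen[(r["proto"], r["dst"], r["port"], r["target"])].add(r["iface"])
    gaps = {}
    for key, ifaces in sorted(seen.items(), key=lambda kv: [str(x) for x in kv[0]]):
        missing = sorted(set(required_ifaces) - ifaces)
        if missing:
            gaps[key] = missing
    return gaps


# Constructed sample: the rule set from the thread reduced to two ports, with the
# openvpn-side rule for tcp/8443 deliberately missing.
SAMPLE = """\
nat log on pppoe1 inet from 10.0.8.0/24 to any -> (pppoe1:0) port 1024:65535
rdr log on openvpn inet proto tcp from any to (pppoe1) port = https -> <host_plesk__org> round-robin
rdr log on pppoe1 inet proto tcp from any to (pppoe1) port = https -> <host_plesk__org> round-robin
rdr log on pppoe1 inet proto tcp from any to (pppoe1) port = 8443 -> <host_plesk__org> round-robin
"""


def report(pfctl_output, required_ifaces=("pppoe1", "openvpn")):
    """Print one line per service with a missing reflection rule and return the gaps."""
    gaps = reflection_gaps(parse_rdr_rules(pfctl_output), required_ifaces)
    for (proto, dst, port, target), missing in gaps.items():
        print(f"{proto}/{port} {dst} -> {target}: no rdr on {', '.join(missing)}")
    return gaps


if __name__ == "__main__":
    # On a live box: report(subprocess.check_output(["pfctl", "-s", "nat"], text=True))
    report(SAMPLE)
```

Run it against the real `pfctl -s nat` output and an empty result means every forwarded service has a rule on every interface you listed; the interface group name (`openvpn`) is what pf prints for rules bound to the OpenVPN group, so that is the name to require rather than `ovpns1`.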


Monviech commented Jul 28, 2023

Here's an additional test where I use SNAT to replace the OpenVPN IP Address 10.0.8.2/32 of the client with the firewall interface IP address of the DMZ net 10.0.0.254/32. This rule will circumvent restrictive source IP firewall rules on host firewalls, that would only allow the DMZ net 10.0.0.0/24 but not the OpenVPN Net 10.0.8.0/24.

(screenshot of the SNAT rule, not reproduced here)

tcpdump opnsense

root@opn01:~ # tcpdump -i ovpns1 host 80.151.XXX.XX -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ovpns1, link-type NULL (BSD loopback), capture size 262144 bytes
11:38:59.093869 IP 10.0.8.2.41398 > 80.151.XXX.XX.8443: Flags [.], seq 3290472573:3290473953, ack 4119601043, win 242, options [nop,nop,TS val 3182444327 ecr 2120310626], length 1380
11:38:59.093934 IP 10.0.8.2.41398 > 80.151.XXX.XX.8443: Flags [P.], seq 1380:1698, ack 1, win 242, options [nop,nop,TS val 3182444327 ecr 2120310626], length 318
11:38:59.094417 IP 80.151.XXX.XX.8443 > 10.0.8.2.41398: Flags [.], ack 1698, win 501, options [nop,nop,TS val 2120319800 ecr 3182444327], length 0
11:38:59.183235 IP 80.151.XXX.XX.8443 > 10.0.8.2.41398: Flags [.], seq 1:1381, ack 1698, win 501, options [nop,nop,TS val 2120319889 ecr 3182444327], length 1380
11:38:59.183272 IP 80.151.XXX.XX.8443 > 10.0.8.2.41398: Flags [P.], seq 1381:2761, ack 1698, win 501, options [nop,nop,TS val 2120319889 ecr 3182444327], length 1380
11:38:59.183287 IP 80.151.XXX.XX.8443 > 10.0.8.2.41398: Flags [.], seq 2761:4141, ack 1698, win 501, options [nop,nop,TS val 2120319889 ecr 3182444327], length 1380
11:38:59.183300 IP 80.151.XXX.XX.8443 > 10.0.8.2.41398: Flags [P.], seq 4141:5521, ack 1698, win 501, options [nop,nop,TS val 2120319889 ecr 3182444327], length 1380
11:38:59.183313 IP 80.151.XXX.XX.8443 > 10.0.8.2.41398: Flags [.], seq 5521:6901, ack 1698, win 501, options [nop,nop,TS val 2120319889 ecr 3182444327], length 1380
11:38:59.183325 IP 80.151.XXX.XX.8443 > 10.0.8.2.41398: Flags [P.], seq 6901:8281, ack 1698, win 501, options [nop,nop,TS val 2120319889 ecr 3182444327], length 1380
11:38:59.183415 IP 80.151.XXX.XX.8443 > 10.0.8.2.41398: Flags [.], seq 8281:9661, ack 1698, win 501, options [nop,nop,TS val 2120319889 ecr 3182444327], length 1380
11:38:59.183440 IP 80.151.XXX.XX.8443 > 10.0.8.2.41398: Flags [P.], seq 9661:10671, ack 1698, win 501, options [nop,nop,TS val 2120319889 ecr 3182444327], length 1010
11:38:59.226880 IP 10.0.8.2.41398 > 80.151.XXX.XX.8443: Flags [.], ack 1381, win 248, options [nop,nop,TS val 3182444467 ecr 2120319889], length 0
11:38:59.226930 IP 10.0.8.2.41398 > 80.151.XXX.XX.8443: Flags [.], ack 2761, win 253, options [nop,nop,TS val 3182444474 ecr 2120319889], length 0
11:38:59.233430 IP 10.0.8.2.41398 > 80.151.XXX.XX.8443: Flags [.], ack 4141, win 259, options [nop,nop,TS val 3182444475 ecr 2120319889], length 0
11:38:59.233496 IP 10.0.8.2.41398 > 80.151.XXX.XX.8443: Flags [.], ack 5521, win 265, options [nop,nop,TS val 3182444475 ecr 2120319889], length 0
11:38:59.233517 IP 10.0.8.2.41398 > 80.151.XXX.XX.8443: Flags [.], ack 6901, win 270, options [nop,nop,TS val 3182444475 ecr 2120319889], length 0
11:38:59.233535 IP 10.0.8.2.41398 > 80.151.XXX.XX.8443: Flags [.], ack 8281, win 276, options [nop,nop,TS val 3182444475 ecr 2120319889], length 0
11:38:59.233553 IP 10.0.8.2.41398 > 80.151.XXX.XX.8443: Flags [.], ack 9661, win 282, options [nop,nop,TS val 3182444475 ecr 2120319889], length 0
11:38:59.233574 IP 10.0.8.2.41398 > 80.151.XXX.XX.8443: Flags [.], ack 10671, win 287, options [nop,nop,TS val 3182444475 ecr 2120319889], length 0

tcpdump plesk server

root@plesk:/home/administrator# tcpdump -i any host 10.0.0.254 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
11:38:59.088414 IP 10.0.0.254.59254 > 10.0.0.203.8443: Flags [P.], seq 3290472573:3290474271, ack 4119601043, win 242, options [nop,nop,TS val 3182444327 ecr 2120310626], length 1698
11:38:59.088523 IP 10.0.0.203.8443 > 10.0.0.254.59254: Flags [.], ack 1698, win 501, options [nop,nop,TS val 2120319800 ecr 3182444327], length 0
11:38:59.177246 IP 10.0.0.203.8443 > 10.0.0.254.59254: Flags [P.], seq 1:2761, ack 1698, win 501, options [nop,nop,TS val 2120319889 ecr 3182444327], length 2760
11:38:59.177275 IP 10.0.0.203.8443 > 10.0.0.254.59254: Flags [P.], seq 2761:5521, ack 1698, win 501, options [nop,nop,TS val 2120319889 ecr 3182444327], length 2760
11:38:59.177394 IP 10.0.0.203.8443 > 10.0.0.254.59254: Flags [P.], seq 5521:8281, ack 1698, win 501, options [nop,nop,TS val 2120319889 ecr 3182444327], length 2760
11:38:59.177416 IP 10.0.0.203.8443 > 10.0.0.254.59254: Flags [P.], seq 8281:10671, ack 1698, win 501, options [nop,nop,TS val 2120319889 ecr 3182444327], length 2390
11:38:59.221357 IP 10.0.0.254.59254 > 10.0.0.203.8443: Flags [.], ack 1381, win 248, options [nop,nop,TS val 3182444467 ecr 2120319889], length 0
11:38:59.221357 IP 10.0.0.254.59254 > 10.0.0.203.8443: Flags [.], ack 2761, win 253, options [nop,nop,TS val 3182444474 ecr 2120319889], length 0
11:38:59.228000 IP 10.0.0.254.59254 > 10.0.0.203.8443: Flags [.], ack 4141, win 259, options [nop,nop,TS val 3182444475 ecr 2120319889], length 0
11:38:59.228000 IP 10.0.0.254.59254 > 10.0.0.203.8443: Flags [.], ack 5521, win 265, options [nop,nop,TS val 3182444475 ecr 2120319889], length 0
11:38:59.228000 IP 10.0.0.254.59254 > 10.0.0.203.8443: Flags [.], ack 6901, win 270, options [nop,nop,TS val 3182444475 ecr 2120319889], length 0
11:38:59.228000 IP 10.0.0.254.59254 > 10.0.0.203.8443: Flags [.], ack 8281, win 276, options [nop,nop,TS val 3182444475 ecr 2120319889], length 0
11:38:59.228000 IP 10.0.0.254.59254 > 10.0.0.203.8443: Flags [.], ack 9661, win 282, options [nop,nop,TS val 3182444475 ecr 2120319889], length 0
11:38:59.228000 IP 10.0.0.254.59254 > 10.0.0.203.8443: Flags [.], ack 10671, win 287, options [nop,nop,TS val 3182444475 ecr 2120319889], length 0

SNAT to create a Hairpin NAT Reflection also works in combination with OpenVPN.
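An added example, not from the thread: the two captures above only prove the hairpin works if the segments seen on ovpns1 and the segments seen on the Plesk server are the same packets. This script pairs segments across two `tcpdump -n` captures on fields pf does not rewrite (TCP flags, seq/ack, window and the timestamp option) and derives how each endpoint appears on the other side of the firewall, which makes the DNAT (WAN address to 10.0.0.203) and the SNAT (10.0.8.2 to 10.0.0.254 with a new source port) visible in one mapping. The sample lines are constructed from the captures above with the redacted WAN address replaced by the documentation address 203.0.113.10; the tcpdump line format is assumed to be the one shown in the thread.

```python
import re

# One `tcpdump -n` line for a TCP segment with the timestamp option present.
PKT_RE = re.compile(
    r"^(?P<time>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>[\d:]+))?, ack (?P<ack>\d+), win (?P<win>\d+)"
    r".*?TS val (?P<tsval>\d+) ecr (?P<tsecr>\d+)"
)


def parse_tcpdump(text):
    """Return one dict per parsable segment; host and port are split apart."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["src"], d["sport"] = d["src"].rsplit(".", 1)
        d["dst"], d["dport"] = d["dst"].rsplit(".", 1)
        pkts.append(d)
    return pkts


def infer_translation(inside, outside):
    """Pair segments from the VPN-side capture with segments from the DMZ-side
    capture using fields NAT never rewrites, and return
    {endpoint as seen on ovpns1: endpoint as seen on the server}.
    Raises if the same endpoint maps to two different addresses."""
    def key(p):
        return (p["flags"], p["seq"], p["ack"], p["win"], p["tsval"], p["tsecr"])

    index = {key(p): p for p in outside}
    mapping = {}
    for p in inside:
        q = index.get(key(p))
        if q is None:          # coalesced (GRO) or unmatched segment, skip it
            continue
        for side in ("src", "dst"):
            before = f"{p[side]}:{p[side[0] + 'port']}"
            after = f"{q[side]}:{q[side[0] + 'port']}"
            prev = mapping.setdefault(before, after)
            if prev != after:
                raise ValueError(f"ambiguous translation for {before}: {prev} vs {after}")
    return mapping


# Constructed sample: three ACK segments from each capture in the thread,
# 203.0.113.10 standing in for the redacted WAN address.
INSIDE = """\
11:38:59.094417 IP 203.0.113.10.8443 > 10.0.8.2.41398: Flags [.], ack 1698, win 501, options [nop,nop,TS val 2120319800 ecr 3182444327], length 0
11:38:59.226880 IP 10.0.8.2.41398 > 203.0.113.10.8443: Flags [.], ack 1381, win 248, options [nop,nop,TS val 3182444467 ecr 2120319889], length 0
11:38:59.226930 IP 10.0.8.2.41398 > 203.0.113.10.8443: Flags [.], ack 2761, win 253, options [nop,nop,TS val 3182444474 ecr 2120319889], length 0
"""
OUTSIDE = """\
11:38:59.088523 IP 10.0.0.203.8443 > 10.0.0.254.59254: Flags [.], ack 1698, win 501, options [nop,nop,TS val 2120319800 ecr 3182444327], length 0
11:38:59.221357 IP 10.0.0.254.59254 > 10.0.0.203.8443: Flags [.], ack 1381, win 248, options [nop,nop,TS val 3182444467 ecr 2120319889], length 0
11:38:59.221357 IP 10.0.0.254.59254 > 10.0.0.203.8443: Flags [.], ack 2761, win 253, options [nop,nop,TS val 3182444474 ecr 2120319889], length 0
"""

if __name__ == "__main__":
    for before, after in infer_translation(parse_tcpdump(INSIDE), parse_tcpdump(OUTSIDE)).items():
        print(f"{before} appears on the server as {after}")
```

Segments that the server's NIC has coalesced (the 1698- and 2760-byte ones in the Plesk capture) simply find no partner and are skipped; the pure ACKs are enough to recover both rewrites. The timestamp option is the strongest of the matched fields because its values are chosen by the endpoints, not by the firewall.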

@NunoHiggs

Sorry about butting in the chat, but I solved my issue by having this configured like this: (screenshot, not reproduced here)

@JochenKorge

Sorry for the delayed reply. I was on vacation and I feel pretty stupid... Forgot to add the OpenVPN interface to the NAT rule :(
It works now. Thanks for the hint
