NAT Reflection on openVPN does not work #6662
Comments
While I don't understand your exact setup with the info you provided, I have tested NAT reflection with OpenVPN and "redirect gateway" enabled, since redirect gateway seems to result in your problem. Connection is between an OPNsense 23.1.11 and an Android phone with OpenVPN Connect Client 3.3.4. Firewall - NAT and policy rules loaded, interfaces:
TCPdump results
Result: DNAT Reflection with OpenVPN Road Warrior Setup and Redirect Gateway works for me.
Here's an additional test where I use SNAT to replace the OpenVPN IP address 10.0.8.2/32 of the client with the firewall interface IP address of the DMZ net, 10.0.0.254/32. This rule will circumvent restrictive source IP firewall rules on host firewalls that would only allow the DMZ net 10.0.0.0/24 but not the OpenVPN net 10.0.8.0/24.
tcpdump opnsense
tcpdump plesk server
SNAT to create a Hairpin NAT Reflection also works in combination with OpenVPN.
Sorry for the delayed reply. I was on vacation and I feel pretty stupid... Forgot to add the OpenVPN interface to the NAT rule :(
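The three situations this thread walks through (port-forward rule not bound to the OpenVPN interface, rule bound but the DMZ host's own firewall only trusting 10.0.0.0/24, and the hairpin SNAT from the second comment) can be modelled in a few lines. This is an added illustration, not OPNsense or pf code; the public WAN address and the DMZ server address are constructed placeholders, the 10.0.8.2 client and 10.0.0.254 DMZ interface addresses come from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses modelled on the thread; WAN_IP and DMZ_HOST are placeholders.
WAN_IP = ip_address("203.0.113.10")     # placeholder for the firewall's public address
DMZ_HOST = ip_address("10.0.0.20")      # constructed DMZ server (the "plesk server")
FW_DMZ_IP = ip_address("10.0.0.254")    # DMZ interface address quoted in the thread
VPN_CLIENT = ip_address("10.0.8.2")     # OpenVPN client address quoted in the thread


def reflect(pkt, rdr_interfaces, snat=False):
    """Model the firewall path for a packet arriving on an interface.

    rdr_interfaces: the interfaces the port-forward (rdr) rule is bound to.
    snat: whether an outbound NAT rule rewrites the source to the DMZ
          interface address (the hairpin SNAT from the second comment).
    Returns (action, packet); action is 'forwarded' or 'dropped'.
    """
    if pkt["dst"] != WAN_IP:
        return "forwarded", pkt          # not a reflection case, routed normally
    if pkt["in_if"] not in rdr_interfaces:
        # No rdr match: the SYN stays addressed to the firewall's own WAN IP from a
        # source the WAN-side rules do not allow, so it never reaches any other interface.
        return "dropped", pkt
    out = dict(pkt, dst=DMZ_HOST, out_if="dmz")
    if snat:
        out["src"] = FW_DMZ_IP           # hairpin: host sees the DMZ interface address
    return "forwarded", out


def host_firewall_accepts(pkt, allowed=(ip_network("10.0.0.0/24"),)):
    """Restrictive host firewall on the DMZ server: a source-network allow list."""
    return any(pkt["src"] in net for net in allowed)


def trace(in_if, rdr_interfaces, snat=False):
    """Follow one SYN from the VPN client to the WAN IP and report where it ends up."""
    pkt = {"src": VPN_CLIENT, "dst": WAN_IP, "in_if": in_if, "dport": 443}
    action, out = reflect(pkt, rdr_interfaces, snat)
    if action == "dropped":
        return "dropped at firewall"
    return "accepted by host" if host_firewall_accepts(out) else "rejected by host firewall"
```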
Hi,
I'm currently struggling to get NAT Reflection working for OpenVPN Road Warrior access.
What do I need?
DMZ and LAN, same rules for LAN->DMZ as from WAN (does Work).
NAT Reflection allowed us to get rid of the public zone in our internal DNS server (it resolves to the public address and NAT Reflection does the rest) => easy, no double DNS, no double rules for WAN and LAN.
OpenVPN without redirect Gateway works fine with this setup.
Management for the DMZ was possible through a separate VPN using internal IPs only.
Now we need another VPN, that works from LAN and WAN, that is allowed to access Administrative Ports in the DMZ.
We had some Admin-Services available from WAN with a Source IP Filter in Place.
When we just build the same NAT-PortForward rules with Source Filter "IP_AdminVPN" it does not work.
We see the packets [SYN] from the OpenVPN client to the WAN IP with tcpdump on the ovpns interface, but they seem to vanish. They don't show up on any other interface and they don't show up in the firewall logs. So they get silently discarded.
Connecting to the firewall itself via the WAN IP is possible from the VPN when we Redirect Gateway or add the WAN subnet to "IPv4 Local Network". Otherwise, we try to connect to the FW from some "unauthorized" IP. So the "Don't RDR and allow traffic from IP" rule seems to work.
Running:
OPNsense 23.1.11-amd64
openvpn 2.6.5
Any Idea?