Hi, I'm trying this setup on image. When the laptop accesses the Internet, I see on the server that 192.168.182.0/24 is NATted on the tunnel (10.0.0.0/29). How can I avoid this NAT? I would like to see the network 192.168.182.0/24 on the server.
I'm using an OpenVPN connection to the server.
Do you control both the server and the client? The server would need to have a route to the 192.168.182.0/24 network in order for this to work.
Also, if you control both, you may want to consider WireGuard which is both easier to configure and more performant.
If the OpenVPN server knows the return route for 192.168.182.0/24 via the VPN, you can disable NAT on the client side.
For OpenVPN this is somewhat more work than just adding a static route; the OpenVPN server needs specific instructions about which client it has to use.
This is from my notes (it is some time ago that I used it; nowadays I use WireGuard for this, which is easier to set up and much faster):
Site-to-site

In a setup where a single server can handle many clients, it is sometimes necessary to set per-client options that overrule the global options, or to add extra options to a particular client. The option client-config-dir is very useful for this. It allows the VPN administrator to assign a specific IP address to a client, to push specific options such as a DNS server to a particular client, or to temporarily disable a client altogether.

This option is also vital if you want to route a subnet from the server side to the client side. Add to the OpenVPN server's config file:

#set option for CCD dir in openvpn config:
client-config-dir /etc/openvpn/ccd

This example has the LAN subnet of the server as 192.168.6.0/24; the LAN subnet of the client is 172.18.18.0/24.

Push the server-side LAN subnet to clients by adding redirect default gateway, or:
push "route 192.168.6.0 255.255.255.0 vpn_gateway"

Instruct the server to add a route to the client-side LAN for all local server-side clients:
route 172.18.18.0 255.255.255.0 vpn_gateway

From the command line:
#Make ccd directory
mkdir /etc/openvpn/ccd
#Make DEFAULT file which is used if no named file is used, so suitable for just one VPN client
touch /etc/openvpn/ccd/DEFAULT
#Add iroute to DEFAULT ccd file (the client LAN from this example, 172.18.18.0/24)
echo "iroute 172.18.18.0 255.255.255.0" > /etc/openvpn/ccd/DEFAULT

Firewall
The firewall on the client side must be set up as if it is an OpenVPN server, so with ACCEPT on INPUT and FORWARD and no masquerading.
DEFAULT client only works if there is only one client. If the server serves multiple clients, certificate authentication must be used with a unique certificate for each client. The CN of the certificate matches the file name for that client in the ccd.
Thanks for emphasising that; it is also in my notes but perhaps not very clear.
Yes, the server has a route to the LAN on the client, which is an OpenWrt router. The server is a VyOS-based OS, and it has limited support for OpenVPN.
But I think that the configuration that I need must be only on the client side.
A few things need to be in place... but like @egc, I don't entirely remember the process for OpenVPN.
- The client must have a deterministic IP address for the OpenVPN tunnel. This is likely a server-side configuration.
- The server side router must have a static route defined for the client's LAN (i.e. 192.168.182.0/24 via 10.0.0.2).
- Server side firewall must allow the necessary routing.
- Client side routing table must use 10.0.0.1 as its gateway for whatever traffic should flow over the tunnel.
- Client side firewall must have the tunnel in a firewall zone that has masquerading disabled.
- Client side firewall must allow the desired routing.
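The server-side pieces from egc's notes (client-config-dir, iroute, and the matching route line) applied to the subnets in this thread, as an added example that is not code from any poster: a POSIX shell script that writes the per-client ccd file and checks that server.conf carries the route line each iroute needs, which is the usual cause of one-way traffic. The CN openwrt-site, the file paths and the use of topology subnet are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the server-side config pieces for
# routing a client LAN over OpenVPN without NAT and checks them for consistency.
# From the thread: tunnel 10.0.0.0/29 (server 10.0.0.1, client 10.0.0.2),
# client LAN 192.168.182.0/24. Assumed: client cert CN "openwrt-site", the
# paths below, and "topology subnet" in server.conf (for this ifconfig-push form).
set -eu

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"
SERVER_CONF="${SERVER_CONF:-/etc/openvpn/server.conf}"

# Per-client file; its name must equal the CN in the client's certificate.
#   ifconfig-push -> deterministic tunnel address for this client
#   iroute        -> tells OpenVPN this client is the next hop for the LAN
write_ccd() {
    cn="$1"; lan_net="$2"; lan_mask="$3"; tun_ip="$4"; tun_mask="$5"
    mkdir -p "$CCD_DIR"
    {
        echo "ifconfig-push $tun_ip $tun_mask"
        echo "iroute $lan_net $lan_mask"
    } > "$CCD_DIR/$cn"
}

# iroute alone is not enough: the kernel also needs a "route" line in
# server.conf so packets for the LAN enter the tun interface. Returns 0 only
# if both the client-config-dir line and the matching route line are present.
check_server_conf() {
    lan_net="$1"; lan_mask="$2"
    grep -Eq "^client-config-dir[[:space:]]+$CCD_DIR" "$SERVER_CONF" || return 1
    grep -Eq "^route[[:space:]]+$lan_net[[:space:]]+$lan_mask" "$SERVER_CONF" || return 1
}

# Cross-check every iroute in the ccd dir against server.conf; prints each
# network that lacks a route line and returns 1 if any is missing.
check_iroutes() {
    rc=0
    for f in "$CCD_DIR"/*; do
        [ -f "$f" ] || continue
        while read -r key net mask; do
            [ "$key" = iroute ] || continue
            check_server_conf "$net" "$mask" \
                || { echo "no route line for $net $mask (from $f)"; rc=1; }
        done < "$f"
    done
    return $rc
}
# Usage: write_ccd openwrt-site 192.168.182.0 255.255.255.0 10.0.0.2 255.255.255.248
#        check_iroutes
```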