Why is openvpn traffic NATed?

I have been running OpenVPN with OpenWRT for a while in order to bridge my home with the office.

At home I have a network of 10.0.83.0/24 and at office I have a network of 10.0.10.0/24

Here is the config at office

proto tcp-server
dev-type tun
dev home_deadlock
ifconfig 10.8.0.1 10.8.0.2
route 10.0.83.0 255.255.255.0
secret home_deadlock.key

And here is the config at home

remote office.address.com
proto tcp-client
dev-type tun
dev home_deadlock
ifconfig 10.8.0.2 10.8.0.1
route 10.0.10.0 255.255.255.0
secret home_deadlock.key

In general this works great. I can reach all office computers from home, and I can reach all home computers from office. But there is a problem: it seems like the traffic is NATed or MASQUERADEd, so all traffic seems to come from either 10.8.0.2 or 10.8.0.1, which are the tunnel addresses.

I can't understand why there is NAT here. According to my understanding this is not something that OpenVPN is responsible for.

When running iptables -t nat -L -n -v on my home router I get among other things
Chain zone_home_deadlock_postrouting (1 references)
pkts bytes target prot opt in out source destination
19 1216 postrouting_home_deadlock_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for postrouting */
19 1216 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

How can I remove NAT, and why is the traffic NATed? I did not check NAT in Luci web interface except on WAN.

Justify....

If I run tcpdump on either side I can see that the source IP is 10.8.0.1 and 10.8.0.2 respectively.

uci show firewall; grep -v -e "^#" -e "^$" /etc/firewall.user

@vgaetera here is the output

root@OlssonGW:/etc/openvpn# uci show firewall; grep -v -e "^#" -e "^$" /etc/firewall.user
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fe80::/10'
firewall.@rule[3].src_port='547'
firewall.@rule[3].dest_ip='fe80::/10'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='lan'
firewall.@zone[2]=zone
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].name='home_deadlock'
firewall.@zone[2].network='home_deadlock'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[1].src='home_deadlock'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='home_deadlock'
firewall.@forwarding[2].src='lan'

iptables-save | grep -e MASQUERADE
grep -r -e home_deadlock -e MASQUERADE /etc

root@OlssonGW:/etc/openvpn# iptables-save | grep -e MASQUERADE
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
root@OlssonGW:/etc/openvpn# grep -r -e home_deadlock -e MASQUERADE /etc
/etc/config/firewall:	option name 'home_deadlock'
/etc/config/firewall:	option network 'home_deadlock'
/etc/config/firewall:	option src 'home_deadlock'
/etc/config/firewall:	option dest 'home_deadlock'
/etc/config/firewall:	option dest 'home_deadlock'
/etc/config/firewall:	option dest 'home_deadlock'
/etc/config/firewall:	option dest 'home_deadlock'
/etc/config/network:config interface 'home_deadlock'
/etc/config/network:	option ifname 'home_deadlock'
/etc/config/network:	option interface 'home_deadlock'
/etc/config/network:	option interface 'home_deadlock'
/etc/config/network:	option interface 'home_deadlock'
/etc/config/openvpn:config openvpn 'home_deadlock'
/etc/config/openvpn:	option config '/etc/openvpn/home_deadlock.conf'
grep: /etc/localtime: No such file or directory
/etc/modules.d/ipt-nat:ipt_MASQUERADE
grep: /etc/ppp/resolv.conf: No such file or directory
/etc/openvpn/home_deadlock.conf:dev home_deadlock
/etc/openvpn/home_deadlock.conf:secret home_deadlock.key
/etc/openvpn/home_deadlock.bup:dev home_deadlock
/etc/openvpn/home_deadlock.bup:secret home_deadlock.key

There's no other visible masquerading unless you use something like nftables.

I agree, so why is it like this?

I have not made any special configuration, it should be standard. I just installed OpenVPN and have been trying to make it connect the two sites, but something is making the traffic NATed in between. I don't know if OpenVPN is doing this or if it is OpenWRT.

Doesn't OpenVPN default to routing? IIRC there is a possibility to make it bridged.

Your OpenVPN site-to-site setup doesn't use the iroute option which is typically present and required in such cases and I'm not sure where to put it with no client-config-dir and certificates.
The tested and working configuration is here: server + client + site-to-site.

Thank you for the reply @vgaetera

So you are saying that unless I create certificates and create a client-config dir it is not possible to get this to work? Is there a reference to documentation somewhere that describes that OpenVPN will do NAT unless I use iroute? It would be very interesting to read more about this.

Kind regards
Jens

It is based on the official documentation.
By the way, are you sure there's no NAT on the other side?
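
An added example, not part of the original thread: a small shell check to run on each router, which lists the firewall zones that have masquerading configured (from `uci show firewall`) and the zones that have a live fw3 MASQUERADE rule (from `iptables-save`). The function names and the sample inputs are constructed for illustration, and the uci parser assumes anonymous zone sections (`firewall.@zone[N]`) as shown in the posted output.

```shell
#!/bin/sh
# Zones with masquerading enabled, read from `uci show firewall` on stdin.
# Assumes anonymous zone sections (firewall.@zone[N]...), as in the thread.
masq_zones_uci() {
    awk -F= '
        /^firewall\.@zone\[[0-9]+\]\.(name|masq)=/ {
            idx = $1
            sub(/^firewall\.@zone\[/, "", idx)
            sub(/\].*$/, "", idx)
            val = $2
            gsub("\047", "", val)              # strip the single quotes
            if ($1 ~ /\.name$/) name[idx] = val
            if ($1 ~ /\.masq$/ && val == "1") masq[idx] = 1
        }
        END { for (i in masq) print ((i in name) ? name[i] : "zone[" i "]") }
    ' | sort
}

# Zones with a live MASQUERADE rule, read from `iptables-save` on stdin.
masq_zones_iptables() {
    sed -n 's/^-A zone_\(.*\)_postrouting .*-j MASQUERADE.*$/\1/p' | sort -u
}

# Constructed sample: zone lines as a router with NAT on the tunnel zone
# would show them (home_deadlock masq added here for illustration).
sample_uci() {
    cat <<'EOF'
firewall.@zone[0].name='lan'
firewall.@zone[1].name='wan'
firewall.@zone[1].masq='1'
firewall.@zone[2].name='home_deadlock'
firewall.@zone[2].masq='1'
EOF
}

# Constructed sample in iptables-save format, mirroring the posted rules.
sample_iptables() {
    cat <<'EOF'
-A zone_home_deadlock_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
EOF
}

# On a router: uci show firewall | masq_zones_uci
#              iptables-save -t nat | masq_zones_iptables
```

Each router masquerades independently, so the check has to be run on both ends of the tunnel; only `wan` should appear in either list if the tunnel zone is meant to be routed without NAT.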