OpenVPN Client trying to connect to a NATed Server IP
Hi,
I have this unusual setup: I have an OpenVPN server working pretty well.
All clients that I ever configured can connect instantly using the Public IP of the server in their "remote" line of the config files.
But the weird client is inside a big corporation which NATs any outside public IP to some of its internal IPs. And so, the "remote" line has to receive this internal IP and I think OpenVPN may be misled by, perhaps, the headers of the arriving packets.
Am I clear?
The openvpn server has IP 2xx.xxx.xxx.xx and the client, instead of putting this, is being forced to use
Code:
remote 172.xx.xxx.x
Do I need something other than the remote and port directives on the client side, maybe something more on the server side...? The openvpn --help output didn't tell me much about NAT.
Sounds like you are misunderstanding the network setup at that corporation. They are most likely using private address space and using NAT with port overload to connect out.
You should still use your normal IP to connect to your VPN server. I have used OpenVPN from behind NAT and I have had no problems. If the company is blocking ports however you can have a problem - you will need to establish what ports are permitted for outbound connections and work with those.
Even if they are permitting UDP/53 only, you can still set up a NAT rule at your server and translate traffic from that company to UDP/53 on your server to UDP/yourvpnport. Of course, that will only be fine if you are not running a DNS server on the VPN box.
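The server-side rule described in the reply above, as an added example that is not part of the original thread. It assumes OpenVPN listens on UDP 1194 and uses a placeholder source network (203.0.113.0/24) for the company's outbound address; it also checks the caveat from the post, refusing if something is already bound to UDP/53.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values:
VPN_PORT=1194               # assumed OpenVPN UDP port on the server
CLIENT_NET=203.0.113.0/24   # placeholder for the company's public source range

# Reads `ss -Hlun` style lines on stdin (local address:port in column 4).
# Succeeds if any socket is bound to the given UDP port.
udp_port_in_use() {
    awk -v p="$1" '
        { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit !found }'
}

# Prints the NAT rule that maps UDP/53 from the client network to the VPN port.
# Limiting it with -s keeps port 53 untouched for every other source.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -s %s -p udp --dport 53 -j REDIRECT --to-ports %s\n' \
        "$CLIENT_NET" "$VPN_PORT"
}

# Reads socket listing on stdin; prints the rule, or refuses if UDP/53 is taken
# (the post's caveat: this only works if no DNS server runs on the VPN box).
plan() {
    if udp_port_in_use 53; then
        echo "refuse: UDP/53 is already bound on this host (DNS server?)" >&2
        return 1
    fi
    redirect_rule
}

# Dry run against the live socket table: sh script.sh --plan
if [ "${1:-}" = "--plan" ]; then
    ss -Hlun | plan
fi
```

The script only prints the rule; review it and run the printed command as root to apply it.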
> Sounds like you are misunderstanding the network setup at that corporation. They are most likely using private address space and using NAT with port overload to connect out.
> You should still use your normal IP to connect to your VPN server.
Hi.
They are certainly using private range for their machines. But their network admins don't allow me to specify the real public destination IP (of my server). They are enforcing the NAT from the very beginning of the connection. The ports are surely allowed, as I see the connections arriving on my server. But it seems openvpn is misunderstanding the packets, maybe because it expects to see its own IP, but is seeing instead the NATed IP from my client's LAN.
> their network admins don't allow me to specify the real public destination IP (of my server).
> I see the connections arriving on my server. But it seems openvpn is misunderstanding the packets,
> maybe because it expects to see its own IP, but is seeing instead the NATed IP from my client's LAN.
These statements are a bit contradictory. How are the packets arriving at your machine if the client can't specify your IP address? Where is the translation from 172.xxxxx to 2xx.xxxxx happening?
> Where is the translation from 172.xxxxx to 2xx.xxxxx happening?
Inside their "blackbox" firewall/routers. I really can't figure out why, too.
I'm just trying to discover whether OpenVPN can work with that, because another VPN program which runs on the same machine and suffers the same kind of NAT (although from a different LAN IP to a different public IP) is working. And a telnet session that needs to use a third NAT to a third public IP is working too.
I must be misunderstanding something. You say that your client's config specifies your VPN server at 172.xxxxxxx. How are the packets arriving at your server which is at 2xx.xxxxxxx? There is no magic or mindreading in a router. How does the company's router know to translate any outgoing connection to 172.xxxxxx to a connection to 2xx.xxxxxxxx?
> I must be misunderstanding something. You say that your client's config specifies your VPN server at 172.xxxxxxx. How are the packets arriving at your server which is at 2xx.xxxxxxx? There is no magic or mindreading in a router. How does the company's router know to translate any outgoing connection to 172.xxxxxx to a connection to 2xx.xxxxxxxx?
You get it right! That "magic" is the thing I want to understand too. I don't know why nor how, but the company netadmins are doing it and it works for another two different connections. There's some NAT running at their routers.
Probably I'll need to give up and say to them that OpenVPN doesn't work this way.