LinuxQuestions.org
Old 04-30-2014, 03:38 PM   #1
oandarilho01
LQ Newbie
 
Registered: Sep 2013
Posts: 6

Rep: Reputation: Disabled
Question OpenVPN Client trying to connect to a NATed Server IP


Hi,

I have this unusual setup: I have an OpenVPN server working pretty well.
All clients that I ever configured can connect instantly using the Public IP of the server in their "remote" line of the config files.

But the weird client is inside a big corporation which NATs any outside public IP to some of its internal IPs. And so, the "remote" line has to receive this internal IP and I think OpenVPN may be misled by, perhaps, the headers of the arriving packets.

Am I clear?
The openvpn server has IP 2xx.xxx.xxx.xx and the client, instead of putting this, is being forced to use

Code:
remote 172.xx.xxx.x

Do I need something other than the remote and port directives on the client side, maybe something more on the server side...? The openvpn --help output didn't tell me much about NAT.

Any clues?

Thanks in advance
 
Old 05-01-2014, 08:19 AM   #2
nikmit
Member
 
Registered: May 2011
Location: Nottingham, UK
Distribution: Debian
Posts: 178

Rep: Reputation: 34
Sounds like you are misunderstanding the network setup at that corporation. They are most likely using private address space and using NAT with port overload to connect out.
You should still use your normal IP to connect to your VPN server. I have used OpenVPN from behind NAT and I have had no problems. If the company is blocking ports however you can have a problem - you will need to establish what ports are permitted for outbound connections and work with those.

Even if they are permitting UDP/53 only, you can still set up a NAT rule at your server and translate traffic from that company to UDP/53 on your server to UDP/yourvpnport. Of course, that will only be fine if you are not running a DNS server on the VPN box.
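
The server-side NAT rule described in reply #2, as an added example that is not part of nikmit's post. The source range 203.0.113.0/24 and the OpenVPN port 1194 are assumed placeholder values, and `build_redirect_rule` is a hypothetical helper that validates its inputs and only prints the `iptables` command for review.

```shell
#!/bin/sh
# Added example (not from the thread): build the redirect rule from reply #2.
# Assumptions: the company's public source range is the documentation prefix
# 203.0.113.0/24, the only permitted outbound port is UDP 53, and OpenVPN
# listens on UDP 1194 on the server.

# Succeed only for a decimal port number between 1 and 65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Succeed only for text made of digits, dots and a slash (IPv4 address or
# CIDR), so nothing else can end up inside the printed command line.
valid_source() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;
    esac
    return 0
}

# Print the iptables command that takes UDP packets from SRC_CIDR arriving on
# PERMITTED_PORT and delivers them to the local VPN_PORT instead.
# Restricting the match with -s keeps other clients' traffic to that port
# untouched. Caveat from the reply: a DNS server on the same box would no
# longer see port-53 queries from this source range.
build_redirect_rule() {
    src_cidr=$1
    permitted_port=$2
    vpn_port=$3
    valid_source "$src_cidr" || { echo "bad source range" >&2; return 1; }
    valid_port "$permitted_port" || { echo "bad permitted port" >&2; return 1; }
    valid_port "$vpn_port" || { echo "bad VPN port" >&2; return 1; }
    printf 'iptables -t nat -A PREROUTING -s %s -p udp --dport %s -j REDIRECT --to-ports %s\n' \
        "$src_cidr" "$permitted_port" "$vpn_port"
}

# Show the rule for the assumed values; an administrator reviews it and runs
# it as root on the VPN server.
build_redirect_rule 203.0.113.0/24 53 1194
```

Connection tracking reverses the translation on replies, so the client keeps seeing UDP/53 as the server's port and its config would use `port 53` with the server's normal public IP.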
 
Old 05-01-2014, 02:27 PM   #3
oandarilho01
LQ Newbie
 
Registered: Sep 2013
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by nikmit View Post
Sounds like you are misunderstanding the network setup at that corporation. They are most likely using private address space and using NAT with port overload to connect out.
You should still use your normal IP to connect to your VPN server.
Hi.
They are certainly using private range for their machines. But their network admins don't allow me to specify the real public destination IP (of my server). They are enforcing the NAT from the very beginning of the connection. The ports are surely allowed, as I see the connections arriving on my server. But it seems openvpn is misunderstanding the packets, maybe because it expects to see its own IP, but is seeing instead the NATed IP from my client's LAN.
 
Old 05-02-2014, 04:44 AM   #4
padeen
Member
 
Registered: Sep 2009
Location: Perth, W.A.
Distribution: Slackware, Debian, Gentoo, FreeBSD, OpenBSD
Posts: 208

Rep: Reputation: 41
Quote:
Originally Posted by oandarilho01 View Post

> their network admins don't allow me to specify the real public destination IP (of my server).

> I see the connections arriving on my server. But it seems openvpn is misunderstanding the packets,

> maybe because it expects to see its own IP, but is seeing instead the NATed IP from my client's LAN.
These statements are a bit contradictory. How are the packets arriving at your machine if the client can't specify your IP address? Where is the translation from 172.xxxxx to 2xx.xxxxx happening?
 
Old 05-02-2014, 06:54 AM   #5
oandarilho01
LQ Newbie
 
Registered: Sep 2013
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by padeen View Post
Where is the translation from 172.xxxxx to 2xx.xxxxx happening?
Inside their "blackbox" firewall/routers. I really can't figure out why, too.
I'm just trying to discover whether OpenVPN can work with that, because another VPN program which runs on the same machine and suffers the same kind of NAT (although from a different LAN IP to a different public IP) is working. And a telnet session that needs to use a third NAT to a third public IP is working too.
 
Old 05-02-2014, 11:13 PM   #6
padeen
Member
 
Registered: Sep 2009
Location: Perth, W.A.
Distribution: Slackware, Debian, Gentoo, FreeBSD, OpenBSD
Posts: 208

Rep: Reputation: 41
I must be misunderstanding something. You say that your client's config specifies your VPN server at 172.xxxxxxx. How are the packets arriving at your server which is at 2xx.xxxxxxx? There is no magic or mindreading in a router. How does the company's router know to translate any outgoing connection to 172.xxxxxx to a connection to 2xx.xxxxxxxx?
 
Old 05-03-2014, 12:49 PM   #7
oandarilho01
LQ Newbie
 
Registered: Sep 2013
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by padeen View Post
I must be misunderstanding something. You say that your client's config specifies your VPN server at 172.xxxxxxx. How are the packets arriving at your server which is at 2xx.xxxxxxx? There is no magic or mindreading in a router. How does the company's router know to translate any outgoing connection to 172.xxxxxx to a connection to 2xx.xxxxxxxx?
You get it right! That "magic" is the thing I want to understand too. I don't know why nor how, but the company netadmins are doing it and it works for another two different connections. There's some NAT running at their routers.

Probably I'll need to give up and say to them that OpenVPN doesn't work this way.
 
  

