WIKIABOUT

FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14455 questions

17168 answers

28195 comments

0 members

Most popular tags

rut955 rut240 rut950 rutx11 rms vpn to openvpn wifi not sms trb140 firmware connection - ipsec on rutx12 rutx09 modbus
We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.

Access OpenVPN's server LAN via NAT

0 votes
1,552 views 2 comments
by

Hello! I hope you are all doing well and I want to see if someone can shed some light in this issue I'm having.

From the documentation, it isn't clear to me how to proceed that's why I decided to ask a question.

I have the following setup:

LAN (192.168.1.X/24) <-> RUT240 (192.168.1.9/24) (OpenVPN server 172.42.0.0/24) <-> Internet <-> OpenVPN client (172.42.0.6/24)

My desire is simple: I want to be able to ping 192.168.1.X/24 range from 172.42.0.X/24 range NATing in 192.168.1.9.

To clarify even more with an example: I want to ping 192.168.1.11 from 172.42.0.6; 192.168.1.11 must receive the ICMP request from 192.168.1.9, 192.168.1.9 will have the reply from 192.168.1.11 and answer back to 172.42.0.6. And old as hell simple NAT, but just to be clear in what I want :-D

After reading the RUT240 documentation it's still yet not clear to me how to do this.

Once I've setup my OpenVPN server and pushed 192.168.1.0 routes to clients (via client config) I thought I had to do nothing more since I saw the following info in the Zone Forwarding config:

Which I understand as "all packets from OpenVPN interface going to LAN destination are forwarded with Masquerade (NAT)"

My general settings are:

I SSH'ed into RUT240 and executed:

iptables -t nat -L -n

I had in the output:

Chain POSTROUTING (policy ACCEPT)

target     prot opt source               destination         

postrouting_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for postrouting */

zone_lan_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

zone_wan_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

zone_wan_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

zone_vpn_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

zone_l2tp_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

zone_l2tp_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

zone_pptp_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

zone_gre_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

zone_hotspot_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

zone_hotspot_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

zone_hotspot_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

zone_hotspot_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

zone_sstp_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

zone_zero_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_vpn_postrouting (1 references)

target     prot opt source               destination         

postrouting_vpn_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for postrouting */

MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

With that in mind, shouldn't the RUT240 be making the desired NAT already? What's missing?

Many thanks in advance!!

1 Answer

0 votes
by anonymous

Hello,

I think you just need to add masquarade to LAN.

All packets going to OpenVPN interface are NAT'ed.

Which I understand as "all packets from OpenVPN interface going to LAN destination are forwarded with Masquerade (NAT)"

Best answer
by

Thanks a lot for your time to answer Simonas :-D

Indeed, your provided solution worked, once I activated such option I could ping the 192.168.1.0/24 range NATing with RUT240's LAN IP.
Still not clear to me why this was mandatory. If you have the chance to answer could you please elaborate on your answer? I'd be very grateful!

I also had in my RUT240 the "zero" destination for such option (see below)

Does it means 0.0.0.0? 

by anonymous
Masquerade is working on POSTROUTING chain.

It means that when you mark masquerading flag, packets leaving router in that zone are NAT'ed.

So if you ping from LAN to subnet in VPN (192.168.1.1 -> 172.42.0.6) NAT'ing occurs at VPN zone and leave router with 172.42.0.1->172.42.0.6

In your case you are pinging from 172.42.0.6->192.168.1.x, so packets are leaving router from LAN zone. And masquerading at LAN makes this 192.168.1.9->192.168.1.x

"zero" destination is name of zone. It does not mean 0.0.0.0 . There is some mistake I think.