0 votes
128 views 2 comments
by

I have a network set up like this, with hundreds of RUT-950s (all using the same network setup, 192.168.1.x) connecting to an OpenVPN server.

I can get the tunnel set up OK and the NAT working for 'normal' internet traffic, but can't figure out how to get a NAT working on the VPN tunnel to connect to the "service". Does anyone know how to get this setup working?

I don't even seem to be able to get the RUT to forward traffic to the VPN interface without enabling forwarding on a global firewall level.

1 Answer

0 votes
by

Hi,

Could you provide some additional details regarding your topology?  Are you wanting all network traffic to flow through the VPN tunnel and then routed out to the internet from the VPN server or routed to the “service”?  Is the OpenVPN Server a Teltonika router or do you have control over its VPN configurations? 

Traffic across the VPN tunnel from one private IP subnet to another private IP subnet does not necessarily need to have NAT applied unless they are the same subnets. You mentioned you have several routers configured with the same subnet; are they all connecting to this VPN server?

It may be that all traffic is going out to the internet before reaching the tunnel. Do you have routes configured to reach the LAN subnet the “service” is connected to? Could you provide a troubleshoot file for the Teltonika router?

Regards,

Jeremy

by

> Are you wanting all network traffic to flow through the VPN tunnel and then routed out to the internet from the VPN server or routed to the “service”?

No, just these specific private IP addresses.

> Is the OpenVPN Server a Teltonika router or do you have control over its VPN configurations?

It's an OpenVPN server that I control.

> Traffic across the VPN tunnel from one private IP subnet to another private IP subnet does not necessarily need to have NAT applied unless they are the same subnets. You mentioned you have several routers configured with the same subnet, are they all connecting to this VPN Server?

Yes, they are all connecting identically with the same IP addresses on the LAN.

> It may be that all traffic is going out to the internet before reaching the tunnel. Do you have routes configured to reach the LAN subnet the “service” is connected to?

It appears to be rejected coming from the LAN interface on the router.

> Could you provide troubleshoot file for the Teltonika router?

Sorry, I've reset it several times since.
I did get it working using these commands for a little bit:  https://community.teltonika-networks.com/49007/rut300-can-do-two-way-nat?show=49007#q49007
But once I reset the router, I lost whatever other config I had set up to get it working. I think it's to do with the zones and the VPN "interface" I had set up.

by

Hi,

Here is a link that is a very good resource for setting up OpenVPN.

https://openvpn.net/community-resources/expanding-the-scope-of-the-vpn-to-include-additional-machines-on-either-the-client-or-server-subnet/

On the OpenVPN server you need to have the command (push “route 172.16.x.y 255.255.x.x”).   This will allow the communication from your client LANs to the Service LAN.  The link provides some additional insight into creating routes from the service LAN to the client LAN.

I would also suggest changing the LAN interface's subnet to a unique subnet for each tunnel to stop any routing issues.

In the RUT950 device, when you set up the OpenVPN client (Services > VPN > OpenVPN), if you select TUN (tunnel) mode in the TUN/TAP option, then you will have the option to add the remote network IP address (the service subnet) and netmask. This will create a route through the tunnel to that remote LAN. Here is a link for additional information.

https://wiki.teltonika-networks.com/view/RUT950_VPN#OpenVPN_Client

Also, is there a reason you chose to leave the LAN interfaces the same on each router? If so, you could try to use TAP (bridged) mode. Not knowing the setup for your OpenVPN server, you would also need to change it to TAP (bridged) mode and enable a DHCP server on the server side. The link I provided to OpenVPN.net provides some additional information regarding some additional requirements. Here is another link that may help with the bridged mode.

https://wiki.teltonika-networks.com/wikibase/index.php?title=OpenVPN_configuration_examples&mobileaction=toggle_view_desktop


Regards,

Jeremy
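The two configuration pieces the thread circles around, as an added example that is not from the thread, from Teltonika or from OpenVPN: the server-side `push "route ..."` Jeremy describes, and a client-side (RUT) firewall zone for the tunnel that masquerades LAN traffic and grants `lan -> vpn` forwarding per zone rather than through the global forward policy. Masquerading on the tunnel zone is what makes hundreds of identical 192.168.1.x LANs usable: the service only ever sees each router's unique tunnel address. The third function shows the "two-way NAT" direction the asker linked to, a DNAT rule so the service can reach one LAN host via the router's tunnel address. Everything below is a placeholder or assumption: the service subnet 172.16.10.0/24, the tunnel pool 10.8.0.0/24, the `tun0` device, a UCI network interface named `vpn`, and that RutOS accepts stock OpenWrt UCI firewall syntax (`config zone`, `config forwarding`, `config redirect`).

```shell
#!/bin/sh
# Added example, not code from the thread or from Teltonika.
# Placeholders (constructed, not taken from the thread):
#   SERVICE_NET/MASK : the server-side subnet the "service" lives on
#   TUN_DEV          : OpenVPN tun device on the RUT
#   VPN_IFACE        : UCI network interface name wrapping TUN_DEV
# Assumption: RutOS accepts the stock OpenWrt UCI firewall syntax below.
SERVICE_NET="172.16.10.0"
SERVICE_MASK="255.255.255.0"
TUN_DEV="tun0"
VPN_IFACE="vpn"

# Server side (server.conf): push a route for the service subnet to every
# client, so LAN traffic for the service enters the tunnel instead of
# following the default route to the internet.
gen_server_push() {
    printf 'push "route %s %s"\n' "$SERVICE_NET" "$SERVICE_MASK"
}

# RUT side, /etc/config/network: give the tun device a UCI interface so a
# firewall zone can reference it. Without this the tunnel traffic belongs to
# no zone and falls under the global (reject) forward policy.
gen_rut_network() {
    cat <<EOF
config interface '${VPN_IFACE}'
	option proto 'none'
	option ifname '${TUN_DEV}'
EOF
}

# RUT side, /etc/config/firewall: a dedicated tunnel zone with masquerading
# (source NAT to the router's unique 10.8.0.x address) and an explicit
# lan->vpn forwarding, so the global forward default can stay REJECT.
gen_rut_firewall() {
    cat <<EOF
config zone
	option name '${VPN_IFACE}'
	option network '${VPN_IFACE}'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest '${VPN_IFACE}'
EOF
}

# Optional reverse direction ("two-way NAT"): the service connects to the
# router's tunnel address on port $1 and is redirected to LAN host $2:$3.
# Kept to one explicit host and port so only that host is exposed.
gen_rut_dnat() {
    port_in="$1"; lan_host="$2"; port_out="$3"
    cat <<EOF
config redirect
	option name 'service-to-lan-${port_in}'
	option target 'DNAT'
	option src '${VPN_IFACE}'
	option src_dport '${port_in}'
	option dest 'lan'
	option dest_ip '${lan_host}'
	option dest_port '${port_out}'
	option proto 'tcp'
EOF
}

# Sanity check: the zone must actually list the tunnel interface; a zone
# that references nothing is the usual cause of "rejected from LAN".
check_zone_covers_iface() {
    gen_rut_firewall | grep -q "option network '${VPN_IFACE}'"
}

# Usage: print all three fragments for review before applying them.
gen_server_push
gen_rut_network
gen_rut_firewall
gen_rut_dnat 2222 192.168.1.50 22
```

The generated text is meant to be pasted into the respective files and reloaded (`/etc/init.d/firewall restart` on OpenWrt-based systems); if the RUT web UI is used instead, the same three elements are what to look for: an interface bound to the tun device, a zone containing it with masquerading on, and a forwarding from `lan` to that zone.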