General Discussion / Outbound NAT from VPN clients
« on: March 17, 2020, 11:02:18 pm »
I have configured site-to-site IPsec from my LAN to a specific remote IP on the other end of the IPsec tunnel.
From the LAN network everything works fine.
I also have OpenVPN clients (road warrior setup) on a separate subnet. That OpenVPN subnet (tunnel network) cannot access the remote IP over IPsec directly. I can't change the IPsec configuration on the other end of the tunnel.
My idea was to try to configure Outbound NAT somehow in order to access the remote IP from the OpenVPN clients.
I added a FW rule on the OpenVPN "interface" to allow traffic from the OpenVPN subnet to the remote IP.
I also added the remote IP in the OpenVPN server config as "IPv4 Local Network" (/32).
I also added an Outbound NAT rule (manual generation) with the following parameters:
- Interface: LAN (also tried OpenVPN and IPsec interfaces)
- Source address: OpenVPN subnet (tunnel network)
- Destination address: remote IP address
- Translation/target: LAN address (also tried Interface address)
... but I can't find a setup that works. I would like to try to "cheat" the IPsec tunnel into allowing the OpenVPN client subnet access to the remote IP, without changing the IPsec configuration (I can't change the other side of the IPsec).
Looking in the Firewall log, all attempts to access the remote IP from the OpenVPN subnet go to the WAN interface.
Any idea? Is it possible at all?
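As an added illustration (not part of the post or of any firewall product's code) of why the log shows the traffic leaving via WAN: for a policy-based tunnel the kernel first matches the packet's untranslated source and destination against the phase-2 selectors, and interface-bound outbound NAT only rewrites packets that are already leaving through that interface. The topology, addresses and the assumed order of operations are constructed for the model; verify the order against your own platform's documentation.

```python
import ipaddress

# Constructed sample topology (assumption, not from the post).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
LAN_ADDR = "192.168.1.1"
OVPN_NET = ipaddress.ip_network("10.8.0.0/24")        # OpenVPN tunnel network
REMOTE_NET = ipaddress.ip_network("203.0.113.10/32")  # remote host behind IPsec

# Phase-2 selectors as agreed with the peer: only LAN <-> remote host is protected.
PHASE2 = [(LAN_NET, REMOTE_NET)]
# What the SPD would have to contain for OpenVPN clients to be encapsulated
# (this change needs the peer side to agree to the same selector).
WIDENED_PHASE2 = PHASE2 + [(OVPN_NET, REMOTE_NET)]

# The post's rule: interface LAN, source OpenVPN subnet, destination remote IP,
# translation LAN address. Rules are (interface, src_net, dst_net, target).
POSTED_RULE = [("lan", OVPN_NET, REMOTE_NET, LAN_ADDR)]

def spd_lookup(src, dst, phase2):
    """Simplified security-policy lookup: does any phase-2 selector cover (src, dst)?"""
    return any(src in local and dst in remote for local, remote in phase2)

def egress_interface(src, dst, phase2):
    """Policy-based IPsec (model): matching traffic is encapsulated; anything else
    follows the routing table, i.e. the default route out WAN for a public remote IP."""
    return "ipsec" if spd_lookup(src, dst, phase2) else "wan"

def outbound_nat(src, dst, egress, rules):
    """Interface-bound outbound NAT (model): a rule applies only to packets that are
    actually leaving via its interface, after the egress decision has been made."""
    for iface, src_net, dst_net, target in rules:
        if iface == egress and src in src_net and dst in dst_net:
            return target
    return str(src)

def trace(src, dst, rules, phase2=PHASE2):
    """Return (egress interface, source address as seen on the wire) for one packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = egress_interface(src, dst, phase2)
    return egress, outbound_nat(src, dst, egress, rules)

if __name__ == "__main__":
    print(trace("192.168.1.50", "203.0.113.10", POSTED_RULE))  # LAN host: encapsulated
    print(trace("10.8.0.6", "203.0.113.10", POSTED_RULE))      # OpenVPN client: goes to WAN,
                                                               # the LAN-bound rule never fires
    print(trace("10.8.0.6", "203.0.113.10", POSTED_RULE, WIDENED_PHASE2))  # only the SPD decides
```

Running the model for the posted rule shows the OpenVPN client packet never reaches a point where a LAN- or OpenVPN-bound NAT rule could rewrite it, which is consistent with the firewall log entries on WAN.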