Outbound NAT (SNAT) on the tunnel interface is not working

Started by ggriff, March 24, 2020, 07:21:19 AM

What I'm trying to achieve:
A client connected to the OpenVPN server can access other machines on the LAN.

Status:
The VPN client can connect and the LAN network is pushed to the client.
The routing table is set up correctly on the client: 192.168.16.0/24 -> 172.30.10.1


Problem:
When pinging a machine on the LAN network from the VPN client, the
ping reply can't be routed back because the traffic has a source IP of 172.30.10.X.
I have enabled outbound NAT on the TAP1 interface, but it is not overwriting the source IP?

Main Router
Public IP: 1.2.3.4
Port Forward 1194 to 192.168.12.177

OPNsense router: OPNsense 20.1.3-amd64
Server Mode: Remote Access (SSL/TLS)
Dev Mode: Tun
Topology: Subnet
WAN   192.168.12.177/24 (GW: 192.168.12.1)
LAN   192.168.16.25/24
TAP1   172.30.10.1/24

Outbound NAT rule (Hybrid Outbound NAT):
Interface:   TAP1
Source:      172.30.10.0/24
Destination:   LAN net
NAT Address:   LAN Address

tcpdump -i ovpns1:
16:19:52.669289 IP 172.30.10.2 > 192.168.16.222: ICMP echo request, id 1, seq 1447, length 40
16:19:57.526968 IP 172.30.10.2 > 192.168.16.222: ICMP echo request, id 1, seq 1448, length 40

Can anybody shed some light on this please?

Interface on outbound NAT should be LAN, always the leaving interface.

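The reply above and the rule posted in the question come down to one rule of packet processing: outbound NAT is evaluated on the interface a packet leaves through, which a route lookup on the destination decides, not on the interface it arrived on. The following added example (my own illustration, not code from the thread or from OPNsense) models that packet walk with the addresses posted in the thread. The interface names em0, em1 and ovpns1, the server routing table and the LAN host's routing assumptions are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the OPNsense box from the thread. The addresses are the
# ones posted; the interface names em0 (WAN), em1 (LAN) and ovpns1 (TAP1) are
# assumptions, as is the packet walk below, which imitates pf matching outbound
# NAT rules only against the interface the packet leaves through.
INTERFACES = {
    "em0": ipaddress.ip_interface("192.168.12.177/24"),   # WAN
    "em1": ipaddress.ip_interface("192.168.16.25/24"),    # LAN
    "ovpns1": ipaddress.ip_interface("172.30.10.1/24"),   # TAP1 (OpenVPN tun)
}

# Server routing table as (prefix, egress interface); default route via the main router.
ROUTES = [
    (ipaddress.ip_network("192.168.16.0/24"), "em1"),
    (ipaddress.ip_network("172.30.10.0/24"), "ovpns1"),
    (ipaddress.ip_network("192.168.12.0/24"), "em0"),
    (ipaddress.ip_network("0.0.0.0/0"), "em0"),
]


@dataclass
class NatRule:
    iface: str        # interface the rule is bound to (the "Interface" field in the GUI)
    src: str          # source network, e.g. "172.30.10.0/24"
    dst: str          # destination network ("LAN net")
    nat_to: str       # translation address ("LAN address")


def egress_interface(dst: str) -> str:
    """Longest-prefix match on ROUTES: which interface does the packet leave through?"""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in ROUTES if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def apply_outbound_nat(rules: list, src: str, dst: str) -> tuple:
    """Return (egress interface, source address as seen on the wire).

    Outbound NAT is evaluated against the egress interface only, so a rule
    bound to the tunnel interface never sees VPN traffic that leaves via LAN.
    """
    out_if = egress_interface(dst)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (rule.iface == out_if
                and s in ipaddress.ip_network(rule.src)
                and d in ipaddress.ip_network(rule.dst)):
            return out_if, rule.nat_to      # first matching rule wins
    return out_if, src                      # no match: source left untouched


def lan_host_can_reply(src_seen: str, lan_net: str = "192.168.16.0/24") -> bool:
    """Constructed assumption matching the thread: the LAN host has no route for
    172.30.10.0/24, so it can only answer a source that is on its own subnet."""
    return ipaddress.ip_address(src_seen) in ipaddress.ip_network(lan_net)


# The rule as first configured in the thread (bound to TAP1) and the corrected one (bound to LAN).
RULE_ON_TAP1 = NatRule("ovpns1", "172.30.10.0/24", "192.168.16.0/24", "192.168.16.25")
RULE_ON_LAN = NatRule("em1", "172.30.10.0/24", "192.168.16.0/24", "192.168.16.25")

if __name__ == "__main__":
    # Same echo request as in the posted tcpdump: 172.30.10.2 -> 192.168.16.222
    for label, rule in (("TAP1", RULE_ON_TAP1), ("LAN", RULE_ON_LAN)):
        out_if, src_seen = apply_outbound_nat([rule], "172.30.10.2", "192.168.16.222")
        print(f"rule on {label}: leaves via {out_if}, source on wire {src_seen}, "
              f"LAN host can reply: {lan_host_can_reply(src_seen)}")
```

Running it shows the TAP1-bound rule leaving the source as 172.30.10.2 (exactly what the posted tcpdump on ovpns1 shows, since that capture point is before the egress NAT decision anyway), while the LAN-bound rule rewrites it to 192.168.16.25, an address the LAN host can answer directly. The practical check that goes with this is to capture on the leaving interface (the LAN interface), not the tunnel: a source still reading 172.30.10.x there means the NAT rule did not match.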

@mimugmail Thank you very much! This works now!

Strange thing is, when I was still running OPNsense v19.7 I tried TAP1 & LAN as the interface and neither worked...