OpenVPN when accessing proxy server in LAN it sees the remote intenet IP

[K2Van]

I run an OpenVPN server instance, can connect and access both the local LAN and internet trough the VPN.

In the LAN I run an Nginx proxy server where certain services are limited to the local LAN. When connecting to the LAN via OpenVPN I can however not connect to the services that are limited to the local LAN (403 forbidden error) as it sees the remote internet IP instead of the VPN IP (I have set the VPN IP range set as allowed in Nginx proxy manager). The Nginx proxy manager logs show the remote internet IP.

Connecting directly to the IP:port of the proxied services does work as the VPN is functional. The services that are exposed to the internet can be accessed trough the proxy server as usual.

Is there a specific setting in OpenVPN to make it report the VPN IP?

[Saarbremer]

From the lack of information you provided here I could guess that you're using public DNS to connect to your proxy which resolves to the WAN IP and results in 403 due to NAT on the client's side. When you use the local IP of nginx you're routed through the tunnel and due to missing NAT everything works.

But again, I might be wrong as you do neither describe IP ranges, possible DNS resolutions nor IP protocols involved.

[K2Van]

It would help if I had a better idea where to start searching as that might give more detail but I lack knowledge here... Anyway I will try to answer your questions.

I am using ipv4 only, the vpn sends all traffic trough the tunnel. Hence the router's DNS is accessed by the VPN client (verified the log entries on the OPNsense box).
The proxy server uses my domain name to send traffic to the respective services. I want to be able to connect to the subdomains that are LAN only by connecting the VPN and tunneling traffic. The proxy server has the openVPN address range in it's allowed addresses. This has worked when I used a Raspberry to run the OpenVPN server and post routed the traffic on the rpi such that the IP the traffic came from was the rpi's lan address.

When I connect to the proxy (which is on the local LAN) from the internet a few services have their setting to allow incoming WAN connections and those are served. All other services are set to LAN + OpenVPN only and get a 403 as intended.

When I connect trough the OpenVPN tunnel I can access the services that are allowed from WAN but not the ones allowed from LAN only, these still get a 403.
The Unbound logs show the request with the clients VPN IP address as the source.
The logs of the Nginx proxy server show the WAN address from the location I al at even though I am connecting trough the VPN tunnel.
When i connect a service on the internet at the same time (myIP.com) this one shows my outgoing home WAN address and not the remote WAN address I am at. Hence traffic is routed trough the tunnel.

I can connect to all services when using their IP or .home.arpa addresses further confirming the connection trough the VPN is active.

I just realize I do set a bunch of headers on the proxy server:
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
These might well be overkill and cause the VPN to give the client IP instead of the VPN IP.

[viragomann]

The Unbound logs show the request with the clients VPN IP address as the source.
The logs of the Nginx proxy server show the WAN address from the location I al at even though I am connecting trough the VPN tunnel.

Yeah, so the requested host probably resolves to the WAN IP. But the WAN IP, which is the VPN client connected to is not routed via the VPN and cannot be due to plausible reasons.

Add host overrides for your services to your local DNS, so that the DNS server provides the local LAN IPs to the VPN clients.

[K2Van]

It seems my last post did not get actually posted...

When I run the exact same client export file on my Android phone (using the official OpenVPN connect app) I do get the behavior I expect: The DNS server logs the request as coming from the VPN address (as in the case when the connection comes from the laptop) and the Nginx proxy server also sees the VPN IP as incoming connection and hence serves the requested service (which is not served from the laptop as the proxy sees the laptop's WAN IP).

Is it possible that the laptop is only sending DNS trough the VPN and the actual traffic over internet? I do have redirect gateway set to default and push block outside dns and register dns all set. and the local lan ip is set too. When I play a YouTube it seems like the WiFi traffic in task manager and the traffic in OpenVPN Connect match hence traffic seems to go trough the tunnel.

The above contradicts your quote as far as I can judge. Can you explain what you mean by plausible reasons? I don't understand the bit "the WAN IP is not routed to the VPN".

Yeah, so the requested host probably resolves to the WAN IP. But the WAN IP, which is the VPN client connected to is not routed via the VPN and cannot be due to plausible reasons.

Using the local DNS is not really a solution as not all services run on port 443 (for instance a Synology service page).

I do see a few things in the routing table on the laptop i don't understand:

Code: [Select]

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.101.227  192.168.101.196     50
          0.0.0.0        128.0.0.0      10.10.102.1     10.10.102.66    257
      10.10.102.0    255.255.255.0         On-link      10.10.102.66    257
     10.10.102.66  255.255.255.255         On-link      10.10.102.66    257
    10.10.102.255  255.255.255.255         On-link      10.10.102.66    257
     86.83.115.52  255.255.255.255  192.168.101.227  192.168.101.196    306
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0      10.10.102.1     10.10.102.66    257
      192.168.1.0    255.255.255.0      10.10.102.1     10.10.102.66    257
    192.168.101.0    255.255.255.0         On-link   192.168.101.196    306
  192.168.101.196  255.255.255.255         On-link   192.168.101.196    306
  192.168.101.255  255.255.255.255         On-link   192.168.101.196    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      10.10.102.66    257
        224.0.0.0        240.0.0.0         On-link   192.168.101.196    306
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      10.10.102.66    257
  255.255.255.255  255.255.255.255         On-link   192.168.101.196    306
===========================================================================
Persistent Routes:
  None
192.168.101.196 is my current WiFi IP. 10.10.102.66 is the OpenVPN IP.

[viragomann]

Which IP is the host name you're calling resolved to? The assumption was, to your public WAN IP.

However, the WAN IP is not routed through the tunnel and must not be at all. Since it is the destination of the VPN connection, it's necessary that the route goes over the default WAN gateway. It cannot go through the tunnel, which the client is trying to establish.

[K2Van]

Indeed the hostname resolves to the WAN IP where the OPNsense box routes the traffic and the OpenVPN server runs on.

But why does it work when i use my Android phone (which is on the same hotel network my Laptop is on). The WAN IP the proxy server sees is the WAN IP of the hotel, not the WAN IP of the OPNsense box. Since I see the same data rate on the OpenVPN connect ap as on the WiFi adapter in Windows I assume all traffic goes trough the VPN. For those services that are regularly accessible trough internet I do get access. However for all local LAN only (plus the VPN server's subnet) the proxy logs the WAN IP of the hotel I am at when accessing with the laptop and the OpenVPN IP when accessing with the phone.

Code: [Select]

[26/Sep/2024:15:29:50 +0200] - - 403 - GET https xxx.xxx.xxx "/favicon.ico" [Client 88.25.93.196] [Length 171] [Gzip 3.23] [Sent-to OPNsense.home.arpa] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36" "https://xxx.xxx.xxx"
[26/Sep/2024:15:30:02 +0200] - 200 200 - GET https xxx.xxx.xxx "/" [Client 10.10.102.42] [Length 1114] [Gzip -] [Sent-to OPNsense.home.arpa] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36" "-"

Above are 2 acesses to the Nginx proxy server using the exact same OpenVPN profile. The first is the Laptop showing the hotel's WAN and hence gets a 403, the second the Android phone which shows the VPN IP and is hence passed trough.

And here are the Unbound logs where twice the VPN IP is logged. The only difference I see is twice and A for the laptop and A plus HTTPS for the phone.

Code: [Select]

2024-09-26T15:30:02 Informational unbound [74769:5] info: . transparent 10.10.102.42@2194 xxx.xxx.xxx HTTPS IN
2024-09-26T15:30:02 Informational unbound [74769:1] info: . transparent 10.10.102.42@33102 xxx.xxx.xxx. A IN
2024-09-26T15:29:45 Informational unbound [74769:7] info: . transparent 10.10.102.15@58573 xxx.xxx.xxx. A IN
2024-09-26T15:29:44 Informational unbound [74769:5] info: . transparent 10.10.102.15@55439 xxx.xxx.xxx. A IN

[K2Van]

I read in forums that a user account without admin rights might not be able to do everything as intended on Windows, at least in older OpenVPN versions. I upgraded my account to admin and restarted the laptop but it does not change anything.

[viragomann]

And here are the Unbound logs where twice the VPN IP is logged. The only difference I see is twice and A for the laptop and A plus HTTPS for the phone.

Code: [Select]

2024-09-26T15:30:02 Informational unbound [74769:5] info: . transparent 10.10.102.42@2194 xxx.xxx.xxx HTTPS IN
2024-09-26T15:30:02 Informational unbound [74769:1] info: . transparent 10.10.102.42@33102 xxx.xxx.xxx. A IN
2024-09-26T15:29:45 Informational unbound [74769:7] info: . transparent 10.10.102.15@58573 xxx.xxx.xxx. A IN
2024-09-26T15:29:44 Informational unbound [74769:5] info: . transparent 10.10.102.15@55439 xxx.xxx.xxx. A IN

Are you sure, that the request are from different clients?

I'd suspect, that the browser on your laptop requests a public DNS and hence gets the public WAN address.
You can verify this by entering into the browsers debugging mode (F12). Go to network analyze and enable the server IP column.

[K2Van]

I double checked the Unbound logs, the entry is indeed showing the VPN IP of the laptop. I checked a different subdomain that was not accessed for a while and it shows up with the Laptop VPN IP too.

For the browser debug I assume you mean the "remote address" in the network tab. That lists the OPNsense WAN address. It should do so  assume as that is the DNS IP for this URL.

[K2Van]

I got the android debugging tools going and indeed it also lists the WAN IP of OPNsense as remote addres.

[K2Van]

A little further analysis shows that the main traffic is probably not tunneled but he DNS is.  A traceroute shows that the system name of the hotel router is resolved without VPN but not with VPN. In both cases all intermediate hops show up which should not be visible with VPN on.

No PN

Code: [Select]

  1  1757 ms   308 ms    11 ms  hsjameosplaya.net [172.16.0.1]
  2   283 ms    33 ms   444 ms  192.168.144.1
  3    20 ms   208 ms    23 ms  229.red-81-41-250.staticip.rima-tde.net [81.41.250.229]
  4   185 ms   864 ms   185 ms  254.red-81-41-250.staticip.rima-tde.net [81.41.250.254]
with VPN, the domainname of the first hop is missing

Code: [Select]

  1    89 ms    13 ms   199 ms  172.16.0.1
  2    16 ms    95 ms    21 ms  192.168.144.1
  3   438 ms   273 ms   925 ms  229.red-81-41-250.staticip.rima-tde.net [81.41.250.229]
  4  1994 ms  1068 ms   501 ms  254.red-81-41-250.staticip.rima-tde.net [81.41.250.254]
When plying a YT a watching the data going in and out in both task manager and OpenVPN connect the same wave form is shown albeit 1000 times less in the VPN than task mnager.

[K2Van]

I solved the issue in a way I did not expect. I was looking at Tailscale as alternative to OpenVPN and they advised to setup overrides in the Unbound DNS server. After doing so the reported IP is now the OpenVPN IP and no longer the remote WAN IP. I can thus access the services as intended now.

[viragomann]

Yeah, I recommended this in my very first post. Don't know, why you didn't obey this advice.

[K2Van]

Because i simply didn't understand what you wrote. I have some basic knowledge scraped from internet but no real understanding even what to be terms mean... I continued searching and finally found the answer. From what I understand it has to do with SNAT and differs between router softwares how this is handled. I come from a Ubiquity setup where this worked "out of the box" as they handle to things differently. Will need to read up a bit to grasp this.