OpenVPN (easymode) with double NAT

Hi, I’m trying to understand if it’s possible, and where I need to configure an additional route, to allow me to reach my LAN subnet within the established tunnel.

public IP -> ISP router 192.168.1.0/24 -> Turris LAN 10.0.112.0/24

  • Client config generated was edited to reflect true public IP (instead of prefilled 192…).

The OpenVPN client is getting the default 10.111.111.0 subnet assigned.

But I guess now I will have to instruct client/server to be able to reach LAN via “ISP subnet”. :thinking:

Any suggestions would be welcome… thanks!

Double NAT? There are always problems with that. I haven’t tested it, but you can try it.

It should be like this:
public IP -> (WAN) ISP router, static IP and forwarding port (LAN) 192.168.1.0/24 -> 192.168.1.2 (WAN) Turris, OpenVPN server (LAN) 10.0.112.0/24

  1. First, you must make a static reservation on the ISP router so that Turris always gets the same IP on the Turris WAN port (192.168.1.2).
  2. Then set up port forwarding (UDP 1194) from the public IP to the LAN address (192.168.1.2) in the ISP router.
  3. Configure the OpenVPN server in Turris so that clients can connect in a standard way.
  4. Configure the client to connect to the public IP.

I have not tested it, so it may not work the first time, sorry in advance.

Hi Roman. Thanks for the info.
Yes, I did exactly all the steps you listed. The ISP router is always reserving the same DHCP IP for the Omnia (else most of my FW “double forwarded ports” would not work if this IP suddenly changed).
I accepted all default config for the easymode scripts.

**Current settings**
Network: 10.111.111.0/24
Device: tun_turris
Port: 1194
Route: 10.0.112.0/24

I noticed the changes in LuCI (network interfaces, rules, etc.). They seem fine to me.
I am just not understanding where and how, with these default configs, the VPN subnet would be allowed to route to the LAN subnet. I found the server VPN config in /etc/config/openvpn and it lists this, which to me seems fine. It is also added to the client when checking the logs:

/etc/config/openvpn subnet entry:

list push 'route 10.0.112.0 255.255.255.0'

client config log:

2019-03-23 13:36:07 NIP: adding IPv4 address to network settings     10.111.111.6/255.255.255.252
2019-03-23 13:36:07 NIP: adding (included) IPv4 route 10.111.111.4/30
2019-03-23 13:36:07 NIP: adding (included) IPv4 route 10.0.112.0/24
2019-03-23 13:36:07 NIP: adding (included) IPv4 route 10.111.111.1/32
2019-03-23 13:36:07 Connected via NetworkExtensionTUN
2019-03-23 13:36:07 LZO-ASYM init swap=0 asym=1
2019-03-23 13:36:07 Comp-stub init swap=1
2019-03-23 13:36:07 EVENT: CONNECTED x.x.x.x:1194 (x.x.x.x) via /UDPv4 on     NetworkExtensionTUN/10.111.111.6/ gw=[/]
2019-03-23 13:36:20 NIP: iOS reported network status unavailable
2019-03-23 13:36:20 OS Event: NET UNAVAILABLE (PAUSE): Internet:NotReachable/-R tc-----
2019-03-23 13:36:20 UDP send exception: SYSTEM/Can't assign requested address
2019-03-23 13:36:20 Transport Error: EADDRNOTAVAIL: Can't assign requested address
2019-03-23 13:36:20 EVENT: TRANSPORT_ERROR EADDRNOTAVAIL: Can't assign requested address [ERR]
...

I wonder where and why these two smaller subnets are added instead of just the /24. :thinking:
NIP: adding (included) IPv4 route 10.111.111.4/30
NIP: adding (included) IPv4 route 10.111.111.1/32

FW config:

config zone 'vpn_turris'
option enabled '1'
option name 'vpn_turris'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
list network 'vpn_turris'

config rule 'vpn_turris_rule'
option enabled '1'
option name 'vpn_turris_rule'
option target 'ACCEPT'
option proto 'udp'
option src 'wan'
option dest_port '1194'

config forwarding 'vpn_turris_forward_lan_in'
option enabled '1'
option src 'vpn_turris'
option dest 'lan'

config forwarding 'vpn_turris_forward_lan_out'
option enabled '1'
option src 'lan'
option dest 'vpn_turris'

config forwarding 'vpn_turris_forward_wan_out'
option enabled '0'
option src 'vpn_turris'
option dest 'wan'

Is everyone able to “bridge” their ISP router so easily or why isn’t anyone having trouble with double NAT configurations? :slightly_frowning_face:
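To make the two questions in this post concrete (whether the pushed routes actually cover the LAN, and whether the firewall lets the VPN zone forward into the LAN zone), here is an added troubleshooting script. It is not part of the thread and not part of the Turris easymode scripts; the log lines and UCI stanzas it parses are copied from the post above as constructed sample input, and the longest-prefix lookup is a simplification of what the client's routing table does. The /30 and /32 it reports are what OpenVPN's default `topology net30` produces: each client receives a /30 block (here 10.111.111.4/30, with .5 as the server-side endpoint and .6 as the client), and the /32 is the route to the server's own tunnel address 10.111.111.1.

```python
"""Check an OpenVPN client's pushed routes and the OpenWrt firewall
forwarding on the server against a LAN destination (added example)."""
import ipaddress
import re
import shlex

# Constructed sample: the route-related lines of the iOS client log above.
CLIENT_LOG = """\
2019-03-23 13:36:07 NIP: adding IPv4 address to network settings 10.111.111.6/255.255.255.252
2019-03-23 13:36:07 NIP: adding (included) IPv4 route 10.111.111.4/30
2019-03-23 13:36:07 NIP: adding (included) IPv4 route 10.0.112.0/24
2019-03-23 13:36:07 NIP: adding (included) IPv4 route 10.111.111.1/32
"""

# Constructed sample: the /etc/config/firewall stanzas from the post.
FIREWALL_UCI = """\
config zone 'vpn_turris'
option enabled '1'
option name 'vpn_turris'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
list network 'vpn_turris'

config forwarding 'vpn_turris_forward_lan_in'
option enabled '1'
option src 'vpn_turris'
option dest 'lan'

config forwarding 'vpn_turris_forward_wan_out'
option enabled '0'
option src 'vpn_turris'
option dest 'wan'
"""

ADDR_RE = re.compile(r"adding IPv4 address to network settings\s+(\S+)")
ROUTE_RE = re.compile(r"adding \(included\) IPv4 route (\S+)")


def parse_client_routes(log):
    """Return (tunnel interface, [pushed routes]) parsed from the client log."""
    addr, routes = None, []
    for line in log.splitlines():
        m = ADDR_RE.search(line)
        if m:
            # ipaddress accepts the dotted-netmask form the client prints.
            addr = ipaddress.ip_interface(m.group(1))
        m = ROUTE_RE.search(line)
        if m:
            routes.append(ipaddress.ip_network(m.group(1), strict=False))
    return addr, routes


def route_for(dest, routes):
    """Longest-prefix match; None when no pushed route covers dest."""
    dest = ipaddress.ip_address(dest)
    hits = [r for r in routes if dest in r]
    return max(hits, key=lambda r: r.prefixlen) if hits else None


def parse_uci(text):
    """Minimal UCI parser: a list of {type, name, options, lists} sections."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw)  # keeps quoted values with spaces intact
        if not parts:
            continue
        kw, rest = parts[0], parts[1:]
        if kw == "config":
            sections.append({"type": rest[0],
                             "name": rest[1] if len(rest) > 1 else None,
                             "options": {}, "lists": {}})
        elif kw == "option":
            sections[-1]["options"][rest[0]] = rest[1]
        elif kw == "list":
            sections[-1]["lists"].setdefault(rest[0], []).append(rest[1])
    return sections


def forwarding_enabled(sections, src, dest):
    """True if an enabled 'forwarding' stanza allows zone src -> zone dest."""
    for s in sections:
        o = s["options"]
        if (s["type"] == "forwarding" and o.get("src") == src
                and o.get("dest") == dest and o.get("enabled", "1") == "1"):
            return True
    return False


def diagnose(dest_host, log=CLIENT_LOG, uci=FIREWALL_UCI, vpn_zone="vpn_turris"):
    """Summarise why dest_host is or is not reachable from the VPN client."""
    addr, routes = parse_client_routes(log)
    matched = route_for(dest_host, routes)
    sections = parse_uci(uci)
    return {
        "client_address": str(addr.ip),
        "client_net30": str(addr.network),      # the /30 block from topology net30
        "route": str(matched) if matched else None,
        "forward_vpn_to_lan": forwarding_enabled(sections, vpn_zone, "lan"),
        "forward_vpn_to_wan": forwarding_enabled(sections, vpn_zone, "wan"),
    }


if __name__ == "__main__":
    for host in ("10.0.112.10", "192.168.1.1"):
        print(host, diagnose(host))
```

Run as-is, it shows that a LAN host such as 10.0.112.10 is covered by the pushed 10.0.112.0/24 route and that the vpn_turris -> lan forwarding is enabled, while a host on the ISP subnet 192.168.1.0/24 has no pushed route at all, which is the "ISP subnet" concern raised earlier in the thread; the disabled vpn_turris -> wan forwarding is why VPN clients cannot leave through the WAN zone with this default config.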

This is done by a client with iOS (Accessing local LAN through OpenVPN. - OpenVPN Support Forum) - check the client configuration.

So, to understand: you get to the VPN server and then it interrupts you? Is the VPN connection activity visible in the Turris log?

It connects just fine but then it cannot seem to reach anything else. :frowning:

All I can find as far as logs on the server side is the openvpn-status.log:

OpenVPN CLIENT LIST
Updated,Sat Mar 23 18:16:31 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected    
iphone,x.x.x.x:60993,2898,4180,Sat Mar 23 18:15:08 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.111.111.6,iphone,x.x.x.x:60993,Sat Mar 23 18:15:10 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END

Okay, so you connect to the server. The error looks to be on the client side.
Try another version or another client. I can’t advise you better; personally I use a Windows client.
Also try asking the OpenVPN Forum (https://forums.openvpn.net)

Here’s what to talk about:
https://forums.openvpn.net/viewtopic.php?t=25587&start=60
https://community.openvpn.net/openvpn/ticket/1066

(maybe a problem in UDP, try TCP)