bitmage
just joined
Topic Author
Posts: 4
Joined: Sun Jul 01, 2018 5:25 am

OpenVPN clients accessing servers with hairpin nat

Thu Nov 28, 2019 4:42 am

My current router setup has several servers behind it that are exposed to the internet with port forwards. Internal users are able to access these servers with hairpin nat rules that redirect the traffic back. All of that works fine.

I'm now trying to add an OpenVPN configuration. OpenVPN clients are assigned addresses from a separate pool. When the OpenVPN clients connect, they are able to access the internet and internal resources through the VPN. But attempts to hit forwarded services at the router's external address fail. I've created a src-nat masquerade rule for the OpenVPN address pool range, and tried adding dst-nat rules for the exposed servers without success.

Is it possible to make this work? Both the OpenVPN endpoint and the external address the port forwards are off of are the same, e.g.:
OpenVPN external endpoint is my.dynamic.addr 1194
Backend server is port forwarded from my.dynamic.addr 80
Internal users connecting to my.dynamic.addr 80 work fine, but OpenVPN clients cannot.
 
sindy
Forum Guru
Posts: 4193
Joined: Mon Dec 04, 2017 9:19 pm

Re: OpenVPN clients accessing servers with hairpin nat

Sat Nov 30, 2019 5:53 pm

I'm afraid it's a matter of how routing is set up at the OpenVPN clients.

On Mikrotik, any point-to-point tunnel which is made the default gateway for all traffic stops working as soon as it comes up because the router starts sending that tunnel's transport packets via the tunnel itself. So you have to manually configure a routing exception so that the transport packets of the tunnel would use some other route than the default one.

On various other systems, the same situation is addressed silently, without the user having to care about it. This is convenient for users who don't understand the details, but the drawback is that you don't know what exactly the system does to address this. So if, in the case of your OpenVPN client, a special route towards the address of the OpenVPN server via the previous default gateway is added automatically once the tunnel gets up and before a new default route through the tunnel is installed, that special route will also be used for any other packet the client sends to that IP address. On Mikrotik, as you take the measures yourself, you may use policy routing to only use the previous gateway for OpenVPN transport packets, but let any other traffic to the OpenVPN server's public IP be routed via the tunnel. As the client is not Mikrotik, you have to find out how exactly it makes the transport packets use the old gateway and whether you can affect that behaviour.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
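The policy-routing exception described above, written out as an added example in RouterOS v6 syntax for the case where the OpenVPN client is itself a MikroTik router (this is not configuration from either poster). It assumes a constructed setup: the tunnel interface is `ovpn-out1`, the previous default gateway is `192.0.2.1`, the server's public address is `my.public.ip.1`, and the tunnel runs over TCP 1194 (RouterOS v6 OpenVPN is TCP only). Only the tunnel's own transport packets are pinned to the old gateway; HTTP to `my.public.ip.1` still goes through the tunnel, where the server-side hairpin dst-nat can handle it.

```routeros
# Added example, not from the thread. Constructed values: ovpn-out1,
# 192.0.2.1 (old WAN gateway), my.public.ip.1 (OpenVPN server / forwarded
# services), TCP 1194 (tunnel transport).

/ip firewall mangle
# Mark ONLY router-originated packets that carry the tunnel itself
# (chain=output, exact server address and transport port). Everything
# else destined for my.public.ip.1 stays unmarked and follows the
# main routing table, i.e. the tunnel once it is the default route.
add chain=output dst-address=my.public.ip.1 protocol=tcp dst-port=1194 \
    action=mark-routing new-routing-mark=ovpn-transport passthrough=no \
    comment="OpenVPN transport packets bypass the tunnel"

/ip route
# Policy route for the marked transport packets: old WAN gateway.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=ovpn-transport \
    comment="transport path for ovpn-out1"
# Default route through the tunnel for all other traffic (lower distance
# than the original WAN default route, which stays as a fallback).
add dst-address=0.0.0.0/0 gateway=ovpn-out1 distance=1 \
    comment="all traffic via VPN"
# Original default route, kept at a higher distance so it is not chosen
# while the tunnel is up but still exists for the policy route's gateway.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=5 \
    comment="previous default gateway"
```

Check the result with `/ip route print detail` (the marked route should show `routing-mark=ovpn-transport`) and `/ip firewall mangle print stats` (only the TCP 1194 rule should count packets when the tunnel is up).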
 
bitmage
just joined
Topic Author
Posts: 4
Joined: Sun Jul 01, 2018 5:25 am

Re: OpenVPN clients accessing servers with hairpin nat

Sun Dec 01, 2019 8:56 pm

Thanks. I was able to configure the client to bypass the VPN tunnel for the affected domains.
