OpenVPN: Masquerading


      Hello,

      I have installed the OpenVPN plugin for OMV 3.0 and I could connect from a remote site to the site with OMV successfully. However, I quickly realized that some of my internal/remote network resources, especially my DNS server, and also internet access were not available until I ran the following command:

      `iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`

      (I have put this line in the iptables-persistent file and run iptables-restore from /etc/rc.local.)

      I have read on other forums regarding similar issues that it is quite normal to enable masquerading when using OpenVPN.
      Is there any downside to enabling masquerading, or is there a reason the plugin doesn't do it automatically?

      I would like to understand if what I did is an exceptional case or if it is common, necessary in all cases, and a normal procedure.

      Some background: Both the remote and the local site have the same subnet (192.168.1.0), which is not ideal (I know, but I can't change any of the networks).
    • This is necessary in case you don't have the option of adding a static route in your router. Most residential ISP-provided modem-routers don't have this option.
      If you can add a static route (and no masquerade) in the router, then packets will exit the VPN server using the source address of the VPN subnet (masquerade would change the address to the server's LAN IP), and when they hit a LAN client, these clients will now (because of the router) see that the VPN subnet is located at the OMV server, so they can establish communication.


      Just do a simple experiment: delete the masquerade rule and start pinging from a VPN client to a LAN client, a laptop for example. On the laptop start tcpdump or Wireshark and you will see the incoming ping request (source address of the VPN subnet) and the reply. The reply will hit the router, where it will get lost as the router doesn't know where this subnet is located.
      chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
      telegram.me/openmediavault broadcast channel
      openmediavault discord server
    • Basically omv-openvpn does the job for you (you don't need masquerade) since it adds SNAT routing rules.

      SNAT and masquerade are similar except that SNAT works with a static IP; masquerade can work with a dynamic IP.

      But for home users, most use a dynamic IP, so omv-openvpn cannot route your internet packets whenever the IP changes,
      so check `iptables -t nat -L` to see how your SNAT rule is set, check your current IP using ifconfig,
      and ensure both IPs are the same.
      OMV3 on Proxmox
      Intel E3-1245 v5 | 32GB ECC RAM | 4x3TB RAID10 HDD
      omv-zfs | omv-nginx | omv-letsencrypt | omv-openvpn

    • Yes, I have seen the SNAT rules before; I used iptables-save:

      Chain PREROUTING (policy ACCEPT)
      target     prot opt source               destination
      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination
      Chain OUTPUT (policy ACCEPT)
      target     prot opt source               destination
      Chain POSTROUTING (policy ACCEPT)
      target     prot opt source               destination
      MASQUERADE  all  --  10.8.0.0/24          anywhere
      SNAT       all  --  10.8.0.0/24          anywhere             to:192.168.1.10
      SNAT       all  --  10.8.0.0/24          anywhere             to:192.168.1.10
      SNAT       all  --  10.8.0.0/24          anywhere             to:192.168.1.10

      192.168.1.10 is my OpenVPN/OMV server.
      I don't know why the SNAT rules are in this list three times. Can I safely delete two of them?
    • Issue the command below three times to remove all SNAT rules:
      `iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.1.10`
      or
      `iptables -t nat -D POSTROUTING 2` (means delete the second rule)
      `iptables -t nat -D POSTROUTING 3`
      `iptables -t nat -D POSTROUTING 4`



      Your iptables is set to always use the MASQUERADE rule first
      and the SNAT rules second, third, fourth.

      What is the output of `ifconfig eth0`?
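An added check for the two things luxflow points at in the posts above: an SNAT target that no longer matches the interface's current address, and repeated rules sitting behind a MASQUERADE rule that matches first. This is example code written for this thread, not part of omv-openvpn or anything posted by its users. It parses constructed samples modelled on the `iptables -t nat -L` listing and the `ifconfig eth0` output in the thread instead of calling iptables itself, so it runs anywhere; the rule positions it emits are only valid against the listing it was given.

```python
import re
from collections import Counter

# Constructed sample modelled on the `iptables -t nat -L` listing in this thread
# (a MASQUERADE rule followed by three identical SNAT rules).
SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.8.0.0/24          anywhere
SNAT       all  --  10.8.0.0/24          anywhere             to:192.168.1.10
SNAT       all  --  10.8.0.0/24          anywhere             to:192.168.1.10
SNAT       all  --  10.8.0.0/24          anywhere             to:192.168.1.10
"""

# Constructed sample modelled on the old-style `ifconfig eth0` output in the thread.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""


def interface_ip(ifconfig_output):
    """Pull the IPv4 address out of old-style ifconfig output."""
    m = re.search(r"inet addr:(\d+\.\d+\.\d+\.\d+)", ifconfig_output)
    return m.group(1) if m else None


def parse_nat_chain(listing, chain="POSTROUTING"):
    """Return the rules of one chain, numbered the way `iptables -D <chain> <n>` counts them."""
    rules, in_chain = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        if not in_chain or line.startswith("target") or not line.strip():
            continue
        fields = line.split()            # target prot opt source destination [extras]
        m = re.search(r"to:(\S+)", line)
        rules.append({"pos": len(rules) + 1, "target": fields[0],
                      "source": fields[3], "destination": fields[4],
                      "to": m.group(1) if m else None})
    return rules


def _key(rule):
    return (rule["target"], rule["source"], rule["destination"], rule["to"])


def audit_postrouting(listing, iface_ip):
    """Report duplicate rules, SNAT targets that drifted away from the interface
    address (the DHCP case luxflow describes), and SNAT rules shadowed by an
    earlier MASQUERADE rule (NAT targets are terminating, so only the first match acts)."""
    rules = parse_nat_chain(listing)
    findings = []
    for (target, src, dst, to), n in Counter(_key(r) for r in rules).items():
        if n > 1:
            findings.append(f"duplicate: {target} {src} -> {to or dst} appears {n} times")
    for r in rules:
        if r["target"] == "SNAT" and r["to"] != iface_ip:
            findings.append(f"stale: rule {r['pos']} SNATs to {r['to']} but the interface now has {iface_ip}")
    masq = [r["pos"] for r in rules if r["target"] == "MASQUERADE"]
    snat = [r["pos"] for r in rules if r["target"] == "SNAT"]
    if masq and snat and min(masq) < min(snat):
        findings.append(f"shadowed: MASQUERADE at position {min(masq)} matches first; SNAT rules {snat} never fire")
    return findings


def dedup_commands(listing, chain="POSTROUTING"):
    """Commands that remove every repeated copy of a rule, keeping the first one.
    Positions are emitted highest first: deleting rule 2 renumbers rules 3 and 4,
    so deleting by number in ascending order would remove the wrong rules."""
    seen, doomed = set(), []
    for r in parse_nat_chain(listing, chain):
        if _key(r) in seen:
            doomed.append(r["pos"])
        seen.add(_key(r))
    return [f"iptables -t nat -D {chain} {pos}" for pos in sorted(doomed, reverse=True)]


if __name__ == "__main__":
    ip = interface_ip(SAMPLE_IFCONFIG)
    for finding in audit_postrouting(SAMPLE_NAT_LISTING, ip):
        print(finding)
    for cmd in dedup_commands(SAMPLE_NAT_LISTING):
        print(cmd)
```

Against the sample the audit reports the triple SNAT rule and the shadowing MASQUERADE; feeding it an interface address other than 192.168.1.10 adds one "stale" finding per SNAT rule, which is the mismatch to look for when the server gets its address from DHCP. Deleting by rule number is done from the highest position downwards for the reason given in the docstring; deleting by specification (`-D POSTROUTING -s ... -j SNAT --to ...`) avoids the renumbering problem entirely.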

    • If I issue the command twice then my POSTROUTING chain just grows:

      Chain PREROUTING (policy ACCEPT)
      target     prot opt source               destination
      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination
      Chain OUTPUT (policy ACCEPT)
      target     prot opt source               destination
      Chain POSTROUTING (policy ACCEPT)
      target     prot opt source               destination
      MASQUERADE  all  --  10.8.0.0/24          anywhere
      SNAT       all  --  10.8.0.0/24          anywhere             to:192.168.1.10
      SNAT       all  --  10.8.0.0/24          anywhere             to:192.168.1.10
      SNAT       all  --  10.8.0.0/24          anywhere             to:192.168.1.10
      SNAT       all  --  10.8.0.0/24          anywhere             to:192.168.1.10
      SNAT       all  --  10.8.0.0/24          anywhere             to:192.168.1.10

      I understand that since MASQUERADE is first it has precedence over SNAT. What I didn't mention in my previous post: I have a WRT firmware on my router (Asuswrt-Merlin) and I think I can add a static route there. So after I have observed the packets as mentioned by subzero79, I will add a static route and remove the MASQUERADE line, hence I will only have the SNAT rules left :)

      Could it be that since I have installed iptables-persistent the SNAT rule will be added on every boot? I think if that is the case, I'll have to remove the SNAT rules from my iptables-persistent config file.


      EDIT: ifconfig eth0:

      eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
      inet addr:192.168.1.10 Bcast:192.168.1.255 Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      RX packets:121960352 errors:0 dropped:0 overruns:0 frame:0
      TX packets:35165756 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:181307377105 (168.8 GiB) TX bytes:18499311834 (17.2 GiB)
      Memory:df300000-df37ffff
    • Sorry, I gave wrong information; check my previous post again.
      Not
      `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.1.10` (to add)
      but
      `iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.1.10` (to delete).

      (A, D changed)


      @florianb
      SNAT rules are automatically added by omv-openvpn when you bring up your interface,
      so you don't need to add them to the iptables-persistent config file.
      Removing all of them is OK.

      For your environment
      you should have two NATs.
      First is 10.8.0.0 <-> 192.168.1.10 <-> internet IP.
      The router does NAT for 192.168.1.10 <-> internet IP (it uses masquerade here since most ISPs use dynamic IPs),
      but OMV should do NAT for 10.8.0.0 <-> 192.168.1.10 (masquerade or SNAT).



      I don't know why your SNAT rules weren't working
      and masquerade worked; as far as I know your two rules (masquerade, SNAT) are the same.

    • Thanks, I have removed two of the three SNAT rules and also removed the MASQUERADE rule.
      Additionally, I uninstalled iptables-persistent, which I had installed manually, and also removed the iptables-restore line from /etc/rc.local.
      But after rebooting OMV I again had three SNAT rules in iptables. Is the rule added for every interface that exists on the system? Because I have exactly three interfaces (including the tun0 device from OpenVPN). It doesn't hurt to have them there, I just would like to have it confirmed that this looks normal to you guys too.

      What is weird now is that when connected over VPN all my browsers (Chrome, Edge, Firefox) are able to load all web resources (internet & local web pages). Also I can access my SMB share through Windows Explorer. I swear it wasn't working before I had added the MASQUERADE rule. I am puzzled why it does work now.

      The only thing not working now when connected through VPN is that nslookup on the command line cannot resolve any name. nslookup tries to use the DNS server of the remote ISP (the one it would use when not connected through VPN) instead of using the local one (in the network of my OMV).

      I thought the DNS server of the interface the traffic is flowing through was used. Is that not the case for MS nslookup?

      ipconfig shows that my local Ethernet adapter has the local ISP's DNS server IP set.
      The ISATAP tunnel adapter has my OMV network's DNS server set (which is the one I want to use). Could this be a route problem on my client?
    • florianb wrote:

      But after rebooting OMV I again had three SNAT rules in iptables. Is the rule added for every interface that exists on the system? Because I have exactly three interfaces (including the tun0 device from OpenVPN). It doesn't hurt to have them there, I just would like to have it confirmed that this looks normal to you guys too.
      Yes, you're right, it seems to be a bug: the iptables rules are applied multiple times (once per interface) when they should be applied once.
      I will open an issue for this (and also suggest to the plugin developer to use masquerade instead of SNAT).


      florianb wrote:

      What is weird now is that when connected over VPN all my browsers (Chrome, Edge, Firefox) are able to load all web resources (internet & local web pages). Also I can access my SMB share through Windows Explorer. I swear it wasn't working before I had added the MASQUERADE rule. I am puzzled why it does work now.
      As I stated above,

      luxflow wrote:

      SNAT and masquerade are similar except that SNAT works with a static IP; masquerade can work with a dynamic IP.

      But for home users, most use a dynamic IP, so omv-openvpn cannot route your internet packets whenever the IP changes.
      My guess is that the omv-openvpn plugin set 192.168.1.10 but your OMV server's IP was something other than 192.168.1.10 due to DHCP, so NAT didn't work at that time (this is my guess, I don't know why it was).
      So I recommend setting your IP (192.168.1.10) static, but also make sure your router doesn't assign that static IP to other devices (IP collision).
    • I haven't figured out what caused the misbehaviour. What came to my mind is that it could have been caused by DNS caching or similar.

      It works very stably right now. What I did:

      1) Added a static route on my router: 10.8.0.0/24 is on gateway 192.168.1.10 (my OMV/OpenVPN instance).
      2) Added push "route 192.168.1.0 255.255.255.0" in the OpenVPN extra options. This route is created on the client with metric 35 and is therefore lower than my other existing/local route for the local network.
      My client's routes when connected through the VPN are then:

      Network Destination    Netmask          Gateway       Interface     Metric
      0.0.0.0                0.0.0.0          192.168.1.1   192.168.1.60      35
      0.0.0.0                128.0.0.0        10.8.0.5      10.8.0.6          35
      10.8.0.1               255.255.255.255  10.8.0.5      10.8.0.6          35
      ...
      128.0.0.0              128.0.0.0        10.8.0.5      10.8.0.6          35
      192.168.1.0            255.255.255.0    On-link       192.168.1.60     291
      192.168.1.0            255.255.255.0    10.8.0.5      10.8.0.6          35

      DNS resolution is instant and all network resources, be it on the local network or on the VPN network, are working just fine.
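As an added illustration of why the two steps above fix things (this is example code written for the thread, not something posted in it or taken from OpenVPN or OMV): a forwarding lookup that picks the longest matching prefix and breaks ties on the lowest metric, run over a constructed copy of the client route table above, plus a constructed router table with and without the static route from step 1. The two /1 routes via 10.8.0.5 are assumed to come from OpenVPN's redirect-gateway def1 option (the thread does not show the client config), and "ISP-GW" is a placeholder for the router's WAN next hop.

```python
import ipaddress

# Constructed client routing table, modelled on the route listing in the post above:
# (destination, netmask, gateway, interface, metric).
CLIENT_ROUTES = [
    ("0.0.0.0",     "0.0.0.0",         "192.168.1.1", "192.168.1.60", 35),   # LAN default route
    ("0.0.0.0",     "128.0.0.0",       "10.8.0.5",    "10.8.0.6",     35),   # lower half of the address space via tunnel
    ("10.8.0.1",    "255.255.255.255", "10.8.0.5",    "10.8.0.6",     35),   # host route to the server's tunnel address
    ("128.0.0.0",   "128.0.0.0",       "10.8.0.5",    "10.8.0.6",     35),   # upper half via tunnel
    ("192.168.1.0", "255.255.255.0",   "On-link",     "192.168.1.60", 291),  # the client's own LAN
    ("192.168.1.0", "255.255.255.0",   "10.8.0.5",    "10.8.0.6",     35),   # pushed "route 192.168.1.0 255.255.255.0"
]

# Constructed table for the remote-site router. "ISP-GW" is a placeholder for the
# WAN-side next hop; the thread does not show the router's own table.
ROUTER_ROUTES = [
    ("0.0.0.0",     "0.0.0.0",       "ISP-GW",  "wan",         1),
    ("192.168.1.0", "255.255.255.0", "On-link", "192.168.1.1", 1),
]
# Step 1 in the post: 10.8.0.0/24 is reachable via the OMV/OpenVPN box.
STATIC_ROUTE = ("10.8.0.0", "255.255.255.0", "192.168.1.10", "192.168.1.1", 1)


def select_route(dst, routes):
    """Forwarding lookup: the longest matching prefix wins, ties go to the lowest metric.
    Returns (gateway, interface), or None when no route matches."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for dest, mask, gateway, iface, metric in routes:
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        if addr not in net:
            continue
        rank = (-net.prefixlen, metric)       # smaller tuple == preferred route
        if best is None or rank < best[0]:
            best = (rank, gateway, iface)
    return None if best is None else (best[1], best[2])


def reply_path_from_lan(vpn_client_ip, static_route_present):
    """Where the remote-site router forwards a LAN host's reply to a VPN client
    (the ping experiment subzero79 described): out to the ISP with no static route,
    to the OMV box once 10.8.0.0/24 is routed to 192.168.1.10."""
    table = ROUTER_ROUTES + ([STATIC_ROUTE] if static_route_present else [])
    return select_route(vpn_client_ip, table)


if __name__ == "__main__":
    for dst in ("192.168.1.5", "192.168.1.1", "10.8.0.1", "8.8.8.8", "172.16.0.1"):
        print(dst, "->", select_route(dst, CLIENT_ROUTES))
    print("192.168.1.5 without the pushed route ->", select_route("192.168.1.5", CLIENT_ROUTES[:-1]))
    print("router, no static route ->", reply_path_from_lan("10.8.0.6", False))
    print("router, static route    ->", reply_path_from_lan("10.8.0.6", True))
```

Two things the lookup makes visible. Without the pushed route, any 192.168.1.x address matches only the on-link /24 and stays on the client's own LAN, which is the overlapping-subnet problem from the first post; with it, the /24 via 10.8.0.5 wins on metric, so 192.168.1.x goes through the tunnel, and that includes the client's own gateway 192.168.1.1, which is the cost of running both sites on the same subnet. On the router side, a reply addressed to 10.8.0.6 falls through to the WAN default route until the static route exists, which is exactly where subzero79's packet capture shows it getting lost.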