OpenVPN: Masquerading

  • Hello,


    I have installed the OpenVPN Plugin for OMV 3.0 and I could connect from a remote site to the site with OMV successfully. However I realized quickly that some of my internal/remote network resources, especially my DNS server and also internet access was not available until I ran the following command:


```bash
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
```

    (I have put this line in iptables-persistent file and load iptables-restore in /etc/rc.local).


    I have read on other forums regarding similar issues that it is quite normal to enable masquerading when using OpenVPN.
    Is there any downside for enabling masquerading or is there a reason that the plugin doesn't do it automatically?


    I would like to understand if what I did is an exceptional case or if it is common and necessary in all cases and a normal procedure.


Some background: Both the remote and local site have the same subnet (192.168.1.0), which is not ideal (I know, but I can't change either network).

    • Official Post

This is necessary in case you don't have the option of adding a static route in your router. Most residential ISP-provided modem-routers don't have this option.
If you can add a static route (and no masquerade) in the router, then packets will exit the VPN server using the source address of the VPN subnet (masquerade would change the address to the server's LAN IP), and when they hit a LAN client these clients will now (because of the router) see that the VPN subnet is located at the OMV server, so they can establish communication.



Just do a simple experiment: delete the masquerade rule and start pinging from a VPN client to a LAN client, a laptop for example. On the laptop start tcpdump or Wireshark and you will see the incoming ping request (source address of the VPN subnet) and the reply. The reply will hit the router, where it will get lost as the router doesn't know where this subnet is located.

  • Thanks for your answer. I will try it out as soon as possible. I am no network professional so it is good to get some background information.


luxflow: Yes, I have enabled that all traffic should be redirected through the VPN server (which is what I want).

Basically omv-openvpn does the job for you (you don't need masquerade) since it adds SNAT routing rules.


SNAT and masquerade are similar, except that SNAT works with a static IP, while masquerade can work with a dynamic IP.


But, for home users, most users have a dynamic IP, so omv-openvpn cannot route your internet packets whenever the IP changes,
so check `iptables -t nat -L` to see how your SNAT rule is set and check your current IP using ifconfig,
and ensure both IPs are the same.

    OMV3 on Proxmox
    Intel E3-1245 v5 | 32GB ECC RAM | 4x3TB RAID10 HDD
    omv-zfs | omv-nginx | omv-letsencrypt | omv-openvpn

  • Yes, I have seen the SNAT rules before I used iptables-save:


    192.168.1.10 is my OpenVPN/OMV server.
I don't know why the SNAT rules are in this list three times. Can I safely delete two of them?

Issue the command below three times to remove all SNAT rules:
`iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.1.10`
or
`iptables -t nat -D POSTROUTING 2` (meaning: delete the second rule)
`iptables -t nat -D POSTROUTING 3`
`iptables -t nat -D POSTROUTING 4`




Your iptables is set to always use the MASQUERADE rule first
and the SNAT rules second, third and fourth.


What is your output of `ifconfig eth0`?


  • If I issue the command twice then my POSTROUTING chain just grows:


I understand that since MASQUERADE is first it has precedence over SNAT. What I didn't mention in my previous post: I have a WRT firmware on my router (Asuswrt-Merlin) and I think I can add a static route in there. So after I have observed the packets as mentioned by subzero79 I will add a static route and remove the MASQUERADE line, hence I will only have the SNAT rules left :)


    Could it be that since I have installed iptables-persistent the SNAT rule will be added on every boot? I think if that is the case, I'll have to remove the SNAT rules from my iptables-persistent config file.



    EDIT: ifconfig eth0:


```
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:192.168.1.10 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:121960352 errors:0 dropped:0 overruns:0 frame:0
TX packets:35165756 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:181307377105 (168.8 GiB) TX bytes:18499311834 (17.2 GiB)
Memory:df300000-df37ffff
```

Sorry, I gave wrong information; check my previous post again.
Not
`iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.1.10` to add,
but
`iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.1.10` to delete.


(-A changed to -D)



@florianb
SNAT rules are automatically added by omv-openvpn when you bring up your interface,
so you don't need to add them to the iptables-persistent config file.
Removing all of them is OK.


For your environment
you should have two NATs.
The first is 10.8.0.0 <-> 192.168.1.10 <-> internet IP.
The router does NAT for 192.168.1.10 <-> internet IP (it uses masquerade here since most ISPs use a dynamic IP),
but OMV should do NAT for 10.8.0.0 <-> 192.168.1.10 (masquerade or SNAT).




I don't know why your SNAT rules weren't working
and masquerade worked; as far as I know your two rules (masquerade, SNAT) are the same.


Thanks, I have removed two of the three SNAT rules and also removed the MASQUERADE rule.
Additionally, I uninstalled iptables-persistent, which I had installed manually, and also removed the iptables-restore line from /etc/rc.local.
But after rebooting OMV I again had three SNAT rules in iptables. Is the rule added for every interface that exists on the system? Because I have exactly three interfaces (including the tun0 device from OpenVPN). It doesn't hurt to have them there, I would just like to have it confirmed that this looks normal to you guys too.


What is weird now is that when connected over VPN all my browsers (Chrome, Edge, Firefox) are able to load all web resources (internet & local web pages). Also I can access my SMB share through Windows Explorer. I swear it wasn't working before I had added the MASQUERADE rule. I am puzzled why it does work now.


The only thing not working now when connected through VPN is that nslookup on the command line cannot resolve any name. nslookup tries to use the DNS server of the remote ISP (the one it would use when not connected through VPN) instead of using the local one (in the network of my OMV).


    I thought the DNS server of the interface the traffic is flowing through was used. Is that not the case for MS nslookup?


ipconfig shows that my local Ethernet adapter has the local ISP DNS server IP set.
The ISATAP tunnel adapter has my OMV-network DNS server set (which is the one I want to use). Could this be a route problem on my client?

But after rebooting OMV I again had three SNAT rules in iptables. Is the rule added for every interface that exists on the system? Because I have exactly three interfaces (including the tun0 device from OpenVPN). It doesn't hurt to have them there, I would just like to have it confirmed that this looks normal to you guys too.

Yes, you're right, it seems to be a bug: the iptables rule is applied multiple times (number of interfaces) when it should be applied once.
I will open an issue for this (and also suggest to the plugin developer to use masquerade instead of SNAT).



What is weird now is that when connected over VPN all my browsers (Chrome, Edge, Firefox) are able to load all web resources (internet & local web pages). Also I can access my SMB share through Windows Explorer. I swear it wasn't working before I had added the MASQUERADE rule. I am puzzled why it does work now.

    as I stated above,


SNAT and masquerade are similar, except that SNAT works with a static IP, while masquerade can work with a dynamic IP.


But, for home users, most users have a dynamic IP, so omv-openvpn cannot route your internet packets whenever the IP changes.

My guess is that the omv-openvpn plugin set 192.168.1.10, but your OMV server IP was something other than 192.168.1.10 due to DHCP, so NAT didn't work at that time (this is my guess, I don't know why it was),
so I recommend setting your IP (192.168.1.10) static, but also make sure your router does not assign that static IP to other devices (IP collision).

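The two checks luxflow recommends in this thread, comparing the SNAT `--to` address with the address eth0 actually holds and noticing that the plugin inserted the same rule once per interface, can be scripted. The POSIX shell check below is an added example, not code from the omv-openvpn plugin or from anyone in this thread; the chain dump and address dump it parses are constructed to mirror the situation described above (on a live box they would come from `iptables -t nat -S POSTROUTING` and `ip -4 -o addr show dev eth0`), and it assumes DHCP has moved the server to 192.168.1.23 while the SNAT rule still says 192.168.1.10.

```shell
#!/bin/sh
# Audit the POSTROUTING chain for the VPN subnet: is the SNAT target still the
# address eth0 holds, and has the rule been inserted more than once?
# Both inputs below are constructed samples, not captured from a real server.

VPN_NET="10.8.0.0/24"

# Constructed `iptables -t nat -S POSTROUTING` output: the SNAT rule appears
# three times, once per interface, as reported in the thread.
RULES_SAMPLE='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.1.10
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.1.10
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.1.10'

# Constructed `ip -4 -o addr show dev eth0` output, as if DHCP had handed out .23.
IP_SAMPLE='2: eth0    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic eth0\       valid_lft 86400sec preferred_lft 86400sec'

# Number of SNAT rules for the VPN subnet in the chain dump read from stdin.
count_snat() { grep -c -- "-s $VPN_NET .*-j SNAT" || true; }

# The --to-source address of the first SNAT rule for the VPN subnet.
snat_target() {
    grep -- "-s $VPN_NET .*-j SNAT" | head -n 1 | sed -n 's/.*--to-source \([0-9.]*\).*/\1/p'
}

# The IPv4 address (without prefix length) from `ip -4 -o addr show` output.
iface_addr() { sed -n 's/.*inet \([0-9.]*\)\/.*/\1/p' | head -n 1; }

# Verdict for a chain dump and an address dump: "missing", "ok" or
# "stale <snat-target> <actual>", with " dup=N" appended when N > 1 copies exist.
audit_nat() {
    rules="$1"; addrs="$2"
    n=$(printf '%s\n' "$rules" | count_snat)
    if [ "$n" -eq 0 ]; then echo "missing"; return 0; fi
    want=$(printf '%s\n' "$rules" | snat_target)
    have=$(printf '%s\n' "$addrs" | iface_addr)
    if [ "$want" = "$have" ]; then verdict="ok"; else verdict="stale $want $have"; fi
    if [ "$n" -gt 1 ]; then verdict="$verdict dup=$n"; fi
    echo "$verdict"
}

# On a live OMV box, feed the real dumps instead of the samples:
#   audit_nat "$(iptables -t nat -S POSTROUTING)" "$(ip -4 -o addr show dev eth0)"
audit_nat "$RULES_SAMPLE" "$IP_SAMPLE"
```

A "stale" verdict is exactly the situation luxflow guesses at: packets from 10.8.0.0/24 get rewritten to an address the server no longer owns, so replies never come back, while a MASQUERADE rule would pick up the current address by itself.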

I haven't figured out what caused the misbehaviour. What came to my mind is that it could have been caused by DNS caching or similar.


It works very stably right now. What I did:


1) Added a static route on my router: 10.8.0.0/24 is on gateway 192.168.1.10 (my OMV/OpenVPN instance).
2) Added push "route 192.168.1.0 255.255.255.0" in the OpenVPN extra options. This rule is then created on the client with metric 35 and is therefore lower than my other existing local rule for the local network.
My client's routes when connected through VPN are then:


```
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.60      35
          0.0.0.0        128.0.0.0         10.8.0.5        10.8.0.6      35
         10.8.0.1  255.255.255.255         10.8.0.5        10.8.0.6      35
...
        128.0.0.0        128.0.0.0         10.8.0.5        10.8.0.6      35
      192.168.1.0    255.255.255.0          On-link    192.168.1.60     291
      192.168.1.0    255.255.255.0         10.8.0.5        10.8.0.6      35
```

DNS resolution is instant and all network resources, be it on the local network or on the VPN network, are working just fine.
