Not sure how well I can describe my issue, so sorry if something doesn't come across as correct. I have an OpenVPN server hosted at home; I have it set up and connecting fine from my phone, where it gets a static IP.
I want to set up IP controls on my network (so I can see the source of where traffic is coming from, e.g. phone vs laptop).
By default OpenVPN routes traffic through itself, so once traffic goes into the network it shows as the OpenVPN server's IP.
Research shows that you need to set it up as TAP, not TUN, but Android by default doesn't support that. So I looked at doing a 1:1 NAT to give my external devices an "internal" IP on my network.
E.g. my phone: VPN 10.10.101.101, LAN 10.10.100.101.
I have a VLAN set up with the IP ranges set, and have set the 100.101 IP on my VPN server's interface.
I found a 1:1 NAT rule and set that on my VPN server, hoping it would take traffic from my phone over the VPN (10.10.101.101) and NAT it to the LAN IP 10.10.100.101. However, that doesn't seem to have worked.
I'm getting the following error on my main router/firewall:
IPv4: martian source 157.240.8.13 from 10.10.101.101, on dev eth0
Which makes me think it's not doing a NAT but passing through its source IP as the VPN IP.
So now I'm at a bit of a loss.
Is it even possible to do what I want using OpenVPN? I've tried googling, but I can't seem to find exactly what I'm looking for.
Thanks Thomas
Configs:
server.conf
port 443
proto udp
dev tun
ca ca.crt
cert crt.crt
key key.key
tls-auth ta.key 0
key-direction 0
dh dh2048.pem
cipher AES-256-CBC
server 10.10.101.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.99.40"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
client-config-dir ccd
log openvpn.log
log-append openvpn.log
verb 3
Client.conf
client
dev tun
proto udp
remote VPN.Domain.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
cipher AES-256-CBC
redirect-gateway def1
remote-cert-tls server
iptables
iptables -vL -t filter
Chain INPUT (policy ACCEPT 4555 packets, 1080K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun+ any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
197 12387 ACCEPT all -- tun+ any anywhere anywhere
0 0 ACCEPT all -- tun+ eth1 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 tun+ anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 819 packets, 124K bytes)
pkts bytes target prot opt in out source destination
iptables -vL -t nat
Chain PREROUTING (policy ACCEPT 4547 packets, 602K bytes)
pkts bytes target prot opt in out source destination
0 0 NETMAP all -- any any anywhere 10.10.100.0/24 10.10.101.0/24
Chain INPUT (policy ACCEPT 66 packets, 11890 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets, 334 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 83 packets, 5320 bytes)
pkts bytes target prot opt in out source destination
0 0 NETMAP all -- any any anywhere 10.10.101.0/24 10.10.100.0/24
iptables -vL -t mangle
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
iptables -vL -t raw
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
iptables -vL -t security
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
By default OpenVPN routes traffic through itself, so once traffic goes into the network it shows as the OpenVPN server's IP.
That is not true. The VPN subnet is only "hidden" if you do SNAT/MASQUERADE for it. By default (and more like Linux's default) the traffic would merely be forwarded, and you need a return route on the default gateway (or each of the hosts) of your LAN for things to work (that is, they need to use the server as gateway for 10.10.101.0/24).
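The following script is an added example by the editor, not code from the question or from the answer above. It shows the two approaches the thread discusses side by side: the 1:1 NETMAP mapping the question attempts (computing what NETMAP does to an address and printing the two rules with the source/destination match each direction needs) and the plain-forwarding alternative the answer describes (a return route for the VPN subnet on the LAN gateway). The subnets come from the question; the interface wildcard tun+ and the SERVER_LAN_IP placeholder are assumptions. The commands are printed, not applied, so it can be run on any machine without root.

```shell
#!/bin/sh
# Editor-added example, not code from the question or the answer.
# Subnets from the thread: VPN 10.10.101.0/24, LAN 10.10.100.0/24.
# Assumptions (not in the thread): the OpenVPN interface matches "tun+",
# and SERVER_LAN_IP is a placeholder for the server's own LAN-side address.
VPN_NET=10.10.101.0/24
LAN_NET=10.10.100.0/24
SERVER_LAN_IP=SERVER_LAN_IP_PLACEHOLDER

# Dotted quad -> 32-bit integer (and back), POSIX sh arithmetic only.
ip_to_int() {
  echo "$1" | {
    IFS=. read -r a b c d
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
  }
}

int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmap_addr ADDR FROM_NET TO_NET
# NETMAP keeps the host bits and swaps the network bits, so 10.10.101.101
# maps to 10.10.100.101 and back. Exits 1 if ADDR is not inside FROM_NET,
# which is exactly the case in which the iptables rule would not match.
netmap_addr() {
  addr=$(ip_to_int "$1")
  plen=${2#*/}
  mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
  from=$(ip_to_int "${2%/*}")
  to=$(ip_to_int "${3%/*}")
  [ $(( addr & mask )) -eq $(( from & mask )) ] || return 1
  int_to_ip $(( (to & mask) | (addr & ~mask) ))
}

# Approach 1 (1:1 NAT, what the question attempts). Packets leaving the VPN
# clients are matched on SOURCE and rewritten in POSTROUTING; packets coming
# back from the LAN side are matched on DESTINATION and rewritten in
# PREROUTING. In the listing in the question, the POSTROUTING NETMAP rule
# shows "anywhere" as source and 10.10.101.0/24 as destination, and its
# packet counter is 0: outbound traffic has to be matched with -s instead.
netmap_rules() {
  cat <<EOF
iptables -t nat -A POSTROUTING ! -o tun+ -s $VPN_NET -j NETMAP --to $LAN_NET
iptables -t nat -A PREROUTING ! -i tun+ -d $LAN_NET -j NETMAP --to $VPN_NET
EOF
}

# Approach 2 (plain forwarding, what the answer describes): no NAT at all;
# the LAN gateway (or every LAN host) gets a route for the VPN subnet via the
# server, so packets from 10.10.101.x pass reverse-path validation on the
# router instead of being logged as "martian source".
return_route() {
  echo "ip route add $VPN_NET via $SERVER_LAN_IP"
}

# Stand-alone run: show the mapping for the phone's address, then print
# (do not apply) the commands for both approaches.
netmap_addr 10.10.101.101 "$VPN_NET" "$LAN_NET"
netmap_rules
return_route
```

The two approaches are alternatives, not a combination: with approach 2 the router sees the real VPN address 10.10.101.101 and the per-device visibility the question wants comes from the routed subnet itself; with approach 1 the router sees 10.10.100.101, and because the mapping is 1:1 on the host bits it stays stable for a client with a fixed VPN address.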