Networking – disable NAT in openvpn


I'm having a similar problem to this:
OpenVPN without NAT

Seems it wasn't answered yet.

Description of my situation:
I have an openvpn server on network A which another admin installed before he left the company. Now several users and servers connect to that openvpn server to access network A and get NATed, so all requests from vpn users/servers have the source address of the openvpn server.

Now I need a server on network A to access one of the openvpn clients/servers and want to disable NAT in openvpn to expose the "vpn internal" IP addresses of these clients and servers.

I know that I need to add a route on network A to access the vpn network; that's clear to me. But I cannot see how to disable NAT in openvpn. Also, there are no iptables rules present, so some openvpn-internal NAT mechanism seems to be in use.

Which options do I need to check to disable NAT?

Best Answer

  • On the OpenVPN server there must be a rule like

            iptables -t nat -A POSTROUTING -i tun0 -j MASQUERADE

    You can find it with

          iptables -t nat -L -n -v

    You must suppress this rule.

    If, as you claim (but did you run

          iptables -t nat -L -n -v

    to double-check there are no iptables rules at play?), the only other possibility is that natting is done through the iproute2 suite. Do

        cat /etc/iproute2/rt_tables

    jot down the names of the tables you have, then issue

         ip route show table TABLE_NAME | grep ^nat

    and see whether you can find some output. If you do, it means that the packet headers are rewritten by the iproute2 command ip route add nat ... All you need to do is to delete the routing table in question.

    These are the two possibilities, tertium non datur.

    Now you need to add a rule to the router to route packets for the OpenVPN subnet via the OpenVPN server (let's assume it has IP address 192.168.0.127). If the router were a Linux machine the following command would do:

           ip route add via

    Most routers, like Cisco's, have an Advanced routing capability, to be found in their GUI. You should use that to specify the route above.
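
One way to carry out the "find the rule, then suppress it" step from the answer above, as an added example that is not part of the original answer: it reads `iptables-save -t nat` output and prints the delete command for each source-NAT rule in POSTROUTING. The sample ruleset, the subnet 10.8.0.0/24 and the interface names are constructed values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list source-NAT rules from `iptables-save -t nat` output and
# print the matching delete command for each one.

# Constructed sample of `iptables-save -t nat` output (10.8.0.0/24, eth0 and
# docker0 are assumed values, not taken from the question).
sample_ruleset() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 80
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
EOF
}

# Read iptables-save output on stdin; for every POSTROUTING rule whose target
# is MASQUERADE or SNAT, print the command that would delete it.
# If a source subnet is given as $1, only rules with "-s <subnet>" are shown.
nat_delete_commands() {
    subnet="${1:-}"
    awk -v subnet="$subnet" '
        $1 == "-A" && $2 == "POSTROUTING" {
            target = ""; src = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "-s") src = $(i + 1)
            }
            if (target != "MASQUERADE" && target != "SNAT") next
            if (subnet != "" && src != subnet) next
            $1 = "-D"                      # same rule spec, delete instead of append
            print "iptables -t nat " $0
        }'
}

# Demo on the constructed sample. On the live server, feed real output instead:
#   iptables-save -t nat | nat_delete_commands 10.8.0.0/24
sample_ruleset | nat_delete_commands
```

Review the printed commands before running any of them, since other services (the container rule in the sample, for instance) may depend on their own MASQUERADE rules.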
