I am trying to carry out port forwarding through an OpenVPN tunnel in split-tunnel mode, but when I try to reach my equipment on port 8080 at the IP A.A.A.A there is no response from it. When I run tcpdump, it receives the connection request but it returns with the IP address X.X.X.X.
When I do the same in full tunnel it works, and when I replace the RUT241 with a PfSense in split tunnel it works too.
I think there is a configuration to be made at the RUT241 level, but I can't find what it is.
I cannot configure the RUT241 in full tunnel because the server must have direct access to the Internet via the IP address X.X.X.X.
Does PfSense rewrite the source from A.A.A.A to 10.2.2.1 when forwarding to 192.168.2.50?
The masquerading (NAT) on OpenVPN zone can be disabled if the PfSense expects a packet with a LAN IP address instead of the tunnel IP. For this, navigate to Network → Firewall and edit OpenVPN => LAN zone. Make sure that LAN is included in ‘Allow forward to destination zones’ and try disabling masquerading.
I have just tested, and it is still the same: the request arrives at 192.168.2.50 with the client IP address, .50 responds correctly to the client IP address, but the return is not made through the tunnel.
If it arrives at 192.168.2.50 with the source IP of the client (public IP), then it is likely that 192.168.2.50 sends the reply via its default gateway, and thus the RUT241 routes it via its WAN interface. Could you try one of the following:
Masquerade (NAT) packets on PfSense that are coming from the Internet client with the IP address of the tunnel interface (10.2.2.1).
Try enabling masquerading on RUT241 for LAN => OpenVPN zone, so that traffic that comes from OpenVPN and goes into LAN is masqueraded with LAN IP of RUT241.
Test 2: "Try enabling masquerading on RUT241 for LAN => OpenVPN zone, so that traffic that comes from OpenVPN and goes into LAN is masqueraded with LAN IP of RUT241."
It does not work: the masquerade changes the IP to that of the RUT, but the return always goes out on the qmimux0 interface.
Yes, you are correct. Simple masquerading on LAN will not work in this case, and the packets would still be routed over WAN instead of the OpenVPN tunnel. The source NAT on PfSense should work fine, though.
Let me know if there are any other issues with this setup.
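The three outcomes discussed in this thread (no NAT, masquerade on the RUT241 LAN zone, source NAT on pfSense) all come down to one routing decision on the RUT241: which interface the reply packet matches once its destination address is known. The model below is an added example, not code from the thread, Teltonika or pfSense. It takes 192.168.2.50, 10.2.2.1 and the qmimux0 interface from the thread; the RUT241 LAN address 192.168.2.1, the interface names br-lan and tun0, the tunnel subnet 10.2.2.0/24 and the client address 203.0.113.10 are assumed or constructed for the example.

```python
"""Model of the reply path in a split-tunnel port forward.

Shows why masquerading on the RUT241 LAN side leaves the return traffic on
the WAN interface, while source NAT on pfSense pulls it back into the tunnel.
Added example; the addresses marked assumed/constructed are not from the thread.
"""
import ipaddress

# From the thread: host behind the RUT241, pfSense tunnel address, LTE WAN interface.
HOST_IP = "192.168.2.50"
PFSENSE_TUN_IP = "10.2.2.1"
WAN_IFACE = "qmimux0"

# Assumed: RUT241 LAN address, interface names and tunnel subnet.
RUT_LAN_IP = "192.168.2.1"
LAN_IFACE = "br-lan"
TUN_IFACE = "tun0"

# Constructed Internet client (RFC 5737 documentation range).
CLIENT_IP = "203.0.113.10"

# RUT241 routing table in split-tunnel mode: only the LAN and the tunnel
# subnet are reachable via br-lan / tun0; everything else takes the default
# route to the WAN. (In full-tunnel mode the default route would point at tun0,
# which is why the forward works there.)
RUT_ROUTES = [
    ("192.168.2.0/24", LAN_IFACE),
    ("10.2.2.0/24", TUN_IFACE),
    ("0.0.0.0/0", WAN_IFACE),
]


def route_lookup(dst, routes):
    """Longest-prefix match: return the egress interface for dst."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    if best_iface is None:
        raise ValueError(f"no route to {dst}")
    return best_iface


def reply_egress(client_ip, snat_on_pfsense=False, masq_on_rut_lan=False):
    """Interface the RUT241 uses for the host's reply in a given NAT scenario."""
    # Forward direction. pfSense port-forwards client -> A.A.A.A:8080 to the
    # host; with outbound SNAT it also rewrites the source to its tunnel address.
    src_in_tunnel = PFSENSE_TUN_IP if snat_on_pfsense else client_ip

    # RUT241 forwards tunnel -> LAN. With masquerading on the LAN zone it
    # rewrites the source to its own LAN address and records the mapping.
    src_seen_by_host = RUT_LAN_IP if masq_on_rut_lan else src_in_tunnel

    # Reply direction. The host answers whatever source it saw; both the LAN
    # address and any non-local address (via the default gateway) reach the RUT241.
    reply_dst = src_seen_by_host

    # conntrack reverses the masquerade before the routing decision, so the
    # reply's destination is the pre-NAT source again: the masquerade bought nothing.
    if masq_on_rut_lan:
        reply_dst = src_in_tunnel

    # The RUT241 now routes the reply: a public client address matches only the
    # default route (WAN); the pfSense tunnel address matches the tunnel subnet.
    return route_lookup(reply_dst, RUT_ROUTES)


def all_scenarios(client_ip=CLIENT_IP):
    """Reply egress interface for each option discussed in the thread."""
    return {
        "no NAT": reply_egress(client_ip),
        "RUT241 LAN=>OpenVPN masquerade": reply_egress(client_ip, masq_on_rut_lan=True),
        "pfSense SNAT to 10.2.2.1": reply_egress(client_ip, snat_on_pfsense=True),
    }


if __name__ == "__main__":
    for name, iface in all_scenarios().items():
        print(f"{name:32s} reply leaves RUT241 via {iface}")
```

Only the pfSense-side source NAT changes the address the host replies to, so only it changes the RUT241's routing decision; on pfSense this is an outbound NAT rule on the OpenVPN interface (Firewall > NAT > Outbound) that translates traffic destined to 192.168.2.50 to the tunnel address 10.2.2.1. The trade-off is that 192.168.2.50 then logs 10.2.2.1 as the source of every forwarded connection rather than the real client address, so any per-client logging or access control has to happen on pfSense.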