Score:0

SNAT does not work to keep real client IP, MASQUERADE works

I have 3 hosts: AAA, BBB, CCC.

  1. Host AAA is an OpenVPN server with IP 172.17.10.1 and mask 255.255.255.0.
  2. Host BBB has 2 tun interfaces:
     • an OpenVPN server with IP 172.16.10.1 and mask 255.255.255.0
     • an OpenVPN client with IP 172.17.10.50 (connected to OpenVPN server AAA)
  3. Host CCC is an OpenVPN client with IP 172.16.10.50 (connected to OpenVPN server BBB). It has routing to 172.17.10.0/24 via 172.16.10.1.

My goal is host CCC to successfully ping host AAA and host AAA to see the traffic from the original IP of host CCC (172.16.10.50).

I have set up iptables -A FORWARD ... -j ACCEPT on host BBB.

On host BBB I have set up a POSTROUTING rule. For example, with MASQUERADE the ping is successful, but the problem is that this way host AAA sees src IP 172.17.10.50 (the IP of host BBB):

iptables -t nat -D POSTROUTING -s 172.16.10.50 -d 172.17.10.1 -o tun17 -j MASQUERADE

I change MASQUERADE to SNAT, but the ping fails:

iptables -t nat -A POSTROUTING -s 172.16.10.50 -d 172.17.10.1 -o tun17 -j SNAT --to-source 172.16.10.50

The problem is that with tcpdump I see that the traffic does not exit host BBB and there is no traffic to host AAA:

root@BBB:# tcpdump -ni tun17
listening on tun17, link-type RAW (Raw IP), capture size 262144 bytes
12:16:45.777464 IP 172.16.10.50 > 172.17.10.1: ICMP echo request, id 30730, seq 1149, length 64
12:16:46.801548 IP 172.16.10.50 > 172.17.10.1: ICMP echo request, id 30730, seq 1150, length 64

I tried to change SNAT to source IP 172.17.10.55 (an IP address from the 172.17.10.0/24 network), but again the ping fails and again the traffic does not exit host BBB:

iptables -t nat -A POSTROUTING -s 172.16.10.50 -d 172.17.10.1 -o tun17 -j SNAT --to-source 172.17.10.55

12:16:47.825419 IP 172.17.10.55 > 172.17.10.1: ICMP echo request, id 30730, seq 1151, length 64
12:16:48.849460 IP 172.17.10.55 > 172.17.10.1: ICMP echo request, id 30730, seq 1152, length 64

Why can I not use SNAT with --to-source 172.16.10.50, or even with --to-source 172.17.10.55 (an IP address from the same 172.17.10.0/24 network), to ping 172.17.10.1 from host CCC?

The traffic seems to sit on host BBB and does not exit from its tun17. I see that the traffic goes from host CCC to host BBB and is forwarded from tun16 to tun17, but then it cannot be sent to host AAA with SNAT.

The ping only works if the source IP address of the packet is 172.17.10.50. If I change the source IP to 172.17.10.55 for example, the ping fails.

I think the problem is neither the firewall nor routing; I suspect some OpenVPN restriction, but I am not sure. The two OpenVPN servers are in --topology subnet mode with /24 network masks.

Score:1

You have to add an iroute in the ccd to manipulate the internal OpenVPN routing table.

Otherwise OpenVPN doesn't know where to route the packets back. In the OpenVPN log you must have a line like "MULTI: bad source address from client [IP ADDRESS], packet dropped"

Read more here:

https://community.openvpn.net/openvpn/wiki/RoutedLans
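The answer put into concrete configuration for this topology, as an added example that is not from the thread. It assumes host BBB's client certificate has the common name "BBB" and that AAA's config lives under /etc/openvpn/ (placeholder paths).

```conf
# Added example, not from the thread.
# /etc/openvpn/server.conf on host AAA (assumed path)
server 172.17.10.0 255.255.255.0
topology subnet

# Kernel route on AAA: replies destined to CCC's subnet must enter the tun
# device instead of leaving via the default gateway.
route 172.16.10.0 255.255.255.0

# Per-client configuration directory; OpenVPN looks up a file named after
# the connecting client's certificate CN.
client-config-dir /etc/openvpn/ccd

# /etc/openvpn/ccd/BBB on host AAA (file name = assumed CN of host BBB)
# Internal OpenVPN route: tells the daemon that 172.16.10.0/24 sits behind
# client BBB, so packets with source 172.16.10.50 arriving over BBB's tunnel
# are accepted instead of being dropped with "MULTI: bad source address".
iroute 172.16.10.0 255.255.255.0
```

With both directives in place, BBB only needs ip_forward and the FORWARD accept rule; no SNAT or MASQUERADE on tun17 is required, so AAA sees the real source 172.16.10.50. After restarting AAA's server, the "bad source address" line should no longer appear in its log.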

Thank you, adding iroute works! I do not even need masquerading anymore. I had been searching for a solution in the Linux kernel TCP stack and did not know about the iroute internal OpenVPN routing table. Thanks, case closed.