Thomas S wrote:

The Turnkey OpenVPN appliance, when either "gateway" or "server" is chosen, automatically sets up NAT/masquerading. This means VPN clients are not visible to the company network. How do I disable this so that traffic from the company network can be routed via the OpenVPN server to the VPN clients? I'm not familiar with working with iptables directly.

Jeremy Davis wrote:

TBH I'm not 100% sure. Whilst I have been somewhat involved in maintaining our TurnKey OpenVPN appliance over the years, I'm certainly not an expert on its operation, or networking in general TBH. I have tested that it works as intended for each release, but have not tried any custom config.

Following your question, I've done a bit of reading (googled "disable NAT masquerading openvpn") and I don't have any specifics for you, but have a general idea of what might be involved, plus more understanding on why we provide the default config that we do.

So essentially it seems that what you want should be possible. However it seems that the default NAT/masquerading config should "just work" without any broader network config (hence why that's what we provide by default).

I'm not 100% sure, but it seems that if NAT/MASQUERADE is disabled, then routes to the OpenVPN subnet need to be manually configured on your network. Otherwise devices outside the OpenVPN subnet will not be able to route to ones within it.

Sorry, it's not a clear answer to your question, but it's the best I can manage. Plus there is a chance that I've completely misunderstood what I just read - so hopefully I'm not leading you astray.

To get further info, it's probably worth being aware that the current v15.x TurnKey appliance is based on Debian 9/Stretch (aka oldstable). We install OpenVPN from the Debian repositories (OpenVPN v2.4.0 in our v15.x app) and beyond our "helper scripts", the "QR code" hosting (to make mobile device connection super easy) and our default config, there isn't anything particularly special about OpenVPN in our appliance. So probably the best place to get a better understanding of OpenVPN is to read up on their docs. There are a few somewhat relevant questions on their forums too, although unfortunately they don't appear to have any answers. There also seem to be quite a few relevant questions on SuperUser (i.e. the StackExchange site) but none that jump out as explicitly answering your question (although perhaps I'm missing something). Anyway, here are a few links that look like they may have value:

OpenVPN reference/docs:

OpenVPN forums:

SuperUser (StackExchange) Q&A:

Now just re-reading your question, it seems to me that I've actually tried to answer a slightly broader meta-question, rather than explicitly answering your question. Regarding configuring iptables, you can either configure that via Webmin, or via the commandline. Webmin config should be fairly straight forward and commandline config is probably more complex than I can explain here in a few words, but you'll find plenty of info via an internet search (something like "iptables tutorial" should get you up to speed pretty quick).

Anyway, whilst it's not a simple answer to your question, I hope my post is of some value. If you get it working to your requirements, it'd be super awesome if you could post back - I'm sure others would appreciate it! :)

Thomas S wrote:

Thanks for the help. Following on from the superuser post you linked, I found the iptables rules are set up in /etc/iptables.up.rules. I simply commented out the whole NAT section like so. Then rebooted the vpn server, added a static route on our office router pointing the vpn client subnet to the vpn server, and as far as I can tell everything is working.


#*nat
#:PREROUTING ACCEPT [0:0]
#:POSTROUTING ACCEPT [0:0]
#:OUTPUT ACCEPT [0:0]
#-A POSTROUTING -o eth0 -j MASQUERADE
#COMMIT
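
The change above done as a script rather than by hand, as an added example that is not part of the thread and not the TurnKey appliance's own tooling. It rewrites an iptables-restore file so the whole *nat table is commented out, then checks the result before anything is loaded: that no active MASQUERADE rule remains, and that the filter table still forwards between the tunnel and the LAN. That second check matters because once masquerading is gone, LAN hosts can address VPN clients directly, so the FORWARD chain is the only thing gating that traffic. The sample rules file is constructed for the example: only its *nat block matches what the thread shows; the *filter contents, the tun0 interface name, the 10.8.0.0/24 client subnet, the 192.168.1.10 server address and a Linux office router are all assumptions.

```shell
#!/bin/sh
# Added example, not from the TurnKey appliance or the thread.

# Constructed stand-in for /etc/iptables.up.rules. The *nat block is the one
# the thread shows; the *filter table and interface names are assumptions.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
'

# Read a rules file on stdin; comment out every line from "*nat" through the
# COMMIT that closes that table, and pass every other line through untouched.
disable_nat_table() {
    awk '
        /^\*nat$/ { in_nat = 1 }
        in_nat    { print "#" $0; if ($0 == "COMMIT") in_nat = 0; next }
                  { print }
    '
}

# Exit 0 only if the rules on stdin contain no active (uncommented) MASQUERADE.
no_active_masquerade() {
    ! grep -q '^-A .*-j MASQUERADE'
}

# Exit 0 only if the filter table still accepts forwarding from the tunnel.
# With NAT gone this chain is what decides whether LAN hosts reach VPN clients.
forwards_tunnel() {
    grep -q '^-A FORWARD .*-i tun0 .*-j ACCEPT'
}

# The static route for the office router (Linux assumed): send the VPN client
# subnet ($1) to the OpenVPN server's LAN address ($2). Placeholder addresses.
router_route_cmd() {
    printf 'ip route add %s via %s\n' "$1" "$2"
}

# Stand-alone usage: show the rewritten file and the route to add on the router.
NEW_RULES=$(printf '%s' "$SAMPLE_RULES" | disable_nat_table)
printf '%s\n' "$NEW_RULES"
printf '%s\n' "$NEW_RULES" | no_active_masquerade && echo "# NAT table disabled"
printf '%s\n' "$NEW_RULES" | forwards_tunnel && echo "# FORWARD still accepts tun0 -> eth0"
router_route_cmd 10.8.0.0/24 192.168.1.10
```

To apply it for real, run the same transform over the live file (`disable_nat_table < /etc/iptables.up.rules > /tmp/iptables.up.rules.new`), validate the syntax with `iptables-restore --test` if your iptables build supports it, then move the new file into place and reload or reboot as Thomas did. IP forwarding on the server (`sysctl net.ipv4.ip_forward`) should already be on, since masquerading was forwarding the same traffic before; the only new piece is the static route on the router, which has to point at the server's LAN address, not the tunnel address.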

Jeremy Davis wrote:

Awesome! :) I'm glad to hear it was that easy and that my post was useful. Thanks for posting back to share that you got it working (and how).
