Create NAT on Tunnel?

Mike S

Regular Contributor
I have an Asus Router at my home and another one at my office. I am setting up an OpenVPN connection between my office and my home so that computers on either network can talk to each other.

What is the purpose of the Create NAT on Tunnel setting? Should I have this enabled or disabled?
 
For most normal use cases the NAT should be left enabled.

The exception would be when:

You are creating a routed (TUN) LAN to LAN connection, and
Each LAN is using a different subnet, and
You need clients on the server LAN to be able to access devices on the client LAN using their real IP address.

If all of the above is true then NAT should be disabled and you need to create a static route on the server side for the client's LAN. You also need to allow inbound traffic using the "Inbound Firewall" OpenVPN client parameter.
 
Exactly how do I configure the route on the server router? When I look at the route options, I don't see any way to set up the route to use the VPN tunnel.
 
Have a look at this post (I haven't done this for a long time so I'm a bit hazy on the specifics :rolleyes:).

IIRC you need to add a "route 192.168.99.0 255.255.255.0" to the custom configuration options for the VPN server. And also add an "iroute 192.168.99.0 255.255.255.0" to the client router as described in the link. (Where 192.168.99.0 is the client's LAN)

EDIT: It looks like you can achieve the same routing through the VPN server GUI by enabling the "Manage Client-Specific Options" and adding the client's subnet there.

EDIT 2: Looks like @Martineau has confirmed that. :D
 
Exactly how do I configure the route on the server router?

When I look at the route options, I don't see any way to set up the route to use the VPN tunnel.

You need to do this.....Asus Openvpn Site-to-Site config with Tun can't access client network computers

I'm totally perplexed. Here is my setup:

Office LAN: 192.168.135.0/24
Home LAN: 192.168.150.0/24

I set up the VPN Server at my office with client specific options as you showed (see attached screenshots). I then connected my home router's VPN client, but the VPN Status on the office router doesn't show the route to my home network.

What am I doing wrong?
 
I think I figured this out.

When I entered an Allowed Client with username "client" on the Office VPN Server Client Specific Options section, the route appears in the office router's VPN status with the Common Name = "client", even though I used "test" as the username for the VPN Connection.

If I change the office VPN Server Username / Password Auth Only to YES, the VPN Status shows the proper route with "test" as the Common Name, and everything works correctly.

I'm not enough of an OpenVPN guru to understand why the system has this quirky behavior. Is this a BUG?
 
No.

OpenVPN is deemed secure because it uses (by default) PKI certificates, so if a client device doesn't have the correct OpenVPN Server 'Common Name' (CN) certificate/credentials then it cannot connect to the server.

If someone manages to illegally obtain/steal the CN certificate then it can be immediately revoked on the Server, and a new certificate generated and distributed (by secure means) to the appropriate client devices.

Ideally you would generate a unique CN certificate by name (e.g. 'iPhoneFred' or 'MySG20' etc.) for each device that is allowed to connect.

However, the OpenVPN Server on the router (by default) only generates a single CN certificate for device name 'client'.

The problem is most would like the GUI to show by name the individual devices, so you should also create UserID/password combos, but they ALL use the same shared CN 'client' certificate, and securely enforce 'Username/Password Authentication=YES' in the GUI.

i.e. the client device must authenticate using both the certificate AND a (preferably) unique UserID/password.

Using ONLY a UserID/Password is very insecure, and the practice should be discouraged.

So, if you hover over the 'Common Name (CN)' field in the GUI, a pop-up will display why this is not a bug.

Thanks for the explanation. One question: When I use the default server setting for not forcing using only the username/password for authentication, the server’s VPN status shows the username as the client. Wouldn’t it make more sense for the common name to also use the username rather than the certificate name in this situation? That way you would have the security of using the certificate, but have a simple way to configure the routing subnets for multiple inbound VPN tunnels.

Thanks for the help.
 
As stated previously, you should ideally create individual Common-name certificates for each device that is allowed to connect.

i.e.
OfficeLAN
MyPhone

If you can't create individual Common-names, then to differentiate between the two visually in the status GUI, or if you wish to assign static IPs to them:

1. Create two accounts

OfficeLAN
MyPhone
2. Enforce 'Username/Password Authentication=YES' in the GUI

3. Add OpenVPN directive '--username-as-common-name' to the OpenVPN Server Custom Configuration GUI (see OpenVPN Reference Manual)
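The script below is an added example, not code from this thread, from Asuswrt or from OpenVPN. It ties together the two pieces of advice given here: the `route`/`iroute` pairing from the earlier reply (the server needs a kernel route into the tunnel plus a client-specific `iroute` telling OpenVPN which client owns the remote LAN), and the Common Name mapping in steps 1-3 above (client-specific options are looked up by the CN the server sees, which is the certificate CN `client` unless the username is used as the CN). The `Site`, `ServerAuth`, `plan_routes` and related names are the example's own; the LAN addresses are the ones posted in the thread.

```python
"""Planning helper for the Asuswrt OpenVPN site-to-site setup discussed above.

Hypothetical example code, not Asuswrt or OpenVPN code.  It models:
  * when "Create NAT on Tunnel" should be disabled (routed TUN, different
    subnets, hosts must reach the remote LAN by its real addresses);
  * the server-side 'route' plus client-specific 'iroute' for the remote LAN;
  * which Common Name the server uses to look up client-specific options.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    lan: ipaddress.IPv4Network

    def __post_init__(self):
        # Accept "192.168.150.0/24" strings as well as network objects.
        self.lan = ipaddress.ip_network(self.lan, strict=True)


@dataclass
class ServerAuth:
    cert_cn: str = "client"                 # the router's single default certificate
    username: str = ""
    userpass_only: bool = False             # GUI: "Username / Password Auth Only"
    username_as_common_name: bool = False   # directive added to Custom Configuration


def effective_common_name(auth: ServerAuth) -> str:
    """Return the CN under which the server looks up client-specific options."""
    if auth.userpass_only or auth.username_as_common_name:
        if not auth.username:
            raise ValueError("a username is required when the CN comes from it")
        return auth.username
    return auth.cert_cn


def nat_should_be_disabled(tun_mode: bool, server: Site, client: Site,
                           need_real_client_ips: bool) -> bool:
    """The thread's three conditions for turning 'Create NAT on Tunnel' off."""
    return tun_mode and server.lan != client.lan and need_real_client_ips


def plan_routes(server: Site, client: Site, common_name: str):
    """Build the server custom-config lines and the ccd entry for one client LAN.

    Overlapping LANs cannot be routed without NAT, so they are rejected.
    Assumes the server already pushes its own LAN to the client (the router's
    default), so only the client-LAN-to-server direction is configured here.
    """
    if server.lan.overlaps(client.lan):
        raise ValueError(f"{server.name} LAN {server.lan} overlaps "
                         f"{client.name} LAN {client.lan}")
    net, mask = client.lan.network_address, client.lan.netmask
    server_custom = [f"route {net} {mask}"]          # kernel route into the tun
    ccd = {common_name: [f"iroute {net} {mask}"]}    # OpenVPN-internal route
    return server_custom, ccd


def route_applies(ccd: dict, connected_cn: str) -> bool:
    """True if the connecting client's CN has a matching client-specific entry."""
    return any(line.startswith("iroute ") for line in ccd.get(connected_cn, []))


def render_ccd(ccd: dict) -> str:
    """Render ccd entries the way OpenVPN reads them from ccd/<common-name>."""
    return "\n".join(f"# ccd/{cn}\n" + "\n".join(lines) for cn, lines in ccd.items())


if __name__ == "__main__":
    office = Site("Office", "192.168.135.0/24")   # addresses from the thread
    home = Site("Home", "192.168.150.0/24")
    custom, ccd = plan_routes(office, home, "test")
    # Entry created for username "test", but the client connects with the
    # default certificate only: the server sees CN "client", so no route appears.
    seen = effective_common_name(ServerAuth(username="test"))
    print("cert-only CN:", seen, "-> route applies:", route_applies(ccd, seen))
    # With username-as-common-name the CN becomes "test" and the route applies.
    seen = effective_common_name(ServerAuth(username="test",
                                            username_as_common_name=True))
    print("username-as-common-name CN:", seen, "-> route applies:",
          route_applies(ccd, seen))
    print("\n".join(custom))
    print(render_ccd(ccd))
```

Running it reproduces the symptom reported earlier in the thread (a client-specific entry for "test" that never matches because the server sees CN "client") and shows why either enforcing username/password authentication or adding `username-as-common-name` makes the entry, and therefore the `iroute`, take effect.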
 
I set up the VPN Server using steps 1-3 above, including adding '--username-as-common-name' to the Custom Configuration as per your suggestion, and this is now working perfectly. A very simple solution to adding VPN tunnels connecting LANs at remote offices.

Thanks again for your help.
 