28 replies to this topic

[Erik Slagter]

Exactly, if you do not exactly what you're doing, don't use the TAP device (L2), use the TUN device (L3). The TUN device can be setup in two modes:

- normal mode, where each client gets it's own subnet, a bit wastful but very transparent to understand

- the multiple mode, where each client gets an address in the common ip range, but the traffic is still routed and not bridged. This is quicker to setup for multiple clients, but a bit less transparent.

 

Do NOT use NAT when not strictly required (i.e. only use it toward your ISP). It will give all sorts of surprises (like the above).

[WanWizard]

The big question remains what in that setup does the NAT, as it is clear from the logs that the client gets IP address 10.0.8.2, while the endpoint sees connections coming from 192.168.2.254 (the IP of the OpenVPN server).

[jpuigs]

Exactly, if you do not exactly what you're doing, don't use the TAP device (L2), use the TUN device (L3). The TUN device can be setup in two modes:

 

... and how do I change this ? OpenvpnGUI client doesn't have any option to choose LAN2 TAP device or LAN3  TUN device.

 

If server and client configs are both "dev tun", as you can see in previous posts, it's not my "decission" that Win10 Client use TAP device.....

 

 

 

Do NOT use NAT when not strictly required (i.e. only use it toward your ISP). It will give all sorts of surprises (like the above).

 

The big question remains what in that setup does the NAT, 

 

I haven't chosen to use or not NAT. It's default behaviour.

But it's something related to RasPi, because If I connect with an enigma box instead of win10 laptop, box sees all devices too, like the win10 laptop.

 

I know Wanwizard would like to know what does NAT, me too !!!!!!!

[Erik Slagter]

The NAT setting is probably not in OpenVPN. I don't know an OpenVPN option to do NAT. Please check your iptables (iptables -t nat -n -v -L).

Edited by Erik Slagter, 13 December 2020 - 10:56.

[jpuigs]

pi@raspberrypi:~ $ sudo iptables -t nat -n -v -L
Chain PREROUTING (policy ACCEPT 9103 packets, 1423K bytes)
pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 8930 packets, 1413K bytes)
pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 268 packets, 18577 bytes)
pkts bytes target     prot opt in     out     source               destination
  165  8770 MASQUERADE  all  --  *      eth0    10.8.0.0/24          0.0.0.0/0            /* openvpn-nat-rule */
Chain OUTPUT (policy ACCEPT 268 packets, 18577 bytes)
pkts bytes target     prot opt in     out     source               destination
pi@raspberrypi:~ $

[Erik Slagter]

So there we have our smoking gun, I guess!

[WanWizard]

Something in the raspian package that creates that "openvpn-nat-rule" I presume, as that isn't standard...

[jpuigs]

I think I've found it.

 

I installed openvpn using the PiVPN , https://www.pivpn.io/ (VPN for dummies  )

when you do: curl -L https://install.pivpn.io | bash    it executes the installation script: https://raw.githubus...tall/install.sh

 

...and looking at this script.... in confNetwork()

$SUDO sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf

if ! $SUDO iptables -t nat -S | grep -q "${VPN}-nat-rule"; then
   $SUDO iptables -t nat -I POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE -m comment --comment "${VPN}-nat-rule"
  fi

   

[WanWizard]

Mystery solved!