VPN without NAT to present with real IP on local network

Hi, I'm new to GL.iNet and OpenWrt.
I just bought a Beryl AX to use on my travels, but I replaced my old pfSense firewall at home with a FortiGate, and now I can't set up SSL VPN with FortiClient. I'm considering buying a second GL.iNet router to use as a WireGuard/OpenVPN server, and in the meantime I've been testing and I haven't been able to remove the NAT it does with the router's LAN interface.

The architecture is a FortiGate firewall that forwards the ports of the OpenVPN server (for example). The dedicated address range for the GL.iNet router is 192.168.200.0/27, and the router has the IP 192.168.200.1. The network for the VPN is 192.168.200.32/27.

The problem is that I can't get the real IPs of the devices when they connect via OpenVPN. I would like them to be presented with the real IPs of the assigned network 192.168.200.32/27, not all with the same IP of the router, 192.168.200.1.

In the server options I have disabled the IP Masquerading checkbox, but I still see the router's IP.

I have been checking LuCI, but I am not familiar with it either and I have not been able to configure it correctly. I think that from there it could be defined not to masquerade that traffic? I have configured my source network, with a destination network, which does not apply masquerade, in Firewall - NAT Rules, but either I have not done it correctly, or I do not know how to apply it correctly.

Could you help me? Or could you tell me if it's possible?

Regards,

Hello,

Here is a guide for reference:

  1. The server and client connection of OVPN or WG does not need to disable NAT.
  2. The VPN tunnel IP cannot be the same as the router LAN or WAN IP. If you want to access the local resources when they establish a VPN tunnel connection, you can enable "Allow LAN access" on the server, like

Hello,

I've drawn a diagram to explain this better.

When I'm connected via OpenVPN with the GL.iNet, the device has an IP in the range 192.168.201.0/24. When this device connects to devices on the Site-A network, it presents itself with the router's IP address of 192.168.200.2. I'd like the IP address to be the real IP address of the device (the OpenVPN IP) that connected via OpenVPN, 192.168.201.x/24.

I had no problems when using OpenVPN on a pfSense router, and I don't see how I can disable this masquerading on the GL.iNet router.

Hello again

I've found the solution and it's working.

Using LuCI, in the Firewall menu, on the NAT Rules tab, I configured a new NAT rule indicating my source network for the OpenVPN/WireGuard service, targeting the WAN interface and the private addresses of my Site-A, setting the Action to "ACCEPT - Disable address rewriting."

Now the real IP addresses are displayed in the Site-A firewall, allowing me to set correct, traceable rules.

I'll finish testing to see how GL.iNet works, and when I get the second device, we'll repeat the process.

Best regards!
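The rule described in the post above, written as the `/etc/config/firewall` section that LuCI's NAT Rules tab generates on OpenWrt (firewall4); this is an added illustration, not the poster's own export. The rule name and the Site-A subnet are assumptions, since the thread only gives the VPN client range 192.168.201.0/24; the Site-A firewall also needs a route back to 192.168.201.0/24 via the GL.iNet router, otherwise return traffic has nowhere to go once the router stops rewriting the source address.

```uci
# /etc/config/firewall on the GL.iNet (OpenWrt firewall4).
# Same thing as LuCI > Network > Firewall > NAT Rules with
# Action "ACCEPT - Disable address rewriting".
config nat
	option name 'vpn-clients-no-snat'   # assumed name
	option family 'ipv4'
	option proto 'all'
	option src 'wan'                    # outbound zone: the side facing Site-A
	option src_ip '192.168.201.0/24'    # OpenVPN/WireGuard client subnet from the thread
	option dest_ip '192.168.200.0/24'   # Site-A private range: placeholder, adjust to yours
	option target 'ACCEPT'              # keep the client's real source IP (no SNAT/masquerade)
```

Apply with `service firewall restart` (or Save & Apply in LuCI) and confirm in the Site-A firewall logs that VPN connections now arrive from 192.168.201.x instead of the router's address.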
