Member
Posts: 225
Registered: ‎12-02-2010
Kudos: 55
Solutions: 4

OpenVPN Client with NAT

After some troubleshooting I finally managed to get NAT to work on an EdgeMax router (v1.4) on an OpenVPN (client) interface. To my surprise I had to manually define a tun* interface.

My question is really, why have the vtun* interfaces listed in the Source "NAT Rule Configuration" window as an "Outbound interface" if they don't work? I think the UBNT team might need to change this...


Michel Greijmans
sincere:ict solutions - IT Support & Consultancy.
sincere:connect - The most experienced Wireless solutions provider in the Dutch Caribbean.

Accepted Solutions
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5465
Solutions: 1656
Contributions: 2

Re: OpenVPN Client with NAT

Are you using a ".ovpn" config file directly for the OpenVPN interface? If so, check if there is a line "dev tun" in the file. If there is, change that line to "dev-type tun". As discussed before, using a .ovpn config file will override the system settings, so that is needed to prevent the device name from getting replaced.



All Replies

New Member
Posts: 20
Registered: ‎08-27-2014
Kudos: 1

Re: OpenVPN Client with NAT

I made an account here just to write this post.

 

Michel, thank you _SO MUCH_ for figuring this out and posting about it. I have been scratching my head on this one for months. I eventually gave up and thought I'd try googling again, to see if anyone came up with a solution, and was very happy to see your post. My openvpn NAT works perfectly now.

 

To the UBNT team, PLEASE, for the love of god, fix this, or make it at least obvious that you need to type 'tun0' in, instead of selecting 'vtun0' from the dropdown list. Also, for whatever reason, in the Firewall section, you really DO have to specify 'vtun0' and NOT 'tun0', or the rules won't take effect. Why is it tun0 in some places and vtun0 in other places?

 

Please clear up this confusion. And, again, Michel, thank you so much.

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5465
Solutions: 1656
Contributions: 2

Re: OpenVPN Client with NAT

As discussed above, the "tunX" interface is created if the .ovpn file has a "dev tun" line, which overrides the interface name from the system configuration. So instead of using "tunX", the better approach is to change the .ovpn file to say "dev-type tun" so that it won't override the interface name.

Note that when using a .ovpn file, whether the setup works or not will depend on the content of the .ovpn file, which is "outside" the system configuration. So care should be taken to ensure that the options in the .ovpn files are compatible with the system configuration. If not using a .ovpn file, the system configuration will create a "vtunX" interface in all cases. Of course, since "dev tun" seems to be a common case in many online OpenVPN examples, we might look into always forcing "dev-type", for example, to make this particular case simpler.
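
An added example, not part of the original posts and not Ubiquiti's code: a shell check for the "dev tun" override described above, which rewrites it to "dev-type tun" so the interface keeps its configured vtunX name and the NAT rule's outbound interface matches. The function names and the sample config are constructed for illustration, and matching numbered names such as "dev tun0" goes slightly beyond the "dev tun" case in the thread.

```sh
#!/bin/sh
# Active (uncommented) "dev tun" or "dev tunN" directive. Lines starting
# with '#' or ';' are OpenVPN comments and never match. The three groups
# capture leading, middle and trailing whitespace so it can be preserved.
DEV_RE='^([[:space:]]*)dev([[:space:]]+)tun[0-9]*([[:space:]]*)$'

# Exit 0 if the config in $1 would override the system interface name.
has_dev_override() {
    grep -Eq "$DEV_RE" "$1"
}

# Print the offending lines with their line numbers, for review.
show_dev_override() {
    grep -En "$DEV_RE" "$1"
}

# Print a corrected copy of the config in $1 on stdout.
fix_ovpn_dev() {
    if grep -Eq '^[[:space:]]*dev-type[[:space:]]+tun' "$1"; then
        # dev-type is already set: just drop the overriding dev line.
        sed -E "/$DEV_RE/d" "$1"
    else
        # Replace the name-setting directive with a type-only directive.
        sed -E "s/$DEV_RE/\1dev-type\2tun\3/" "$1"
    fi
}

# Constructed sample client config (not taken from the thread).
sample_config() {
    cat <<'EOF'
client
dev tun
;dev tap
proto udp
remote vpn.example.com 1194
# dev tun0 is only mentioned in this comment
nobind
EOF
}
```

Review the output of `fix_ovpn_dev` before replacing the file the OpenVPN interface points at, then confirm the tunnel comes up under its vtunX name.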

New Member
Posts: 20
Registered: ‎08-27-2014
Kudos: 1

Re: OpenVPN Client with NAT

My configuration does indeed have 'dev tun', and this is the config pushed out to the ~1000 employees at my company. I've never seen 'dev-type tun' at prior employers, either. So, one way or another, I agree that you should find some way to simplify this.

 

Also, regarding terminology, not everyone uses a .ovpn file... I've got my .conf file and certs living in one directory in /config.

 

In any case, why can't the dropdown menu simply show the name of the actual device, and not assume it's called vtun0?

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5465
Solutions: 1656
Contributions: 2

Re: OpenVPN Client with NAT

There are likely other places in the system where it depends on the configured interface name since, for example, when configuring a "tunnel interface" (e.g., GRE), it also creates "tunX" interfaces, so there can be conflicts. In any case, as mentioned we can look into forcing the interface name if that doesn't have a negative impact. Thanks for the feedback.
