Address translation possible?

DominikHoffmann · 25 June 2024 02:08

My router, a pfSense system, runs a tap OpenVPN server. The OpenVPN server is at 192.168.1.1. Once I am connected to it via Viscosity, I can contact the pfSense system at 192.168.1.1.

I am currently connected to a different Wi-Fi system, which itself has is a 192.168.1.0/24 network. I cannot connect to any of the hosts on my pfSense’s 192.168.1.0/24.

Is there a way to configure the connection in Viscosity, so that the remote network is made available to the system running Viscosity as, let’s say 192.168.2.0/24?

James · 25 June 2024 12:40

Hi DominikHoffmann,

OpenVPN supports “client side NAT” remapping, however this is only for TUN/routed networks, it won’t work for TAP/bridged:
https://www.sparklabs.com/support/kb/article/advanced-configuration-commands/#client-nat

Your best bet is to use more explicit routes so that they override the local range. If you just need to access a handful of IP addresses then I recommend adding each IP address as a route to the VPN connection (make sure the mask is 32 or 255.255.255.255):
https://www.sparklabs.com/support/kb/article/routing-traffic-for-websites-applications/#specifying-traffic-to-go-through-the-vpn-connection

If you need to access a much larger part of the subnet, you could set the routes 192.168.1.0/25 and 192.168.1.128/25 instead (which will cover the full 192.168.1.0/24 range), however you may also need to add an exception for your local router/gateway to avoid breaking the VPN connection:
https://www.sparklabs.com/support/kb/article/routing-traffic-for-websites-applications/#specifying-traffic-to-go-through-the-normal-network

Cheers,
James

DominikHoffmann · 26 June 2024 15:58

Thanks very much, James!

I tried

client-nat snat 192.168.101.0/255.255.255.0

and got this in my Viscosity log file:

2024-06-26 11:53:33: Viscosity Mac 1.11.2 (1691)
2024-06-26 11:53:33: Viscosity OpenVPN Engine Started
2024-06-26 11:53:33: Running on macOS 14.5
2024-06-26 11:53:33: ---------
2024-06-26 11:53:33: State changed to Connecting
2024-06-26 11:53:33: Checking reachability status of connection...
2024-06-26 11:53:33: Connection is reachable. Starting connection attempt.
2024-06-26 11:53:33: Options error: The command "client-nat" or one of its parameters is invalid for this version of OpenVPN (2.6.10). Please edit the connection, make sure the command is valid, and try again.
2024-06-26 11:53:33: Full command: client-nat snat 192.168.101.0/255.255.255.0
2024-06-26 11:53:34: The OpenVPN subsystem could not be started.
2024-06-26 11:53:34: State changed to Disconnected (OpenVPN System Failure)

I was hoping that that command would remap the entire remote 192.168.1.0/24 network to a 192.168.101.0/24 network accessible through my tun connection. Does my server not support that command?

James · 10 July 2024 03:12

Interesting, it appears OpenVPN’s documentation for “client-nat” is wrong. It looks like the format was changed at one point, and the documentation was never updated. Looking at the source code instead, the correct format for the “client-nat” command is:

client-nat type network netmask foreign_network

So using the same IP ranges listed in the documentation example, you’d instead need something like the following (adjust to use the appropriate type and IP ranges for your setup):

client-nat snat 192.168.0.0 255.255.0.0 10.64.0.0

Cheers,
James