Community Help.

[DominikHoffmann]

My router, a pfSense system, runs a tap OpenVPN server. The OpenVPN server is at 192.168.1.1. Once I am connected to it via Viscosity, I can contact the pfSense system at 192.168.1.1.

I am currently connected to a different Wi-Fi system, which itself has is a 192.168.1.0/24 network. I cannot connect to any of the hosts on my pfSense’s 192.168.1.0/24.

Is there a way to configure the connection in Viscosity, so that the remote network is made available to the system running Viscosity as, let’s say 192.168.2.0/24?

[James]

Hi DominikHoffmann,

OpenVPN supports "client side NAT" remapping, however this is only for TUN/routed networks, it won't work for TAP/bridged:
https://www.sparklabs.com/support/kb/ar ... client-nat

Your best bet is to use more explicit routes so that they override the local range. If you just need to access a handful of IP addresses then I recommend adding each IP address as a route to the VPN connection (make sure the mask is 32 or 255.255.255.255):
https://www.sparklabs.com/support/kb/ar ... connection

If you need to access a much larger part of the subnet, you could set the routes 192.168.1.0/25 and 192.168.1.128/25 instead (which will cover the full 192.168.1.0/24 range), however you may also need to add an exception for your local router/gateway to avoid breaking the VPN connection:
https://www.sparklabs.com/support/kb/ar ... al-network

Cheers,
James

[DominikHoffmann]

OpenVPN supports "client side NAT" remapping, however this is only for TUN/routed networks, it won't work for TAP/bridged:
https://www.sparklabs.com/support/kb/ar ... client-nat

Thanks very much, James!

I tried

Code: Select all

client-nat snat 192.168.101.0/255.255.255.0

and got this in my Viscosity log file:

Code: Select all

2024-06-26 11:53:33: Viscosity Mac 1.11.2 (1691)
2024-06-26 11:53:33: Viscosity OpenVPN Engine Started
2024-06-26 11:53:33: Running on macOS 14.5
2024-06-26 11:53:33: ---------
2024-06-26 11:53:33: State changed to Connecting
2024-06-26 11:53:33: Checking reachability status of connection...
2024-06-26 11:53:33: Connection is reachable. Starting connection attempt.
2024-06-26 11:53:33: Options error: The command "client-nat" or one of its parameters is invalid for this version of OpenVPN (2.6.10). Please edit the connection, make sure the command is valid, and try again.
2024-06-26 11:53:33: Full command: client-nat snat 192.168.101.0/255.255.255.0
2024-06-26 11:53:34: The OpenVPN subsystem could not be started.
2024-06-26 11:53:34: State changed to Disconnected (OpenVPN System Failure)

I was hoping that that command would remap the entire remote 192.168.1.0/24 network to a 192.168.101.0/24 network accessible through my tun connection. Does my server not support that command?

[James]

Interesting, it appears OpenVPN's documentation for "client-nat" is wrong. It looks like the format was changed at one point, and the documentation was never updated. Looking at the source code instead, the correct format for the "client-nat" command is:

Code: Select all

client-nat type network netmask foreign_network

So using the same IP ranges listed in the documentation example, you'd instead need something like the following (adjust to use the appropriate type and IP ranges for your setup):

Code: Select all

client-nat snat 192.168.0.0 255.255.0.0 10.64.0.0

Cheers,
James