OpenVPN with NAT/PAT

Discussion in 'VPN' started by miazza, Jun 25, 2019.

  1. miazza

    miazza Occasional Visitor

    Joined:
    May 23, 2019
    Messages:
    20
    Hello guys, I have configured a OpenVPN on my Asus 86U and I’m quite happy with it.

    Anyhow I think I need some explanation (I’m a noob) about how this VPN works in an environment where my IP is NAT/PAT by the ISP.

    I try to better explain what I cannot understand:

    · My 86U manage a VPN with a specific UDP port on a private IP that is assigned by the ISP to my router. This private IP is later on NAT/PAT by the ISP to a public IP (that, as far as I have understood, it is unknown at the router)

    · Only the private IP is associated with DDNS service

    · My mobile (the host where I need to connect at the VPN), with OpenVPN app installed, connects to the VPN using the DDNS private IP information and the UDP port assigned to the VPN by the 86U (according to client.ovpn file created by the router)

    The question is: who is telling the route from the public IP of my mobile to the public IP associated to the 86U private IP? And vice versa?

    Surely I’ve not understood this NAT/PAT process and I'm asking a wrong question but, hopefully, someone of you can explain to me how the process works ... because the process works very well :)
     
  2. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,847
    Location:
    UK
    I don't think this can be the case. Private IP addresses are not routable across the internet. Therefore your VPN server must have a public IP address.

    What is the first octet of your WAN IP address as shown on the router's Network Map page? e.g. 82.x.y.z.
     
    L&LD likes this.
  3. miazza

    miazza Occasional Visitor

    Joined:
    May 23, 2019
    Messages:
    20
    Right now I have 37.182.x.y
     
  4. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,590
    Yes, that is a public IP. :)
     
    miazza likes this.
  5. miazza

    miazza Occasional Visitor

    Joined:
    May 23, 2019
    Messages:
    20
    OK, this explains almost all of my question :).
    But in this case who tells the public IP the private IP of the router?
    Going out it is clear, the 86U traces the routing through the UDP port but, coming back from the mobile, who is providing the NAT/PAT information from public to private IP?
    Is this information embedded in the DDNS?
     
  6. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,590
    The OpenVPN configuration file does. The router has two IP's, one outward facing (the same public IP) and the internal LAN IP you have configured. ;)
     
  7. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,847
    Location:
    UK
    What? :confused:
     
    L&LD likes this.
  8. eibgrad

    eibgrad Senior Member

    Joined:
    Feb 20, 2017
    Messages:
    220
    I have configured a OpenVPN on my Asus 86U and I’m quite happy with it.

    Would help if the OP was more specific, OpenVPN *client* or *server*? Because when I reread the OP's post, sometimes it sounds like the former, sometimes the latter.
     
    L&LD and ColinTaylor like this.
  9. miazza

    miazza Occasional Visitor

    Joined:
    May 23, 2019
    Messages:
    20
    I make it difficult to explain myself :). I think because the point is not clear to me ...
    I try again...:

    86U: Internal IP 192.168.1.1 --> ISP Private IP (Unknown) NAT/PAT --> ISP Public IP (DDNS) 37.182.x.y --->VPN UDP Port xxxx
    Client (Mobile): ISP Private IP (Unknown) NAT/PAT --> ISP Public IP --> VPN connection according to client.ovpn file at DDNS Port xxxx

    The fact that the 86U reports the Public IP does not mean that this is the real IP assigned by the ISP that is later on natted/patted to the Public IP.

    Now, from what I can understand, the client can easily trace the route client ISP Private IP NAT/PAT (Unknown) --> client ISP Public IP --> VPN connection --> ISP Public IP 37.182.x.y --> but who is managing the last part of the NAT/PAT process to arrive at the 86U?

    What happens in the very unlucky case when the Public IP (shared with more than one user) is used at the same time by two different users to open a VPN at the same UDP port?

    I hope the above better explains where the lack of understanding is in the whole VPN routing.
     
  10. miazza

    miazza Occasional Visitor

    Joined:
    May 23, 2019
    Messages:
    20
    Indeed the question is on both sides :)
    I make it difficult to understand on both sides (client and server) who resolves the last part of IP natting/patting that is normally managed by the ISP.
     
  11. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,590

    Sorry, this didn't help. It is now clear as mud. :)
     
  12. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,847
    Location:
    UK
    I think this is where the confusion is coming from. There is no NATing or PATing by your ISP.

    37.182.x.y is your public IP address. You can see it on the router.

    EDIT: If you go to www.whatsmyip.org do you see the same 37.182.x.y address at the top of the page?
     
    Last edited: Jun 26, 2019
    L&LD likes this.
  13. miazza

    miazza Occasional Visitor

    Joined:
    May 23, 2019
    Messages:
    20
    Yes. This is the point and I'm sure there is natting by my ISP.
    Of course when I go to www.whatsmyip.org I see my public IP but this does not mean my ISP is not natting my IP.
    By the way, in the WAN page of the router, under IP WAN I see two IPs:
    - 188.152.xxx.yyy
    - 169.254.xxx.yyy

    I guess the first one is the Public IP and the second one is the Private one provided by the ISP?
     
  14. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,847
    Location:
    UK
    Is the IP address reported by www.whatsmyip.org the same as the first entry on the WAN page of the router?
     
  15. miazza

    miazza Occasional Visitor

    Joined:
    May 23, 2019
    Messages:
    20
    Yes, the first IP is the one I see as first in the WAN page of the router.
    The second one is just below the first and I guess it is the one assigned by the ISP before natting or patting.
     
  16. Salles

    Salles Occasional Visitor

    Joined:
    Apr 30, 2019
    Messages:
    47
    Could you share a picture to show us what you are seeing. I do not quite understand where in the GUI you are looking.
     
  17. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,847
    Location:
    UK
    No. It's because you're using a PPPoE connection. See this thread here.

    There is nothing you have said that would indicate that any kind of NAT or PAT is happening. The fact that you can connect to your VPN server using its DDNS address and the router's WAN address matches its external address proves that there is no NAT/PAT.
     
    Last edited: Jul 1, 2019
    L&LD likes this.
  18. miazza

    miazza Occasional Visitor

    Joined:
    May 23, 2019
    Messages:
    20
    OK. This is a good explanation :)

    Well, that's really what is puzzling me.
    The ISP technical people are telling me that all the IPs in my town are subject to PAT and this is the reason why I asked my initial question.
    If you are right (and I trust you more than the ISP people) then I can derive that a VPN like the one we can create on the 86U works only if the ISP public IP is not PAT/NAT.

    Thanks for your assistance on this silly topic.
     
  19. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,847
    Location:
    UK
    What are they saying exactly? If they're saying "PAT" then I can't see any logic for that.

    If it's "NAT" then maybe it's random what address you get. The first address you said you had was 37.182.x.y, then later it was 188.152.x.y. Both of those are public addresses for Vodafone Italy. Maybe you were just lucky and on another day you might get a CGN address instead.

    Or they might be trying to explain (badly) the normal NAT and PAT that home routers do for LAN devices.
     
    miazza likes this.
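
The check walked through in the replies above (compare the router's WAN page address with the address an outside site reports, and look at which range the WAN address falls in), written out as an added example that is not part of any post in this thread. The function names and verdict strings are made up for illustration, and the sample addresses are constructed from documentation ranges, not taken from the thread.

```python
import ipaddress

# Address ranges that are not reachable directly from the internet.
NON_PUBLIC = {
    "rfc1918-private": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "cgn-shared": ("100.64.0.0/10",),   # RFC 6598 carrier-grade NAT space
    "link-local": ("169.254.0.0/16",),
}

def classify(addr):
    """Return 'public' or the name of the non-public range holding addr."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_PUBLIC.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return "public"

def diagnose(wan_addrs, external_addr):
    """Compare the router's WAN page with what an outside site reports.

    Returns (verdict, wan_addr, kind).
    """
    # A second 169.254.x.y entry on the WAN page is not the WAN address
    # (the thread attributes it to PPPoE), so skip link-local entries.
    usable = [a for a in wan_addrs if classify(a) != "link-local"]
    if not usable:
        return ("no-wan-address", None, None)
    wan = usable[0]
    kind = classify(wan)
    if kind != "public":
        # Router holds a private/CGN address: the ISP translates it, and
        # unsolicited inbound VPN packets have no mapping to follow.
        return ("upstream-nat", wan, kind)
    if ipaddress.ip_address(wan) == ipaddress.ip_address(external_addr):
        # The router itself owns the address the internet sees.
        return ("no-upstream-nat", wan, kind)
    # Public WAN address, but the outside world sees a different one.
    return ("mismatch", wan, kind)

if __name__ == "__main__":
    # Constructed samples; 203.0.113.0/24 and 198.51.100.0/24 are
    # documentation ranges standing in for real public addresses.
    samples = [
        (["203.0.113.7", "169.254.10.20"], "203.0.113.7"),
        (["100.64.12.34"], "203.0.113.7"),
        (["203.0.113.7"], "198.51.100.9"),
    ]
    for wan_list, ext in samples:
        print(wan_list, ext, diagnose(wan_list, ext))
```

A "mismatch" verdict can also mean the outside check was run from a device on another network (for example mobile data), so repeat it from a LAN client before drawing a conclusion.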
  20. miazza

    miazza Occasional Visitor

    Joined:
    May 23, 2019
    Messages:
    20
    They are saying NAT and PAT ... I do not know if this has any logic ...
    Surely the public IP I get is a random one among the ones available and every time I disconnect I get a new one.
    From what I have understood (with your assistance), the more probable logic is that I've been lucky till now :)