OpenVPN with NAT/PAT

[miazza]

Hello guys, I have configured a OpenVPN on my Asus 86U and I’m quite happy with it.

Anyhow I think I need some explanation (I’m a noob) about how this VPN works in an environment where my IP is NAT/PAT by the ISP.

I try to better explain what I cannot understand:

· My 86U manage a VPN with a specific UDP port on a private IP that is assigned by the ISP to my router. This private IP is later on NAT/PAT by the ISP to a public IP (that, as far as I have understood, it is unknown at the router)

· Only the private IP is associated with DDNS service

· My mobile (the host where I need to connect at the VPN), with OpenVPN app installed, connects to the VPN using the DDNS private IP information and the UDP port assigned to the VPN by the 86U (according to client.ovpn file created by the router)

The question is: who is telling the route from the public IP of my mobile to the public IP associated to the 86U private IP ? And viceversa ?

Surely I’ve not understood this NAT/PAT process and I'm aking a wrong question but , hopefully, someone of you can explain me how the process works ... because the process works very well

 

[ColinTaylor]

· My 86U manage a VPN with a specific UDP port on a private IP that is assigned by the ISP to my router. This private IP is later on NAT/PAT by the ISP to a public IP (that, as far as I have understood, it is unknown at the router)

· Only the private IP is associated with DDNS service

I don't think this can be the case. Private IP addresses are not routable across the internet. Therefore your VPN server must have a public IP address.

What is the first octet of your WAN IP address as shown on the router's Network Map page? e.g. 82.x.y.z.

 

[miazza]

I don't think this can be the case. Private IP addresses are not routable across the internet. Therefore your VPN server must have a public IP address.

What is the first octet of your WAN IP address as shown on the router's Network Map page? e.g. 82.x.y.z.

Right now I have 37.182.x.y

 

[L&LD]

Right now I have 37.182.x.y

Yes, that is a public IP.

 

[miazza]

OK, this explains almost all of my question .
But in this case who tells to the public IP the private IP of the router ?
Going out it is clear , the 86U trace the routing through the UDP port but, coming back from mobile who is providing the NAT/PAT information from public to private IP ?
Is this information embedded in the DDNS ?

 

[L&LD]

OK, this explains almost all of my question .
But in this case who tells to the public IP the private IP of the router ?
Going out it is clear , the 86U trace the routing through the UDP port but, coming back from mobile who is providing the NAT/PAT information from public to private IP ?

The OpenVPN configuration file does. The router has two IP's, one outward facing (the same public IP) and the internal LAN IP you have configured.

 

[ColinTaylor]

But in this case who tells to the public IP the private IP of the router ?

What?

 

[eibgrad]

I have configured a OpenVPN on my Asus 86U and I’m quite happy with it.

Would help if the OP was more specific, OpenVPN *client* or *server*? Because when I reread the OP's post, sometimes it sounds like the former, sometimes the latter.

 

[miazza]

What?

I make it difficult to explain myself . I think because the point is not clear to me ...
I try again...:

86U: Internal IP 192.168.1.1 --> ISP Private IP (Unknown) NAT/PAT --> ISP Public IP (DDNS) 37.182.x.y --->VPN UDP Port xxxx
Clien (Mobile): ISP Private IP (Unknown) NAT/PAT --> ISP Public IP --> VPN connection according to client.ovpn file at DDNS Port xxxx

The fact that the 86U reports the Public IP does not mean that this is the real IP assigned by the ISP that is later on natted/patted to the Public IP.

Now, from what I can understand , the clien can easily trace the route clien ISP Private IP NAT/PAT (Unknown) --> cluent ISP Public IP --> VPN connection --> ISP Public IP 37.182.x.y --> but who is mnaging the last part of the NAT/PAT process to arrive at the 86U ?

What happens in the very unlucky case when the Public IP (shared with more than one user) is used at the same time bat two different user to open a VPN at the same UDP port ?

I hope the above better explain where is lack of understanding in the VPN whole routing.

 

[miazza]

I have configured a OpenVPN on my Asus 86U and I’m quite happy with it.

Would help if the OP was more specific, OpenVPN *client* or *server*? Because when I reread the OP's post, sometimes it sounds like the former, sometimes the latter.

Indeed the question is on both sides
I make it difficult to understand on both sides (client and serverr) who resolves the last part of IP natting/patting that is normally managed by the ISP.

 

[L&LD]

I make it difficult to explain myself . I think because the point is not clear to me ...
I try again...:

86U: Internal IP 192.168.1.1 --> ISP Private IP (Unknown) NAT/PAT --> ISP Public IP (DDNS) 37.182.x.y --->VPN UDP Port xxxx
Clien (Mobile): ISP Private IP (Unknown) NAT/PAT --> ISP Public IP --> VPN connection according to client.ovpn file at DDNS Port xxxx

The fact that the 86U reports the Public IP does not mean that this is the real IP assigned by the ISP that is later on natted/patted to the Public IP.

Now, from what I can understand , the clien can easily trace the route clien ISP Private IP NAT/PAT (Unknown) --> cluent ISP Public IP --> VPN connection --> ISP Public IP 37.182.x.y --> but who is mnaging the last part of the NAT/PAT process to arrive at the 86U ?

What happens in the very unlucky case when the Public IP (shared with more than one user) is used at the same time bat two different user to open a VPN at the same UDP port ?

I hope the above better explain where is lack of understanding in the VPN whole routing.

Sorry, this didn't help. It is now clear as mud.

 

[ColinTaylor]

Indeed the question is on both sides
I make it difficult to understand on both sides (client and serverr) who resolves the last part of IP natting/patting that is normally managed by the ISP.

I think this is where the confusion is coming from. There is no NATing or PATing by your ISP.

37.182.x.y is your public IP address. You can see it on the router.

EDIT: If you go to www.whatsmyip.org do you see the same 37.182.x.y address at the top of the page?

 

[miazza]

I think this is where the confusion is coming from. There is no NATing or PATing by your ISP.

37.182.x.y is your public IP address. You can see it on the router.

EDIT: If you go to www.whatsmyip.org do you see the same 37.182.x.y address at the top of the page?

Yes. This is the point and I'm sure there is Natting bu my ISP.
Of course when I go to www.whatsmyip.org I see my public IP but this does not mean my ISP is not natting my IP.
By the way, in the WAN page of the router , Inder IP WAN I see two IP:
- 188.152.xxx.yyy
- 169.254.xxx.yyy

I guess the first one is the Public IP and the second one is the Private one provided by ISP ?

 

[ColinTaylor]

Yes. This is the point and I'm sure there is Natting bu my ISP.
Of course when I go to www.whatsmyip.org I see my public IP but this does not mean my ISP is not natting my IP.
By the way, in the WAN page of the router , Inder IP WAN I see two IP:
- 188.152.xxx.yyy
- 169.254.xxx.yyy

I guess the first one is the Public IP and the second one is the Private one provided by ISP ?

Is the IP address reported by www.whatsmyip.org the same as the first entry on the WAN page of the router?

 

[miazza]

Is the IP address reported by www.whatsmyip.org the same as the first entry on the WAN page of the router?

Yes, the first IP is the one I see as first in the WAN page of the router.
The secon one is just below the first and I guess it is the one assigned by the ISP before natting or patting.

 

[Salles]

Yes, the first IP is the one I see as first in the WAN page of the router.
The secon one is just below the first and I guess it is the one assigned by the ISP before natting or patting.

Could you share a picture to show us what you are seeing. I do not quite understand where in the GUI you are looking.

 

[ColinTaylor]

The second one is just below the first and I guess it is the one assigned by the ISP before natting or patting.

No. It's because you're using a PPPoE connection. See this thread here.

Yes, the first IP is the one I see as first in the WAN page of the router.

There is nothing you have said that would indicate that any kind of NAT or PAT is happening. The fact that you can connect to your VPN server using its DDNS address and the router's WAN address matches it's external address proves that there is no NAT/PAT.

 

[miazza]

No. It's because you're using a PPPoE connection. See this thread here.

OK. This is a good explanation

There is nothing you have said that would indicate that any kind of NAT or PAT is happening. The fact that you can connect to your VPN server using its DDNS address and the router's WAN address matches it's external address proves that there is no NAT/PAT.

Well , that's really what it's puzzling me.
The ISP Technical people are telling that all the IP in my town are subject to PAT and this is the reason why I made my initial question.
If you are right (and I trust you more than the ISP people) than I can derive that a VPN like the one we can create on the 86U works only if the the ISP public IP is not PAT/NAT.

Thanks for your assistance on this silly topic.

 

[ColinTaylor]

The ISP Technical people are telling that all the IP in my town are subject to PAT and this is the reason why I made my initial question.

What are they saying exactly. If they're saying "PAT" then I can't see any logic for that.

If it's "NAT" then maybe it's random what address you get. The first address you said you had was 37.182.x.y, then later it was 188.152.x.y. Both of those are public addresses for Vodafone Italy. Maybe you were just lucky and on another day you might get a CGN address instead.

Or they might be trying to explain (badly) the normal NAT and PAT that home routers do for LAN devices.

 

[miazza]

What are they saying exactly. If they're saying "PAT" then I can't see any logic for that.

If it's "NAT" then maybe it's random what address you get. The first address you said you had was 37.182.x.y, then later it was 188.152.x.y. Both of those are public addresses for Vodafone Italy. Maybe you were just lucky and on another day you might get a CGN address instead.

Or they might be trying to explain (badly) the normal NAT and PAT that home routers do for LAN devices.

They are saying NAT and PAT ... I do not know if this have any logic ...
Surely the puglic IP I get is a randome one among the ones available and every time I disconnect I get a new one.
From what I have understood (with your assistance), the more probable logic is that I've been lucky till now