NAT and Routing

Network Address Translation (NAT) is the default routing mechanism for Access Server. It grants access to resources near Access Server, such as a web or file server.

With NAT, Access Server translates the source address of information packets from VPN clients in the VPN client subnet to the Access Server's local private IP address. Then, it sends the information to the private network and the target system, making the traffic look like local traffic within the private subnet. That way, you don't need to introduce the VPN client subnet IP addresses into the private network behind Access Server.

Using NAT like this means you don't have to set up additional routes, and the target system can simply respond back within the local network without involving a gateway system. It's all seen as local traffic. However, it also means no direct path from the private network behind Access Server to the VPN client subnet. NAT provides one-way network traffic — from VPN clients to the private network. It's similar to a firewall in this way. The OpenVPN clients remain unreachable from your private network but can access resources in that private network.

Routing requires a more advanced configuration than NAT. You can enable it for use cases where you need two-way traffic between your private network behind Access Server and connected clients.

With routing, there's no address translation. Access Server forwards VPN client traffic from the VPN client subnet to the target private network as-is. The target network must then know where to reach the VPN client subnet. This requires adding a static route in the target private network's default gateway or in the targeted server's operating system.

The static route points to Access Server's private IP address in the private network, and traffic can then go in two directions, initiated from either side.