Reach OpenVPN clients directly from a private network

Introduction

This document details how to use Access Server's routing feature to provide access to connected VPN clients.

By default, Access Server uses Network Address Translation (NAT) for packet routing on the VPN. NAT is the easiest way to grant access to resources on the same network as Access Server, such as file or web servers. However, NAT traffic is basically one-way: OpenVPN clients can reach resources on the private network behind Access Server, but you can't reach the clients.

To provide direct contact with connected clients, you need to set up Access Server's routing.

Routing doesn't use address translation: Access Server forwards traffic from a VPN client, with its VPN client subnet source address intact, directly to the target private network. You must therefore make the target network aware of how to reach the VPN client subnet.

You can do this by adding a static route to a gateway or in the target server's operating system.

Use the sections below to configure Access Server to use routing and then add the static route.

Note: We recommend you use routing for Access Server configurations involving the VOIP protocol. It typically doesn't work with NAT.

Change from NAT to routing

Access Server uses NAT by default. To change to routing:

  1. Sign in to the Admin Web UI.
  2. Click Configuration > VPN Settings.
  3. Under Routing, click Yes, using Routing for Should VPN clients have access to private subnets (non-public networks on the server side)?
  4. Click Save Settings and Update Running Server.

With routing enabled, traffic for Access Server is now two-way, but you still need to define the routing tables correctly. That's because the target on the private network doesn't yet know how to return traffic to the VPN client subnet.

To add static routes:

  1. Take note of the VPN client subnet and the Access Server IP address. (For our example, the subnet is 172.16.47.0/24 and the server IP address is 192.168.47.222.)
  2. Look up the static route table in the default gateway system on your private network.
  3. Add the appropriate static route.
    • For our example, we add this route:
      Network 172.16.47.0 with subnet mask 255.255.255.0 to go through gateway 192.168.47.222

Traffic should now flow in both directions, from the VPN client subnet to the private network, and from the private network to the VPN client subnet.
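The static route from the steps above, worked through as an added example (this script is not part of the original document or of Access Server). It takes the example values, VPN client subnet 172.16.47.0/24 and Access Server LAN address 192.168.47.222, converts the prefix length to the dotted netmask a Windows gateway expects, prints the route command for a Linux host (ip route) and for a Windows host (route -p add), checks that the next hop actually sits on the same LAN as the host adding the route, and parses a constructed copy of ip route show output to confirm the route is present. The host address 192.168.47.10 and the sample routing table are constructed for the example; nothing here modifies the system.

```shell
#!/usr/bin/env bash
# Values from the example in the text: VPN client subnet and Access Server LAN IP.
VPN_SUBNET="172.16.47.0/24"
AS_LAN_IP="192.168.47.222"
# Constructed: address/prefix of the private-network host that will hold the route.
HOST_CIDR="192.168.47.10/24"

# Dotted-quad -> 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted-quad.
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> netmask, e.g. 24 -> 255.255.255.0 (Windows "route" wants the mask form).
prefix_to_mask() {
  int_to_ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Emit the static route command for "linux" or "windows": network <cidr> via gateway <gw>.
route_command() {
  local os=$1 cidr=$2 gw=$3
  local net=${cidr%/*} plen=${cidr#*/}
  case $os in
    linux)   echo "ip route add $net/$plen via $gw" ;;
    windows) echo "route -p add $net mask $(prefix_to_mask "$plen") $gw" ;;
    *)       echo "unsupported os: $os" >&2; return 1 ;;
  esac
}

# The next hop must be on the same LAN as the host adding the route; a kernel
# rejects a gateway it cannot reach directly. Returns 0 when gw is within host's subnet.
gateway_on_lan() {
  local gw=$1 host_cidr=$2
  local hostip=${host_cidr%/*} plen=${host_cidr#*/}
  local mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$gw") & mask )) -eq $(( $(ip_to_int "$hostip") & mask )) ]
}

# Given `ip route show` output as text, return 0 if <cidr> is routed via <gw>.
route_present() {
  local cidr=$1 gw=$2 table=$3
  printf '%s\n' "$table" |
    awk -v c="$cidr" -v g="$gw" '$1 == c && $2 == "via" && $3 == g { found = 1 } END { exit !found }'
}

# Constructed sample of `ip route show` on the host after the route was added.
SAMPLE_ROUTES="default via 192.168.47.1 dev eth0
172.16.47.0/24 via 192.168.47.222 dev eth0
192.168.47.0/24 dev eth0 proto kernel scope link src 192.168.47.10"

# Stand-alone run: show the commands and the two checks.
if gateway_on_lan "$AS_LAN_IP" "$HOST_CIDR"; then
  echo "Linux:   $(route_command linux "$VPN_SUBNET" "$AS_LAN_IP")"
  echo "Windows: $(route_command windows "$VPN_SUBNET" "$AS_LAN_IP")"
else
  echo "Gateway $AS_LAN_IP is not on the LAN of $HOST_CIDR; fix the address first" >&2
fi
if route_present "$VPN_SUBNET" "$AS_LAN_IP" "$SAMPLE_ROUTES"; then
  echo "Route for $VPN_SUBNET via $AS_LAN_IP is present in the sample table"
fi
```

Add the route on the default gateway if you want every host on the private network to reach the clients, or on an individual server if only that server needs to answer them. Because routing forwards the VPN client's own source address instead of the Access Server's, firewall rules on the private network can now distinguish VPN clients from the Access Server host; review those rules so the new route does not open more than you intend.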

VPN client subnets for cluster setups

If you have a high-availability setup using several Access Servers configured as a cluster, the routing and VPN client subnet features are more complicated. For details about how to use the Group Default IP Address Network to configure routing for a cluster configuration to reach connected clients, see Group default IP address networks for Access Server.

Troubleshooting

Whenever you have trouble getting traffic to pass through with Access Server, you should try to determine the exact spot where things break. To do this we use tools like tcpdump and ping to find the point where traffic stops. We describe this in detail on our page about troubleshooting reaching systems over the VPN tunnel.