Does OpenVPN use NAT?

How does OpenVPN NAT work?

OpenVPN implements NAT using Batch NAT, a variant of the NAT standard developed by RFC 4789.

The basic operation is this: when packets are received from external hosts via the TCP/UDP listeners, NAT code inserts a new IP address for the connection. Any packets exchanged between clients and servers on the VPN also appear to be from the newly assigned IP addresses. Packets from local hosts, that is, hosts within the VPN subnet, do not take into account this new host address. Thus, it is impossible for a TCP or UDP listener (that resides within the VPN, and thus has the same IP address as its client or server) to know the true end-point of a conversation. This can have a significant effect on applications which rely on TCP and UDP streams, as these require end-to-end communication and the ability to correctly identify the source and destination endpoints. In the default configuration, OpenVPN does not alter the ports used for the TCP/UDP streams within the protected subnet; these are either randomly chosen for each client or server to the network (as per the RFC requirements), or set by the application itself, as discussed in chapter 13.9 of the user manual. Note that this is only true for the internal TCP and UDP streams; there is still no port translation happening when remote hosts perform UDP connections over the VPN and receive their answer back in the normal fashion. So, all UDP and TCP streams will be seen originating and ending at the public IP address of the listener, which has the correct local IP, because the NAT process has translated this value and provided a new, "internal" IP address for the endpoint.

In summary, here are the cases when OpenVPN Batch NAT may happen:

(1) An internal TCP or UDP stream that travels across the VPN arrives at an endpoint on the protected subnet.

(2) A TCP or UDP connection from a host on the protected subnet arrives at an endpoint on the protected subnet.

In both cases, the packet appears to come from the public IP address of the listening TCP or UDP endpoint. Therefore, it will be the TCP and UDP streams that need a fix.

The NAT rules used by OpenVPN. OpenVPN NAT rules are configured by setting the appropriate variables in the config file as described below.

Does OpenVPN use NAT?

How many hops are possible?

Can a client connect to many servers simultaneously? These questions appear to be answered below, but I have not yet found a good summary.

I apologize for asking about such a basic aspect of VPNs, but I am looking for some insight before using this software as my VPN provider. OpenVPN uses TCP/IP and OpenSSH (on Windows it uses WinScp, an open source wrapper) which does not perform NAT like Cisco's IPSec (if I'm correct). Instead, with OpenVPN, you define your own routes. A client can create a route with every server it wants to reach. It will send traffic via a series of tunnels and then send it all back to the first server that it routed the traffic back to through. Is this right?
Let's say a person is on the west coast of the US and wants to access one of five servers. On the east coast, how many hops are necessary? This is the most basic way of thinking about it: west -> east -> . The router can find another route, using OpenVPN again, or a NAT server.

Should I use NAT or routing in OpenVPN?

I've been reading up on VPNs recently, and I'm trying to figure out the best setup for my home network.

I currently have one wireless router connected to an Ethernet switch and two Ethernet connections (one going to a computer, the other going to a printer), and the main Ethernet connection goes through my cable modem. All computers, printers, and network equipment are in the basement.

It's important that all the computers be able to access the Internet through this network, so I was thinking about making an OpenVPN server on a new computer running a Debian Linux install (I prefer Debian over Windows because it's more secure). The computer will have two Ethernet ports, and I'll use the first port to connect a wireless router with the external (or "ext") IP address that the OpenVPN server provides. The second port will be configured as a bridge to make the internal and external networks merge into one. What I'd like to know is:

If I use NAT, the computers connected to the server will automatically use the ext IP address, but will need to use the ext IP address when they're connected to my cable modem. How can I make them use the internal network instead, so they can communicate on the internal network as well as the external? If I use routing, I can connect the router to the cable modem, and the computers will not need to use the ext IP address. How can I get the router to direct network traffic to my internal network?

You need to ensure your clients are using the correct IP address. If you want to run a NAT instance on a box and have all its internet activity pass through an OpenVPN instance then you need to tell clients to use your VPN endpoint in their routing configuration and point their default gateway to the OpenVPN's interface.

What is the difference between OpenVPN routed and NAT?

I'm running a VPN server with an OpenVPN tunnel.

When I'm connecting from my iPhone to the VPN server, my traffic is routed via OpenVPN. However, when I'm trying to connect to the VPN server from a remote computer, the OpenVPN server is connected to my router using NAT.

What's the difference between both connections? Is it possible that it has to do with the port forwarding settings I've made on the router?

Assuming the VPN server is actually on your LAN and you're trying to connect to it remotely, NAT allows you to access services on your LAN (or on a WAN-facing Internet Gateway) by pointing your computer's local network address (192.168.x for example) to their external IP addresses. In other words, the VPN server will only act as a gateway for remote hosts to talk to each other. It won't actually route traffic across the Internet.

In order for the VPN server to do its job of routing traffic, it needs to be directly connected to the public Internet (or to a private WAN-facing Internet Gateway that is also connected to the Internet). If you wanted to connect to the VPN server from a remote computer, you would have to NAT the connection because your VPN server would not be directly connected to the Internet.
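The two questions above ("Should I use NAT or routing" and "routed versus NAT") both come down to what a LAN host sees as the source address of a VPN client's packet, and whether its reply can find its way back. The following is an added example, not code from the page's answers or from OpenVPN itself: a small Python model of a VPN box forwarding a tun-to-LAN packet either unchanged (routed mode) or source-NATed behind its own LAN address (what an iptables MASQUERADE rule does). The addresses (10.8.0.0/24 tun subnet, 192.168.1.0/24 LAN, 192.168.1.10 for the VPN box), the port range and the function names are constructed assumptions.

```python
# Added example (not OpenVPN's code): model what a LAN host sees when a VPN
# client's packet is routed unchanged or source-NATed behind the VPN box's
# LAN address, and whether the LAN host's reply reaches the client.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TUN_NET = ip_network("10.8.0.0/24")          # assumed OpenVPN tun subnet
LAN_NET = ip_network("192.168.1.0/24")       # assumed home LAN
SERVER_LAN_IP = ip_address("192.168.1.10")   # assumed LAN-side address of the VPN box


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerade:
    """Minimal connection-tracking source NAT, like MASQUERADE on the LAN interface."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = str(public_ip)
        self.next_port = first_port
        self.out = {}   # (src, sport, dst, dport) -> translated source port
        self.back = {}  # (translated port, lan host, lan port) -> (src, sport)

    def outbound(self, pkt):
        """Rewrite the source of a tun->LAN packet; one port per flow, reused."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, self.out[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Reverse-translate a LAN reply; a packet with no table entry is dropped (None)."""
        orig = self.back.get((pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return None
        return Packet(pkt.src, pkt.sport, orig[0], orig[1])


def forward(mode, pkt, nat=None):
    """Forward a tun->LAN packet through the VPN box in 'routed' or 'nat' mode."""
    if ip_address(pkt.src) not in TUN_NET or ip_address(pkt.dst) not in LAN_NET:
        raise ValueError("this example only models tun -> LAN traffic")
    if mode == "routed":
        return pkt                  # source address passes through untouched
    if mode == "nat":
        return nat.outbound(pkt)    # LAN host sees the VPN box's own address
    raise ValueError(f"unknown mode {mode!r}")


def reply_reaches_client(mode, reply, nat=None, lan_has_tun_route=False):
    """Does a LAN host's reply get back to the VPN client?"""
    if mode == "routed":
        # Replies are addressed to 10.8.0.x; they only arrive if the LAN
        # gateway has a route for the tun subnet pointing at the VPN box.
        return ip_address(reply.dst) in TUN_NET and lan_has_tun_route
    # NAT mode needs no LAN route, but only tracked flows are translated back,
    # so the LAN cannot reach a VPN client that did not speak first.
    return nat.inbound(reply) is not None


def demo():
    """Side-by-side comparison on one constructed client packet."""
    client_pkt = Packet("10.8.0.6", 51000, "192.168.1.20", 80)
    nat = Masquerade(SERVER_LAN_IP)
    routed = forward("routed", client_pkt)
    natted = forward("nat", client_pkt, nat)
    routed_reply = Packet("192.168.1.20", 80, routed.src, routed.sport)
    nat_reply = Packet("192.168.1.20", 80, natted.src, natted.sport)
    unsolicited = Packet("192.168.1.20", 80, natted.src, 40999)  # never mapped
    return {
        "routed_src_seen_by_lan": routed.src,
        "nat_src_seen_by_lan": natted.src,
        "routed_reply_ok_without_route": reply_reaches_client("routed", routed_reply),
        "routed_reply_ok_with_route": reply_reaches_client("routed", routed_reply, lan_has_tun_route=True),
        "nat_reply_ok": reply_reaches_client("nat", nat_reply, nat),
        "nat_unsolicited_ok": reply_reaches_client("nat", unsolicited, nat),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical reading: in routed mode the LAN host logs the client's real 10.8.0.x address (useful for per-client firewall rules and audit logs) but the LAN gateway must carry a static route back to the tun subnet; in NAT mode nothing on the LAN needs changing, but every client looks like the VPN box, and LAN hosts cannot initiate connections to VPN clients because no translation entry exists for them.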
