ClearFoundation Tracker - ClearOS
View Issue Details
ID: 0001046
Project: ClearOS
Category: app-firewall - Firewall
View Status: public
Date Submitted: 2013-03-20 15:46
Last Update: 2013-04-22 10:23
Reporter: dloper
Assigned To: dloper
Priority: low
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: won't fix
Product Version: 6.3.0
0001046: OpenVPN tunnel works for clients behind firewall unless they are included in 1:1 NAT
When an OpenVPN site-to-site tunnel is configured, workstations can access servers on the other side of the tunnel except when a 1:1 NAT rule is applied to that particular workstation.
No tags attached.
Issue History
2013-03-20 15:46  dloper  New Issue
2013-03-22 15:59  dloper  Note Added: 0000761
2013-03-22 20:37  user2   Project: ClearCenter => ClearOS
2013-03-22 20:37  user2   Category: clearos-release-professional => General
2013-03-22 20:37  user2   Status: new => confirmed
2013-03-22 20:37  user2   Category: General => app-firewall - Firewall
2013-03-22 20:37  user2   Target Version: 6.3.0 =>
2013-03-22 20:40  user2   Note Added: 0000762
2013-04-22 10:22  dloper  Note Added: 0000805
2013-04-22 10:22  dloper  Assigned To: => dloper
2013-04-22 10:22  dloper  Status: confirmed => assigned
2013-04-22 10:23  dloper  Note Added: 0000806
2013-04-22 10:23  dloper  Status: assigned => closed
2013-04-22 10:23  dloper  Resolution: open => won't fix

Notes
(0000761)
dloper
2013-03-22 15:59
This is also the case for ClearOS 5.x: when hosts are part of the network and are assigned to 1:1 NAT, they are unable to reach hosts in the TUN network.

What is happening here is that the source packet is being NATed to the address in the 1:1 NAT, such that the host in the tunnel receives the packet with the public IP address represented in 1:1 instead of the internal IP as the respond-to address. The host then replies, but NOT in the tunnel, and the packet is received by the 1:1 alias address and is dropped because of a state violation.
(0000762)
user2
2013-03-22 20:40
The firewall has some special rules to handle NAT policies for IPsec VPN. These same rules likely need to be applied to OpenVPN tunnels as well.
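The mechanism dloper describes in note 0000761 (the 1:1 SNAT is applied to the workstation's packets before they enter the tunnel, so the far side replies to the public alias rather than back through the tunnel) and the fix user2 sketches in note 0000762 (an exclusion ahead of the 1:1 NAT, as is already done for IPsec) can be illustrated with plain iptables. The script below is an added example and not ClearOS app-firewall code; the addresses are constructed (192.168.1.50 for the 1:1-mapped workstation, 203.0.113.10 for its public alias, 10.8.0.0/24 for the OpenVPN tunnel network, 192.168.2.0/24 for the remote site's LAN), and the function name one_to_one_nat, the ipt helper and the DRY_RUN switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the ClearOS firewall: emit 1:1 NAT rules in an
# order where traffic from the mapped LAN host toward the OpenVPN tunnel is
# excluded from SNAT, so the remote host sees the private address and its
# reply comes back through the tunnel instead of hitting the public alias.
#
# Assumed (constructed) addresses:
#   192.168.1.50   LAN workstation that has a 1:1 mapping
#   203.0.113.10   its public alias
#   10.8.0.0/24    OpenVPN tunnel network
#   192.168.2.0/24 remote site's LAN reached through the tunnel

# Run iptables, or only print the command when DRY_RUN=1 (assumed switch).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# one_to_one_nat LAN_IP PUBLIC_IP TUNNEL_NET [REMOTE_LAN ...]
# The nat table is consulted only for the first packet of a connection, so
# the exclusions must be appended before the catch-all SNAT rule.
one_to_one_nat() {
    lan_ip=$1
    public_ip=$2
    tunnel_net=$3
    shift 3

    # RETURN in the built-in POSTROUTING chain falls through to the chain
    # policy (ACCEPT), i.e. the packet leaves without any NAT.
    ipt -t nat -A POSTROUTING -s "$lan_ip" -d "$tunnel_net" -j RETURN
    for net in "$@"; do
        ipt -t nat -A POSTROUTING -s "$lan_ip" -d "$net" -j RETURN
    done
    # Anything that egresses via a tun interface is tunnel traffic as well.
    ipt -t nat -A POSTROUTING -s "$lan_ip" -o 'tun+' -j RETURN

    # The 1:1 mapping itself: inbound DNAT to the host, outbound SNAT to the
    # alias. Only now, after the exclusions, is the SNAT reached.
    ipt -t nat -A PREROUTING -d "$public_ip" -j DNAT --to-destination "$lan_ip"
    ipt -t nat -A POSTROUTING -s "$lan_ip" -j SNAT --to-source "$public_ip"
}
```

Running `DRY_RUN=1 one_to_one_nat 192.168.1.50 203.0.113.10 10.8.0.0/24 192.168.2.0/24` prints the five rules without touching the kernel; without DRY_RUN the same call applies them. The ordering is the point: if the SNAT rule is reached first, the tunnel host receives 203.0.113.10 as the source and answers via its default route, which is exactly the failure described in the notes. ClearOS generates its rule set itself, so this shows the shape of the exclusion rather than how app-firewall implements it.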
(0000805)
dloper
2013-04-22 10:22
This bug is deprecated by this one extended report:

http://tracker.clearfoundation.com/view.php?id=1108
(0000806)
dloper
2013-04-22 10:23
Deprecated and moved to:

http://tracker.clearfoundation.com/view.php?id=1108