  1. #1
    Newbie
    Join Date
    May 2014
    Posts
    7

    Untangle 10 OpenVPN NATing - Can it be turned off?

    Hi all,

    I've been having issues crop up and I'm pretty sure it's from VPN NATing that's turned on by default starting in Untangle 10. I'm wondering if there's a way to disable it (can't see the ability to disable it in the GUI), specifically for site-to-site implementations, which is our setup. Below are the problems I've found that I believe are being caused by the NATing on the VPNs.

    Microsoft DC locator service (affects AD site determination, which affects a lot of other services, like DFS referrals)
    This is causing me a lot of grief. It started off with DFS referrals not pointing to the proper servers. Users at remote sites had referrals pointing to servers at the main site, not their local site, shooting VPN traffic through the roof. Been working with Microsoft for weeks on this problem. What we found was that servers and clients at the remote sites are not correctly determining their AD site. This is a function/effect of the DC locator service. After doing a bunch of netmon traces and logging, it was found that NATing was going on with the VPNs, which was messing up the process. It's lengthy to fully explain, but clients at remote sites were getting responses back from servers believing their address was the main site's Untangle. Since that address is in the main site's AD subnet, it would determine the wrong AD site. From there other services start having problems. The big one for us was DFS referrals, but any service that relies on AD sites will get messed up.

    VMware vCenter
    This isn't really affecting staff but it's a big issue for the backend. I can't determine the exact cause that starts the problem, but multiple times remote ESXi hosts will disconnect from vCenter. This in itself isn't huge since it should try to reconnect. The problem is that vCenter has the same behavior as the above DC locator service. vCenter sees the remote ESXi host not as its real IP address but as the main site's Untangle. I can eventually get it to work by removing and re-adding the remote ESXi host, but that's not a long-term solution.

    Oh, and just a side note: we've been using Untangle and its OpenVPN for around 5 years. It's just recently, with version 10 and up, that these issues started appearing.
    Last edited by Parkland; 05-29-2014 at 09:54 AM.
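
The failure mode described in post #1, as an added example that is not part of the original thread: a DC picks a client's AD site from the source address it sees, using the most specific matching subnet object, so a source-NATed VPN client resolves to the wrong site. All subnets, site names, host names and the gateway address are constructed assumptions.

```python
import ipaddress

# Constructed AD subnet-to-site objects (assumed addressing, not from the thread).
AD_SUBNETS = {
    "10.1.0.0/16": "MainSite",
    "10.2.0.0/16": "RemoteSite",
    "10.2.8.0/24": "RemoteLab",   # more specific subnet wins over the /16
}
UNTANGLE_MAIN = "10.1.0.1"        # assumed inside address of the main site's gateway


def site_for(ip, subnets=AD_SUBNETS):
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def seen_by_dc(client_ip, nat_on_vpn, gateway=UNTANGLE_MAIN):
    """Source address the DC observes for a client across the site-to-site VPN."""
    return gateway if nat_on_vpn else client_ip


def audit(observations, gateway=UNTANGLE_MAIN):
    """Flag hosts whose observed source is the gateway or maps to another site.

    observations: iterable of (host, real_ip, observed_ip), e.g. built from
    DHCP/inventory data joined with addresses seen in server-side traces.
    """
    findings = []
    for host, real_ip, observed_ip in observations:
        expected, actual = site_for(real_ip), site_for(observed_ip)
        if observed_ip == gateway or expected != actual:
            findings.append((host, expected, actual))
    return findings


# Constructed observations: two remote hosts NATed, two seen with real addresses.
SAMPLE = [
    ("remote-pc1", "10.2.0.25", seen_by_dc("10.2.0.25", nat_on_vpn=True)),
    ("remote-esxi1", "10.2.0.10", seen_by_dc("10.2.0.10", nat_on_vpn=True)),
    ("main-pc7", "10.1.4.20", seen_by_dc("10.1.4.20", nat_on_vpn=False)),
    ("remote-pc2", "10.2.0.26", seen_by_dc("10.2.0.26", nat_on_vpn=False)),
]

if __name__ == "__main__":
    for host, expected, actual in audit(SAMPLE):
        print(f"{host}: expected site {expected}, DC would assign {actual}")
```

Comparing the source address in a server-side capture against the client's real address is the same check done by hand: if every remote host shows up as the gateway, NAT is in the path.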

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,543

    OpenVPN doesn't NAT by default in Untangle 10. This is misinformation that I've sadly helped spread.

    Untangle 10 will NAT according to the NAT policies you define. If you've added any NAT policies, you've likely done so in error, and your rules are overmatching. THAT will cause Untangle to NAT many things, including OpenVPN when it shouldn't.

    Also, you really should consider switching to IPSec for site-to-site work; it's much faster. As much as I HATE that protocol, the performance gains in AD replication specifically are well worth it.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    It does NAT.
    No. Sorry, it can't be disabled.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
