Ultra 4 Double NAT Solved With Teleport VPN
What Finally Fixed It?
It is a client’s system, though I say “I” and “my”.
The key fix that got Teleport VPN working behind the double NAT was adding the correct NAT (masquerade) rule on the UniFi Ultra, so that VPN client traffic from 10.10.0.0/24 was translated to the Ultra’s WAN address on eth4 and forwarded to the ISP router, which then applied the second NAT on its way out to the internet.
✅ The Key Fixes That Made It Work
Here’s a step-by-step breakdown of what I changed that led to success:
1️⃣ Found the Issue: VPN Clients Had No Internet Access
• I noticed that when connecting via VPN, internet traffic wasn’t working.
• I checked the UniFi Ultra’s WAN IP (192.168.40.229) and found that it was a private address handed out by an ISP router (public side 212.132.163.x), i.e. a Double NAT setup: the Ultra translates once, the ISP router translates again.
• UniFi Ultra had no NAT rule for the VPN client subnet (10.10.0.0/24), so VPN traffic was routed out of eth4 with its untranslated 10.10.0.x source address and never came back.
2️⃣ Added a Correct NAT (Masquerade) Rule on UniFi Ultra
• I tried to modify an existing NAT rule, but the VPN network wasn’t listed.
• Instead, I created a new NAT rule in UniFi Ultra’s GUI:
• Source Network: 10.10.0.0/24 (VPN Clients)
• Destination: 0.0.0.0/0 (Internet)
• Interface: eth4 (WAN, 192.168.40.229)
• Protocol: ANY
• Translated IP: Left Blank (or “Use WAN Address”)
• Action: Masquerade (NAT)
✅ This rule ensured that VPN users’ traffic was NATed to 192.168.40.229 and forwarded to the ISP router.
3️⃣ Verified That the ISP Router Allowed NAT Traffic
• Since the ISP router offered no DMZ option, I had to confirm that:
• It wasn’t filtering outbound connections from the Ultra’s WAN address, 192.168.40.229.
• Its own NAT passed the VPN clients’ traffic out via the public 212.132.163.x address (double NAT adds a second translation on the way out, but it does not by itself block outbound traffic).
4️⃣ Persistent NAT Fix
• Since UniFi Ultra doesn’t use /etc/network/interfaces, I made the rule persist another way:
• By adding it to a startup script (/etc/rc.local):
iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth4 -j MASQUERADE
• This ensured the NAT rule was re-applied after a reboot.
5️⃣ Final Verification: The Client’s Swiss Laptop Showed a UK IP!
• I reconnected the VPN and ran:
curl ifconfig.me
• Expected result: the UK public IP (212.132.163.2xx) appeared.
• This confirmed that ALL traffic from the VPN client was being routed via the UK! 🎉
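Steps 2 to 5 above are one procedure: add the masquerade rule, make it survive a reboot, and verify the exit address. The script below is an added example, not the post’s own /etc/rc.local, that does the same thing idempotently. It uses the post’s values (VPN subnet 10.10.0.0/24, WAN interface eth4, public prefix 212.132.163.x) as defaults; the helper names, the `apply` argument and the sample `iptables -S` output are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the original post's script): idempotent masquerade rule for
# VPN clients behind double NAT on a UniFi Ultra, plus an exit-IP check.
# Assumed defaults from the post; override via environment if your layout differs.
VPN_NET="${VPN_NET:-10.10.0.0/24}"
WAN_IF="${WAN_IF:-eth4}"
UK_PREFIX="${UK_PREFIX:-212.132.163.}"

# Build the rule spec once so check (-C), add (-A) and delete (-D) use identical arguments.
masq_rule_spec() {
  printf 'POSTROUTING -s %s -o %s -j MASQUERADE' "$1" "$2"
}

# Read the output of `iptables -t nat -S POSTROUTING` on stdin and return 0 if the
# masquerade rule for this subnet/interface is already present. Kept separate from
# iptables itself so it can be tested offline against captured output.
masq_rule_present_in() {
  grep -q -- "^-A $(masq_rule_spec "$1" "$2")\$"
}

# Apply the rule only if it is missing. rc.local runs on every boot, and a bare
# `iptables -A` there stacks a duplicate rule each time; -C avoids that.
ensure_masq_rule() {
  if iptables -t nat -C POSTROUTING -s "$1" -o "$2" -j MASQUERADE 2>/dev/null; then
    echo "masquerade rule for $1 via $2 already present"
  else
    iptables -t nat -A POSTROUTING -s "$1" -o "$2" -j MASQUERADE
    echo "added masquerade rule for $1 via $2"
  fi
}

# Return 0 if the observed public IP (e.g. from `curl ifconfig.me`) is in the
# expected prefix, i.e. traffic really exits via the UK ISP router.
exit_ip_in_prefix() {
  case "$1" in
    "$2"*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Only touch iptables when explicitly asked, so the file can be sourced safely.
# In /etc/rc.local you would call this as: sh /path/to/this.sh apply
if [ "${1:-}" = "apply" ]; then
  ensure_masq_rule "$VPN_NET" "$WAN_IF"
  ip="$(curl -s ifconfig.me)"
  if exit_ip_in_prefix "$ip" "$UK_PREFIX"; then
    echo "exit IP $ip is in expected prefix ${UK_PREFIX}x"
  else
    echo "WARNING: exit IP $ip is not in ${UK_PREFIX}x" >&2
  fi
fi
```

For the rc.local route to work at all, the file needs a `#!/bin/sh` line and the executable bit; and because the GUI rule and the rc.local rule describe the same translation, checking with `-C` first keeps the POSTROUTING chain from accumulating a copy per reboot.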
🚀 Summary of the Fix
✅ Created a new NAT rule for VPN users (10.10.0.0/24).
✅ Masqueraded VPN traffic on eth4 (192.168.40.229).
✅ Ensured outbound NAT worked via ISP router (212.132.163.x).
✅ Made the NAT rule persistent using startup scripts.
✅ Verified the fix when VPN users got a UK IP (curl ifconfig.me).
💡 Why It Took So Long to Solve
• UniFi Ultra didn’t list the VPN network in the GUI, forcing me to manually add a NAT rule.
• The ISP’s router offered no DMZ or similar option, so I had to work around the double NAT rather than remove it.
• UniFi Ultra doesn’t use /etc/network/interfaces, so I had to use an alternative method to persist NAT rules.
🔧 It was a complex networking issue, but several days and nights (!) of persistence and methodical troubleshooting paid off. 🎯
🚀 What’s Next?
• ✅ Check stability after a reboot.
• ✅ Run a speed test to check performance.
• ✅ Test sites to confirm UK location is consistent.
• ✅ If needed, optimise MTU settings for best performance.
🎉 Now the client has a working, always-on UK VPN solution that survives reboots! 🔧🚀