So I have a somehow convoluted setup where my local service traffic goes to a VPS and gets out from the VPS's public IP address.
I have achieved this by running a GRE tunnel over the VPN tunnel to the VPS.
The setup works; however, OUTGOING packets from the local service get a different source port number once they get on the GRE tunnel, and therefore the local service marks the reply as invalid.
Here is how it goes:
LOCAL SERVICE >> router >> vpn(gre tunnel) >> vps >> destination on wan
Consider:
a.a.a.a >> local service IP on local LAN
g.g.g.g >> GRE endpoint address on local LAN
d.d.d.d >> destination address on WAN (where packets want to go)
The packet path (slightly simplified):
Packet FROM "a.a.a.a:1000 TO d.d.d.d:2000" gets in the tunnel, so it becomes "g.g.g.g:1500 TO d.d.d.d:2000"; it gets to the GRE endpoint on the VPS, and from there the packet gets SNATed and goes out as "v.v.v.v:1500 TO d.d.d.d:2000".
The reply comes back from the destination ADDRESSED TO "v.v.v.v:1500", SO when it goes back to the local service it goes to a.a.a.a:1500 INSTEAD of a.a.a.a:1000 that it originated from.
Is this behavior over a GRE tunnel expected? Or am I doing something stupid?
If this is expected of GRE, what other protocol would you recommend?
Oh, BTW:
VPS is running Ubuntu Server.
LAN router is running pf (OPNsense).


There's an awful lot of NATing going on there, but clearly whatever did the a.a.a.a:1000->g.g.g.g:1500 translation on the way out should be doing a g.g.g.g:1500->a.a.a.a:1000 translation on the responses coming back in. It would be better to eliminate that NAT operation entirely and just put the a.a.a.a:1000 packets into the tunnel, but whether that works depends on how the VPS works.
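The point of that reply, as an added toy model that is not from either poster: each NAT hop on the path is modelled as a stateful source-NAT that records its outbound rewrite and undoes it on the reply, and the three cases compared are the thread's bug (the router rewrites the port on the way out but has no state to reverse it), the router doing the reverse translation, and no router NAT at all (a.a.a.a routed straight into the tunnel, with the VPS doing the only SNAT). The addresses are the thread's placeholders; the port numbers and the `Snat` class are constructed for this example.

```python
from dataclasses import dataclass, replace

# Placeholder addresses taken from the thread.
LAN_HOST, GRE_END, VPS_PUB, WAN_DST = "a.a.a.a", "g.g.g.g", "v.v.v.v", "d.d.d.d"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Snat:
    """One source-NAT hop. Stateful: remembers every outbound rewrite and undoes
    it on the matching reply. Stateless (keep_state=False): rewrites the address
    only and keeps whatever port the reply carries, which is what the thread sees."""
    def __init__(self, public_ip, inside_ip, first_port, keep_state=True):
        self.public_ip, self.inside_ip = public_ip, inside_ip
        self.next_port, self.keep_state = first_port, keep_state
        self.table = {}  # (public_ip, port) -> (original src, original sport)

    def outbound(self, pkt):
        port, self.next_port = self.next_port, self.next_port + 1
        if self.keep_state:
            self.table[(self.public_ip, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt):
        orig = self.table.get((pkt.dst, pkt.dport))
        if orig is None:                      # no state: address-only mapping
            return replace(pkt, dst=self.inside_ip)
        return replace(pkt, dst=orig[0], dport=orig[1])

def round_trip(hops, pkt):
    """Push pkt out through every NAT hop, then bring d.d.d.d's reply back in."""
    for hop in hops:
        pkt = hop.outbound(pkt)
    reply = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)
    for hop in reversed(hops):
        reply = hop.inbound(reply)
    return (reply.dst, reply.dport)           # where the LAN host sees the reply

def scenario(router_nat):
    """router_nat: 'stateless' (the thread's bug), 'stateful' (reverse
    translation on the router), or None (no router NAT; the VPS SNATs a.a.a.a)."""
    hops = []
    if router_nat:
        hops.append(Snat(GRE_END, LAN_HOST, 1500, keep_state=(router_nat == "stateful")))
    hops.append(Snat(VPS_PUB, GRE_END, 1500))
    return round_trip(hops, Packet(LAN_HOST, 1000, WAN_DST, 2000))

if __name__ == "__main__":
    for case in ("stateless", "stateful", None):
        print(case, "->", scenario(case))
```

Only the stateless router delivers the reply to a.a.a.a:1500; both fixes return it to a.a.a.a:1000, which is why the local service stops seeing the reply as invalid.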