User SNAT bindings

This feature is available starting from version 1.5

User SNAT bindings allow administrators to assign specific public IP addresses to users for outbound traffic from Defguard VPN gateways in a given location. This provides fine-grained control over how user traffic appears to external networks.

Overview

Defguard administrators can create SNAT (Source Network Address Translation) bindings, each of which includes the following information:

  • location ID

  • user ID

  • public IP address

Once a binding is configured, when a specified user connects to a given location using one of their devices, all their traffic leaving the VPN gateway (for example to access the public internet) will appear as if originating from the configured IP address.

Configuring user SNAT bindings

Bindings can be configured through the Defguard REST API, which supports the following operations:

  • listing all bindings for a given location

  • creating a new binding

  • updating an existing binding

  • removing an existing binding

All the endpoints require authentication (with session cookies or API tokens) and Admin role permissions.

The details are available in the Swagger docs provided by each Defguard instance.

Each modification to configured bindings triggers an update to be sent to relevant VPN gateways assigned to a given location.

Implementation details

Configured bindings are sent to relevant VPN gateways as part of their firewall configuration.

Each binding is then translated into one SNAT rule in the POSTROUTING firewall chain.

Those rules are applied before the final MASQUERADE rule which handles all the remaining outbound traffic.

The gateway itself is not aware of which public IPs are available on its network interfaces, so it is important to verify that the IP address assigned to a user is actually configured on the gateway. Otherwise it is possible to block all outgoing traffic for that user, because their packets are rewritten to a source address that no interface owns.
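The rule ordering and the verification step described above, as an added illustration that is not Defguard's own gateway code: it renders one SNAT rule per binding followed by the catch-all MASQUERADE, and flags any binding whose public IP is not present on the gateway. The iptables syntax, the outbound interface name, the sample bindings and addresses, and the mapping from user ID to the user's tunnel address are all assumptions (the page does not show how the gateway matches a user's traffic).

```shell
#!/bin/sh
# Added example, not Defguard's gateway code. Renders the POSTROUTING order
# described above (SNAT rules first, MASQUERADE last) and checks that every
# bound public IP is actually configured on this host.

# Constructed bindings: "<user_id> <tunnel_ip> <public_ip>", one per line.
# The tunnel IP stands in for however the gateway identifies the user's
# traffic; the real binding carries a location ID, a user ID and a public IP.
BINDINGS='42 10.10.0.5 203.0.113.10
43 10.10.0.6 203.0.113.11
44 10.10.0.7 198.51.100.99'

# Constructed stand-in for the addresses on the gateway's interfaces. On a
# real host gather them with: ip -4 -o addr show | awk '{print $4}' | cut -d/ -f1
LOCAL_ADDRS='203.0.113.10 203.0.113.11'

# has_addr <ip> <space-separated addresses>: returns 0 if <ip> is listed
has_addr() {
    for a in $2; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# missing_bindings <bindings> <local addrs>: prints the user IDs whose public
# IP is not configured on the gateway. Such a user's outbound packets would be
# rewritten to an address no interface owns, so replies never come back.
missing_bindings() {
    while read -r user tun pub; do
        has_addr "$pub" "$2" || echo "$user"
    done <<EOF
$1
EOF
}

# render_rules <bindings> <wan_iface>: prints the nat rules in the order the
# gateway applies them. MASQUERADE must stay last so it only handles traffic
# that no per-user SNAT rule matched.
render_rules() {
    while read -r user src pub; do
        echo "iptables -t nat -A POSTROUTING -s $src/32 -o $2 -j SNAT --to-source $pub"
    done <<EOF
$1
EOF
    echo "iptables -t nat -A POSTROUTING -o $2 -j MASQUERADE"
}

# Warn about unusable bindings before showing the ruleset that would be applied.
missing_bindings "$BINDINGS" "$LOCAL_ADDRS" | sed 's/^/warning: no local address for user /' >&2
render_rules "$BINDINGS" eth0
```

With the constructed data, user 44 is reported because 198.51.100.99 is not among the gateway's addresses, while the rules for users 42 and 43 are emitted ahead of the MASQUERADE line.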
