Date: Sat, 4 Jul 2020 15:37:30 -0400
From: Aryeh Friedman <aryeh.friedman@gmail.com>
To: Ultima <ultima1252@gmail.com>
Cc: Bob Willcox <bob@immure.com>, questions list <freebsd-questions@freebsd.org>
Subject: Re: Routing IP traffic from client through server openvpn tunnel?
Message-ID: <CAGBxaXnPDYm00eDaHe8-rmyhtCx0oGzCdOgQu38GKKunCiRufg@mail.gmail.com>
In-Reply-To: <CANJ8om5-rm+NYik0Gpt9xh=Ci6cjwQ4vzOzqHsYcJLWFToRR=Q@mail.gmail.com>
References: <20200704133607.GA91599@rancor.immure.com> <CANJ8om5-rm+NYik0Gpt9xh=Ci6cjwQ4vzOzqHsYcJLWFToRR=Q@mail.gmail.com>
On Sat, Jul 4, 2020 at 3:11 PM Ultima <ultima1252@gmail.com> wrote:
> The other workaround would be to setup nating on your side, but I would
> recommend against this if avoidable.

What's wrong with a NAT? They are often the only way to handle cases where one side of the connection (typically your ISP, but in theory other things like VMs and the like). NATs also (if properly configured) serve as a very effective and trivial-to-configure poor man's firewall (no need to make weird rules for different ports/services, since it is automatically one-way routing: you have full routing to the public side of the NAT, but the public side has no routing into the private side).

For example, I use double NATing on my home network (since I have always worked at home as a freelancer, it is also my "office" LAN), where I put any devices that are WiFi-only (no physical RJ-45 jack) on the NAT formed by my ISP router, and then I use a desktop router for all the wired connections. This means that if somehow someone is able to get onto the WiFi despite the encryption, they cannot get to anything important (the printer is the only thing on the WiFi NAT), and if someone does manage to get into the ISP NAT they will not get past the desktop router one (remember, unless you know it is there, a NAT is totally invisible to the public side of the connection).

Please note that I do medical software development and thus by law *MUST* be HIPAA compliant (among other things, end-to-end security and other security safeguards). The above setup meets and likely exceeds those requirements.

-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
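The inner-router half of the double-NAT layout described in the message above, as an added example that is not part of the original message or of the FreeBSD project: a pf.conf for a FreeBSD box acting as the wired "desktop router" behind the ISP router. The interface names (em0 as the uplink toward the ISP router, em1 as the wired LAN), the 10.0.0.0/24 LAN range and the logging choice are assumptions. It writes the inbound default-deny as an explicit rule rather than relying only on the absence of port forwards, and puts it beside the nat rule so both halves of the one-way property are visible in one file.

```pf
# Added example (not from the original message): pf.conf for the inner
# "desktop router" in a double-NAT home/office network.
# Assumed interface names and addressing:
#   em0 = uplink toward the ISP router (gets a private address from it)
#   em1 = wired LAN, 10.0.0.0/24, this box is the default gateway
ext_if  = "em0"
int_if  = "em1"
lan_net = "10.0.0.0/24"

# Normalise fragments and drop packets whose source address could not
# legitimately arrive on that interface (spoofed 10.0.0.0/24 from em0, etc.).
scrub in all
antispoof quick for { $ext_if $int_if }

# Outbound NAT: rewrite wired-LAN sources to em0's current address, so the
# ISP router (and anything beyond it) only ever sees this gateway.
# Translation rules must precede filter rules in FreeBSD's pf.
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Default deny inbound on every interface. This is what makes the
# "public side has no route in" property explicit instead of implicit.
block in log all

# The wired LAN may reach anything; state entries let the replies back in
# through the block rule above.
pass in quick on $int_if inet from $lan_net to any keep state
pass out quick on $ext_if inet keep state

# The gateway itself may talk to the LAN (DHCP, DNS, printing to the
# WiFi-side printer goes out em0 and is covered by the rule above).
pass out quick on $int_if inet keep state

# Deliberately no "rdr" rules: nothing on the ISP side can reach
# 10.0.0.0/24 unless a port forward is added here by hand.
```

Enable forwarding and the filter with gateway_enable="YES" and pf_enable="YES" in /etc/rc.conf, check the syntax with pfctl -nf /etc/pf.conf before loading it, and confirm afterwards with pfctl -sn that the only translation rule present is the outbound nat, i.e. no rdr entry has crept in that would expose a LAN host to the ISP side.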