Date: Sun, 22 Feb 2015 13:44:17 -0500 (EST)
From: freebsd@fongaboo.com
To: freebsd-questions@freebsd.org
Subject: Re: OpenVPN with NAT
Message-ID: <alpine.BSF.2.00.1502221339280.8732@helix.wtfayla.net>
In-Reply-To: <alpine.BSF.2.00.1502221313310.8732@helix.wtfayla.net>
References: <3kWFlD70VnzRRrw@baobab.bilink.it> <20150126213658.48423c08.freebsd@edvax.de> <alpine.BSF.2.00.1502221313310.8732@helix.wtfayla.net>
P.S. I believe I enabled the server to be a gateway immediately (without
reboot) with:

  sysctl net.inet.ip.forwarding=1

  > sysctl -a | grep forwarding
  net.inet.ip.forwarding: 1

I also had to do kldload ipdivert and kldload ipfw_nat before I could get a
lot of what I described to run without error (however, still non-functional).

On Sun, 22 Feb 2015, freebsd@fongaboo.com wrote:

>
> Have a FreeBSD 10 box I have set up with OpenVPN. I've gotten it working,
> terminating at the server, with both a FreeBSD and a Windows client.
>
> Now I am trying to route Internet traffic through the VPN and out the
> server's gateway. From what I have read, it involves:
>
> 1) Configuring the FreeBSD server to be a gateway router:
>
>    gateway_enable="YES" (in /etc/rc.conf)
>
> 2) Enabling gateway redirection in OpenVPN on the server:
>
>    push "redirect-gateway def1 bypass-dhcp" (in
>    /usr/local/etc/openvpn/openvpn.conf)
>
> 3) NAT'ing the OpenVPN clients to the WAN interface of the server:
>
>    From what I've read, this can be done three ways:
>
>    A) Using IPFW and NATD
>
>    B) Using IPFW and kernel-based NAT
>
>    C) Using NAT functions in PF
>
>
> At the moment, I don't really want to go for option C, although open to it in
> the long-run. But switching to PF would require getting myself, and others
> working on this box, up to speed on PF... and recreating all my existing IPFW
> rules in PF.
>
> I've tried Option B, by entering IPFW rules such as:
>
>    ipfw nat 1 config if em0
>    ipfw add nat 1 all from 10.8.0.0/24 to any out via bge0
>    ipfw add nat 1 all from any to any in via bge0
>
> And I've tried Option A by enabling NATD as described below in a post from
> last month. Unlike that poster, I want ALL my clients to route out through
> the VPN gateway. So I tried the 'unrefined' line as it is displayed below.
>
> In all cases, the OpenVPN client does take over the gateway, but traffic goes
> nowhere. Nothing seems to make it out the external interface and back. NAT
> seems not to be succeeding no matter what I do. Any advice? TIA
>
>
> On Mon, 26 Jan 2015, Polytropon wrote:
>
>> On Mon, 26 Jan 2015 16:45:16 +0100, Luciano Mannucci wrote:
>>> I have a freebsd machine (FreeBSD troika 10.1-RELEASE FreeBSD 10.1-RELEASE
>>> #0
>>> r274401) with openvpn that works like a charm :-)...
>>> I wish to nat one and only one of my openvpn clients, possibly for a
>>> single destination. What's the better way to avoid disturbing the rest
>>> of the operations?
>>> Any clues?
>>> Is IPFW my friend?
>>
>> Yes, that should work. In /etc/rc.conf, set
>>
>>    natd_enable="YES"
>>    natd_interface="xl0"
>>
>> where "xl0" is the "outer" interface.
>>
>> In your custom /etc/ipfw.conf, add the rule
>>
>>    add divert natd ip from any to any via xl0
>>
>> and refine the "from any to any" part to reflect the
>> IP addresses (and maybe specific ports) for the connection
>> you want to translate, so the rule will only allow for
>> that _one_ destination you want to enable.
>>
>>
>> --
>> Polytropon
>> Magdeburg, Germany
>> Happy FreeBSD user since 4.0
>> Andra moi ennepe, Mousa, ...
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe@freebsd.org"
>>
>
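The thread above lists the three pieces needed to send OpenVPN clients out through the server's WAN interface with IPFW's in-kernel NAT (gateway_enable, the redirect-gateway push, and the nat rules) but never shows them assembled in one consistent set. The script below is an added example, not code from the thread or from FreeBSD; it generates that rule set and runs one consistency check that is worth applying to any ipfw kernel-NAT configuration: the interface named in `nat N config if` must be the same interface the `nat N` rules match with `via`, because the NAT instance translates to that interface's address while the rules decide which packets reach it. The interface names, the VPN subnet and the rule numbers 50 and 60 are placeholders passed as arguments or chosen here, not values from the original post.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): build an IPFW kernel-NAT
# rule set for an OpenVPN client subnet and check an existing rule list for
# interface mismatches. Requires the ipfw_nat module (kldload ipfw_nat) and
# gateway_enable="YES" in /etc/rc.conf on a real host; nothing here is applied,
# the functions only emit and inspect rule text.

# gen_ipfw_nat_rules WAN_IF VPN_NET [NAT_ID]
# Emits ipfw commands. The nat rules get low numbers (50/60, arbitrary choice)
# so they are evaluated before any pre-existing allow rule, since ipfw is
# first-match: a packet accepted by an earlier rule is never translated.
# With the default net.inet.ip.fw.one_pass=1 a translated packet is accepted
# right after the nat rule.
gen_ipfw_nat_rules() {
    wan_if="$1"          # placeholder, e.g. bge0
    vpn_net="$2"         # placeholder, e.g. 10.8.0.0/24
    nat_id="${3:-1}"
    cat <<EOF
ipfw nat ${nat_id} config if ${wan_if}
ipfw add 50 nat ${nat_id} ip from ${vpn_net} to any out via ${wan_if}
ipfw add 60 nat ${nat_id} ip from any to any in via ${wan_if}
EOF
}

# check_nat_interfaces < rules
# Reads ipfw commands on stdin. Returns 1 (and prints the offending pair) if a
# "nat N" rule matches "via X" while "nat N config if Y" names another
# interface; returns 0 when every nat rule uses its instance's interface.
check_nat_interfaces() {
    awk '
        /nat [0-9]+ config/ {
            for (i = 1; i <= NF; i++) if ($i == "nat") id = $(i + 1)
            for (i = 1; i <= NF; i++) if ($i == "if") cfg[id] = $(i + 1)
        }
        /add( [0-9]+)? nat [0-9]+ / && / via / {
            for (i = 1; i <= NF; i++) if ($i == "nat") id = $(i + 1)
            for (i = 1; i <= NF; i++) if ($i == "via") used[id, $(i + 1)] = 1
        }
        END {
            bad = 0
            for (k in used) {
                split(k, p, SUBSEP)
                if ((p[1] in cfg) && cfg[p[1]] != p[2]) {
                    printf "nat %s is configured on %s but a rule matches via %s\n",
                           p[1], cfg[p[1]], p[2]
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed input for demonstration: a NAT instance bound to one interface
# while the rules match traffic on another.
mismatched_rules() {
    printf '%s\n' \
        'ipfw nat 1 config if em0' \
        'ipfw add nat 1 all from 10.8.0.0/24 to any out via bge0' \
        'ipfw add nat 1 all from any to any in via bge0'
}

# Usage when run directly: print a consistent rule set, then show the check
# rejecting the constructed mismatched one.
if [ "${0##*/}" = "ipfw_nat_example.sh" ]; then
    gen_ipfw_nat_rules bge0 10.8.0.0/24
    mismatched_rules | check_nat_interfaces || echo "mismatch detected"
fi
```

Paste the generated commands into the custom ipfw script ahead of the existing rules, and pipe that script through check_nat_interfaces whenever the WAN interface is renamed or a second NAT instance is added.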