Date: Sun, 10 Nov 2019 15:46:56 +0100
From: Morgan Wesström <freebsd-database@pp.dyndns.biz>
To: freebsd-pf@freebsd.org
Subject: Re: freebsd-pf Digest, Vol 689, Issue 3
Message-ID: <1cebcd5e-d9ed-53db-2d01-c8794933d1c4@pp.dyndns.biz>
In-Reply-To: <CAMnCm8gO%2BdZwEKdM3iKwrNoxNDZmFZ8EUo=Mrh0%2BOQ%2BSE_SO8w@mail.gmail.com>
References: <mailman.6.1573387200.62111.freebsd-pf@freebsd.org> <CAMnCm8gO%2BdZwEKdM3iKwrNoxNDZmFZ8EUo=Mrh0%2BOQ%2BSE_SO8w@mail.gmail.com>
> Yes. I know it's lazy, but I left the local subnet as the route default of
> 192.168.1.0/24. All of my local hosts are on that subnet.
>
> I'm PARTIALLY in agreement here. The OpenVPN clients are being assigned
> 10.8.0.x addresses. Somehow, those addresses need to be translated into the
> OpenVPN server's address to provide their access to the internet.
> Here is my OpenVPN config:
>

Your OpenVPN config has a few lines I'd like to address. Unless you're absolutely sure you know what you're doing and have a reason to use them, I'd suggest you remove the following three lines:

    topology subnet
    push "route 192.168.1.0 255.255.255.0"
    route 10.8.0.0 255.255.255.0

The next thing you need to check is that you have enabled routing in FreeBSD so it will forward packets between your LAN subnet 192.168.1.0/24 and the OpenVPN subnet 10.8.0.0/24. (You do not need NAT here, although I suppose it would be theoretically possible. The thought has never occurred to me, to be honest. I would not recommend it though.)

    /etc/rc.conf
    gateway_enable="YES"

Either restart FreeBSD after this or type "service routing start".

One additional thing. If you by any chance want to communicate with any of the other machines on your LAN from the VPN clients (not just Internet access), you need to add a static route for 10.8.0.0/24 pointing to 192.168.1.200 IN YOUR NETGEAR ROUTER or they won't know where to send their replies. Preferably you'd add such a route to each of your LAN machines, but it's not strictly necessary since they will send any 10.8.0.0/24 packets to your router, which then will route them back properly to your FreeBSD machine. This shouldn't be needed for the basic OpenVPN communication though, since as far as your router is concerned, this only involves pushing UDP packets to 192.168.1.200 and it already knows how to reach that IP.

Your setup differs from mine so I may have forgotten something here, but start with these changes and we'll see what happens.

/Morgan
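The reply-path problem described in the message above, as an added example that is not part of the thread: a small longest-prefix routing model that traces a LAN host's reply to a VPN client and shows why both the static route on the Netgear router and gateway_enable on the FreeBSD box are needed. It keeps the thread's addresses (192.168.1.200, 10.8.0.0/24) and assumes the router is 192.168.1.1; "upstream" (the router's WAN next hop) and "tun0" (the OpenVPN interface) are placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables, one per hop. Each entry is (prefix, next_hop).
# Assumed: Netgear router at 192.168.1.1; "upstream" and "tun0" are placeholders.
LAN_HOST = [("192.168.1.0/24", "direct"), ("0.0.0.0/0", "192.168.1.1")]
ROUTER_NO_STATIC = [("192.168.1.0/24", "direct"), ("0.0.0.0/0", "upstream")]
ROUTER_WITH_STATIC = ROUTER_NO_STATIC + [("10.8.0.0/24", "192.168.1.200")]
FREEBSD = [("192.168.1.0/24", "direct"), ("10.8.0.0/24", "tun0")]


def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def trace_reply(router_table, gateway_enable, dst="10.8.0.6"):
    """Follow a LAN host's reply toward VPN client dst, hop by hop.

    Returns the next hops taken; the final entry is where the packet ends up
    ("tun0" means it was forwarded into the OpenVPN tunnel).
    """
    path = [lookup(LAN_HOST, dst)]          # LAN host only knows its default gateway
    if path[-1] != "192.168.1.1":
        return path
    path.append(lookup(router_table, dst))  # does the Netgear know about 10.8.0.0/24?
    if path[-1] != "192.168.1.200":
        return path                         # sent to the ISP instead, reply is lost
    if not gateway_enable:                  # FreeBSD must forward LAN <-> tunnel
        path.append("dropped: forwarding disabled")
        return path
    path.append(lookup(FREEBSD, dst))
    return path


if __name__ == "__main__":
    print(trace_reply(ROUTER_NO_STATIC, True))     # ends at 'upstream'
    print(trace_reply(ROUTER_WITH_STATIC, False))  # dropped on the FreeBSD box
    print(trace_reply(ROUTER_WITH_STATIC, True))   # ends at 'tun0'
```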