From owner-freebsd-pf@FreeBSD.ORG Wed Jun 24 20:14:07 2009
From: "Torsten Kersandt" <torsten@cnc-london.net>
Delivered-To: freebsd-pf@freebsd.org
Date: Wed, 24 Jun 2009 20:47:05 +0100
Message-ID: <014901c9f504$8dfbe620$a9f3b260$@net>
References: <014301c9f4fb$bb7893e0$3269bba0$@net>
Subject: OpenVPN Client Nat question?
> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Fire walls
> Sent: 24 June 2009 16:53
> To: freebsd-pf@freebsd.org
> Subject: OpenVPN Client Nat question?
>
> Hi people.
>
> Working with pf, every day I'm understanding more of pf.
>
> I have openvpn at work running on gentoo. I added openvpn to my home FW
> with freebsd 7.2, I set everything up and it is working, I can reach my work
> network.
>
> I read some sites on the internet about this setup and they say something
> about NATing the openvpn network, but they don't explain if this must be done just
> on the server side or on both sides, I mean server + client.
>
> In my case I'm a client; do I have to NAT my vpn network?
>
> nat on $ext_if from $vpn_network to any -> ($ext_if)
>
> Or do I just need to play with the pass/block rules?
>
> Thanks all for your time!!!
>
> --
> :-)
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
> This is what I have got on my boxes.
>
> Openvpn.conf:
> server 10.12.215.0 255.255.255.0
> ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt
>
> # Certificates for VPN Authentication
> ca /usr/local/etc/openvpn/keys/soundnet/ca.crt
> cert /usr/local/etc/openvpn/keys/soundnet/ca.crt
> key /usr/local/etc/openvpn/keys/soundnet/ca.key
> dh /usr/local/etc/openvpn/keys/soundnet/dh1024.pem
>
> # Routes to push to the client
> push "route 192.168.100.0 255.255.255.0"
> push "dhcp-option WINS 192.168.100.12"
> push "dhcp-option DNS 192.168.100.12"
> push "dhcp-option DNS 192.168.100.12"
> push "dhcp-option DOMAIN home"
>
> pf.conf:
> vpn_if="tun0"
> vpn_network="10.12.215.0/24"
>
> nat on $ext_if from $vpn_network to any -> ($ext_if)
> nat on $int_if from $vpn_network to $int_net -> ($int_if)
>
> pass in quick on $vpn_if
> pass out quick
>
> regards
> Torsten
>
> Hi Torsten. Hey, but this config is for the server side, right? What my question is, is whether I have to NAT on the client side? Thanks for your quick answer!!!
>
> --
> :-)

The client side only needs to know which route to which network to take. In this case my internal network is 192.168.100.0/24 and fully accessible by all openvpn connections.

If you want your computer to fully become part of the other site's network (bi-directional and fully accessible, as in a common Micros..t Network), you may have to go down the bridging way, meaning tun0 <--> ext_if. I have never done that and can't help on this, but from as much as I have been reading about it, it is not an impossible thing to do.

Regards
T
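A constructed client-side pf.conf for the home FreeBSD box, added here as an example and not part of the thread or Torsten's configuration: it carries no nat rule at all, only pass rules for the tunnel transport and the work route that the server pushes. The interface name em0, the server address 203.0.113.10 and UDP port 1194 (OpenVPN's default) are assumptions; the networks are the ones quoted above.

```pf
# Constructed client-side pf.conf (example, not from the thread).
ext_if="em0"                    # assumption: home WAN interface
vpn_if="tun0"                   # OpenVPN tunnel interface, as in the thread
vpn_server="203.0.113.10"       # assumption: work OpenVPN endpoint
vpn_network="10.12.215.0/24"    # tunnel pool handed out by the server
work_net="192.168.100.0/24"     # route pushed by the server

set skip on lo0
block in all
block out all

# No "nat on $ext_if from $vpn_network ..." here: the server's own
# "nat on $int_if from $vpn_network to $int_net" rewrites our 10.12.215.x
# source address before packets reach the work LAN, so the client has
# nothing to translate. NAT on the client would only be needed if the
# work side had to reach a network behind this box.

# Tunnel transport: the only thing that must leave the WAN interface
# toward the VPN endpoint.
pass out on $ext_if proto udp from ($ext_if) to $vpn_server port 1194 keep state
# Ordinary outbound home traffic (tighten to taste).
pass out on $ext_if inet proto { tcp udp icmp } from ($ext_if) keep state

# Inside the tunnel: reach the work LAN, and let nothing from the work
# side initiate connections to this box (replies return via state).
pass out on $vpn_if to $work_net keep state
block in on $vpn_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -sn` afterwards should show no nat rules on the client.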