From: Fire walls
To: freebsd-pf@freebsd.org
Date: Wed, 24 Jun 2009 14:23:55 -0700
Subject: Re: OpenVPN Client Nat question?
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Wed, Jun 24, 2009 at 12:47 PM, Torsten Kersandt wrote:
> > -----Original Message-----
> > From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Fire walls
> > Sent: 24 June 2009 16:53
> > To: freebsd-pf@freebsd.org
> > Subject: OpenVPN Client Nat question?
> >
> > Hi people.
> >
> > Working with pf, every day I'm understanding pf more.
> >
> > I have OpenVPN at work running on Gentoo. I added OpenVPN to my home FW with FreeBSD 7.2, set everything up and it is working: I can reach my work network.
> >
> > I read some sites on the internet about this setup and they say something about NATing the OpenVPN network, but they don't explain whether this must be done just on the server side or on both sides, I mean server + client.
> >
> > In my case I'm a client; do I have to NAT my VPN network?
> >
> > nat on $ext_if from $vpn_network to any -> ($ext_if)
> >
> > Or do I just need to play with the pass/block rules?
> >
> > Thanks all for your time!!!
> >
> > --
> > :-)
> > _______________________________________________
> > freebsd-pf@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
> >
> > This is what I have got on my boxes
> >
> > Openvpn.conf:
> > server 10.12.215.0 255.255.255.0
> > ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt
> >
> > # Certificates for VPN Authentication
> > ca /usr/local/etc/openvpn/keys/soundnet/ca.crt
> > cert /usr/local/etc/openvpn/keys/soundnet/ca.crt
> > key /usr/local/etc/openvpn/keys/soundnet/ca.key
> > dh /usr/local/etc/openvpn/keys/soundnet/dh1024.pem
> >
> > # Routes to push to the client
> > push "route 192.168.100.0 255.255.255.0"
> > push "dhcp-option WINS 192.168.100.12"
> > push "dhcp-option DNS 192.168.100.12"
> > push "dhcp-option DNS 192.168.100.12"
> > push "dhcp-option DOMAIN home"
> >
> > pf.conf
> > vpn_if="tun0"
> > vpn_network="10.12.215.0/24"
> >
> > nat on $ext_if from $vpn_network to any -> ($ext_if)
> > nat on $int_if from $vpn_network to $int_net -> ($int_if)
> >
> > pass in quick on $vpn_if
> > pass out quick
> >
> > regards
> > Torsten
> >
> > Hi Torsten.
> >
> > Hey, but this config is for the server side, right?
> >
> > My question is, do I have to NAT on the client side?
> >
> > Thanks for your quick answer!!!
> >
> > --
> > :-)
>
> The client side only needs to know which route to which network to take.
> In this case my internal network is 192.168.100.0/24 and fully accessible by all openvpn connections.
>
> If you want your computer to fully become part of the other site's network (bi-directional and fully accessible as in a common Micros..t network), you may have to go down the bridging way, meaning tun0<-->ext_if; never done that and can't help on this.
> But as much as I have been reading about it, not an impossible thing to do.
>
> Regards T

Thanks Torsten. You already answered my question, I appreciate your help and time.

See you later, thanks again!!!

--
:-)
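The thread concludes that the client side needs routes, not NAT, while the server side (Torsten's pf.conf above) NATs the tunnel network. Below is an added example of what the matching client-side pf.conf on the home FreeBSD box could look like; it is not from the thread or from either poster. Interface names (em0, em1) and the home LAN (192.168.0.0/24) are assumptions; the tunnel network 10.12.215.0/24 and the pushed work network 192.168.100.0/24 are taken from Torsten's server config. It also shows the one case in which a client-side nat rule is needed: forwarding other home-LAN hosts through the tunnel, which the server cannot route back without extra configuration.

```pf
# Added example: client-side pf.conf for the home FreeBSD box (not from the thread).
ext_if="em0"                 # assumed: home uplink to the internet
int_if="em1"                 # assumed: home LAN interface
vpn_if="tun0"                # OpenVPN client tunnel
int_net="192.168.0.0/24"     # assumed: home LAN
work_net="192.168.100.0/24"  # pushed by the server: push "route 192.168.100.0 255.255.255.0"
vpn_net="10.12.215.0/24"     # server's tunnel pool: server 10.12.215.0 255.255.255.0

# Ordinary home NAT: only the home LAN going out to the internet.
# There is deliberately no nat rule for the tunnel: the client's own tun0
# address comes from $vpn_net, which the server already routes (and NATs
# on its side), so replies come back through the tunnel without any help.
nat on $ext_if from $int_net to any -> ($ext_if)

# Uncomment ONLY if hosts on the home LAN should reach work through this box.
# The server has no route back to 192.168.0.0/24, so either hide the LAN
# behind the tunnel address here, or teach the server the route (ccd/iroute).
# nat on $vpn_if from $int_net to $work_net -> ($vpn_if)

block log all

# Home box and LAN out to the internet; this also carries the OpenVPN
# UDP/TCP session itself to the work server.
pass out on $ext_if keep state
pass in  on $int_if from $int_net keep state

# Tunnel: routes decide where 192.168.100.0/24 goes (tun0); pf decides what
# is allowed. Permit only traffic to the work network, stateful, so nothing
# unsolicited from the work side can reach the home box or LAN.
pass out on $vpn_if from ($vpn_if) to $work_net keep state
# pass out on $vpn_if from $int_net to $work_net keep state   # with the nat rule above
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s state` afterwards should show states on tun0 only for connections the home side initiated.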