From: Phil Staub <phil@staub.us>
Date: Sun, 10 Nov 2019 18:51:22 -0500
Subject: Re: Fwd: NAT for use with OpenVPN
To: Morgan Wesström <freebsd-database@pp.dyndns.biz>
Cc: freebsd-pf@freebsd.org

On Sun, Nov 10, 2019 at 5:27 PM Morgan Wesström <freebsd-database@pp.dyndns.biz> wrote:

> > Do packets with 10.8.0.x addresses ever actually make it on the wire
> > between the router and the OpenVPN server? I was under the impression that
> > the encrypted packets created a tunnel at which the IP address is only
> > known at the endpoints, which means the OpenVPN client and server
> > processes, and nothing in between has any access to anything that is going
> > on within the tunnel. If this is the case, I wouldn't think the router
> > needs to know how to deal with 10.8.0.x packets.
> >
> > Furthermore, this pretty much HAS to be the case. The 10.8.0.x addresses
> > can't be routed across the internet, so the only way they could exist on my
> > private network would be as a result of NATing on the part of the router,
> > and I'm pretty sure this isn't happening.
> >
> > But then this re-opens the question of how the connection happens between
> > the server end of the tunnel (10.8.0.1) and the public interface at
> > 192.168.1.200. It would seem that there needs to be some routing
> > information within OpenVPN that makes that connection.
> >
> > Am I way off here?
> >
> > Phil
>
> Look at it this way. The VPN software has the same effect as if the
> client was located in your house and directly connected with a cable to
> your 10.8.0.0/24 subnet. Any configuration to support this must be done
> on the FreeBSD machine as well as your router. The router will
> definitely see the 10.8.0.0/24 addresses on its LAN interface but as you
> note, these addresses will never show up on the external interface. Your
> NAT will exchange these addresses on the fly and any traffic between the
> OpenVPN endpoints will be encrypted and encapsulated in another ip
> packet where only the external public ip addresses are shown.
>
> At this point I started to write a detailed description of how a packet
> is transferred from your client over the VPN tunnel and then onto the
> Internet and to its destination but it got overly complicated and
> probably won't help you at this point. :) Let's instead start to get
> some more info from your network. When your client is connected, can you
> please provide the output of the following commands on both the client
> and the FreeBSD machine?
>
> # ifconfig -a
>
> # netstat -rn
>
> I need to see how the ip stack is configured on each machine and how the
> routing tables look.
>

OK. Here it comes:

root@threepio:/usr/local/etc/openvpn # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         em0
10.8.0.0/24        10.8.0.2           UGS        tun0
10.8.0.1           link#4             UHS         lo0
10.8.0.2           link#4             UH         tun0
127.0.0.1          lo0                UHS         lo0
192.168.1.0/24     link#1             U           em0
192.168.1.200      link#1             UHS         lo0
192.168.1.201      link#1             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               lo0                           UHS         lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#2                        U           lo0
fe80::1%lo0                       link#2                        UHS         lo0
fe80::%tun0/64                    link#4                        U          tun0
fe80::6a05:caff:fe3b:a7c7%tun0    link#4                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0

root@threepio:/usr/local/etc/openvpn # ifconfig -a
em0: flags=8843 metric 0 mtu 1500
        options=81249b
        ether 68:05:ca:3b:a7:c7
        inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.201 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT )
        status: active
        nd6 options=29
lo0: flags=8049 metric 0 mtu 16384
        options=680003
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21
lo1: flags=8008 metric 0 mtu 16384
        options=680003
        groups: lo
        nd6 options=29
tun0: flags=8051 metric 0 mtu 1500
        options=80000
        inet6 fe80::6a05:caff:fe3b:a7c7%tun0 prefixlen 64 scopeid 0x4
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
        groups: tun
        nd6 options=21
        Opened by PID 15992

-- 
Phil Staub
phil@staub.us
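Added example, not part of this thread and not the poster's, OpenVPN's or pf's code: a small Python model of what the routing table above decides for a packet, with a simplified outbound NAT rule of the kind Morgan refers to. The IPv4 table embedded below is the netstat -rn output posted above; the NAT rule, the 203.0.113.10 destination and the 192.168.1.50 LAN host are constructed. The lookup is a longest-prefix match, the same choice the kernel makes: a packet for 10.8.0.x leaves via tun0 toward 10.8.0.2, the 10.8.0.1 host route lands on lo0 (it is the local tunnel end), and anything else follows the default route to 192.168.1.1 on em0. With the constructed rule in place, VPN-client sources leaving em0 are rewritten to 192.168.1.200, so the router at 192.168.1.1 only ever sees the server's own LAN address and needs no route for 10.8.0.0/24.

```python
"""Route lookup and outbound-NAT model over the netstat -rn output in this thread.

Added example, not code from the thread. The IPv4 routing table below is the
one posted in the mail; the NAT rule and test destinations are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# IPv4 section of the FreeBSD routing table from the mail (copied from the post).
NETSTAT_RN = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         em0
10.8.0.0/24        10.8.0.2           UGS        tun0
10.8.0.1           link#4             UHS         lo0
10.8.0.2           link#4             UH         tun0
127.0.0.1          lo0                UHS         lo0
192.168.1.0/24     link#1             U           em0
192.168.1.200      link#1             UHS         lo0
192.168.1.201      link#1             UHS         lo0

Internet6:
"""


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str   # next-hop address, or link#N / lo0 for a directly attached route
    flags: str
    netif: str


def parse_netstat_rn(text: str) -> list[Route]:
    """Parse the IPv4 ('Internet:') section of FreeBSD netstat -rn output."""
    routes: list[Route] = []
    in_v4 = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Internet:":
            in_v4 = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_v4 or not line or line.startswith("Destination"):
            continue
        dest, gateway, flags, netif = line.split()[:4]
        if dest == "default":
            dest = "0.0.0.0/0"
        # Host routes (UH/UHS) are printed without a prefix length and become /32.
        routes.append(Route(ipaddress.ip_network(dest), gateway, flags, netif))
    return routes


def lookup(routes: list[Route], dst: str) -> Route:
    """Longest-prefix match: the same choice the kernel makes for an outbound packet."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


@dataclass(frozen=True)
class NatRule:
    """Constructed, minimal model of 'nat on <netif> from <src> to any -> <addr>'."""
    netif: str
    src: ipaddress.IPv4Network
    to_addr: str


def egress(routes: list[Route], nat: list[NatRule], src: str, dst: str) -> tuple[str, str, str]:
    """Return (outgoing interface, next hop, source address after NAT) for src -> dst."""
    route = lookup(routes, dst)
    # A 'G' flag means the packet is handed to the gateway; otherwise the
    # destination is directly attached and is its own next hop.
    next_hop = route.gateway if "G" in route.flags else dst
    src_after = src
    for rule in nat:
        if rule.netif == route.netif and ipaddress.ip_address(src) in rule.src:
            src_after = rule.to_addr
            break
    return route.netif, next_hop, src_after


if __name__ == "__main__":
    table = parse_netstat_rn(NETSTAT_RN)
    # Constructed rule: rewrite VPN-client sources leaving em0 to the server's LAN address.
    nat = [NatRule("em0", ipaddress.ip_network("10.8.0.0/24"), "192.168.1.200")]
    for src, dst in [("10.8.0.2", "203.0.113.10"),
                     ("10.8.0.2", "192.168.1.50"),
                     ("192.168.1.200", "10.8.0.2")]:
        print(f"{src} -> {dst}: netif, next hop, src after NAT =", egress(table, nat, src, dst))
```

The rule modelled has the shape of a pf.conf line such as `nat on em0 from 10.8.0.0/24 to any -> (em0)`; the model ignores state tracking and port translation, and it says nothing about the reverse direction, where the pf state entry, not a lookup, undoes the rewrite. Running it against a real box's output only needs NETSTAT_RN replaced with the text of `netstat -rn`.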