From: Phil Staub
Date: Thu, 7 Nov 2019 15:48:47 -0500
Subject: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org

I'm attempting to set up OpenVPN on a FreeBSD 12.1-RELEASE box. I'd like for it to allow remote clients to access the internet via the server box's connection.

It appears that OpenVPN is working, because new connections are logged, but I also get this message in the log:

  Thu Nov 7 15:43:17 2019 us=289157 han/67.175.144.37:61307 MULTI: bad source address from client [::], packet dropped

And the attached client doesn't have internet access.

So, I'm assuming I need to set up PF to NAT between tun0 and em0. I tried looking in the FreeBSD handbook in the chapter on PF, but that's like drinking from a fire hose, and I'm sure there is much more detail there than I need to know.

Can someone point me to a concise description of how to achieve this?

Thanks,
Phil
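
A minimal pf.conf for the tun0-to-em0 NAT asked about above, as an added example that is not part of the original post. The interface names come from the post; the VPN subnet, the OpenVPN port and the SSH rule are assumptions to adjust to the actual server configuration.

```conf
# /etc/pf.conf -- added example, not from the original post.
# Assumptions: OpenVPN hands out 10.8.0.0/24 and listens on UDP 1194;
# the box is administered over SSH on its external interface.
#
# Prerequisites (FreeBSD):
#   sysrc gateway_enable=YES pf_enable=YES   # forwarding + pf at boot
#   sysctl net.inet.ip.forwarding=1          # forwarding now
#   pfctl -nf /etc/pf.conf                   # syntax check before loading
#   service pf start

ext_if   = "em0"            # interface with the internet connection
vpn_if   = "tun0"           # OpenVPN tunnel interface
vpn_net  = "10.8.0.0/24"    # assumed client address pool
vpn_port = "1194"           # assumed OpenVPN listen port

set skip on lo0
scrub in all

# Translation: rewrite VPN client source addresses to whatever address
# em0 currently holds. The parentheses make pf follow address changes.
nat on $ext_if inet from $vpn_net to any -> ($ext_if)

# Filtering: default deny inbound, log what is dropped (tcpdump -ni pflog0).
block in log all
pass out all keep state

# Let clients reach the OpenVPN daemon, and keep admin access.
pass in on $ext_if inet proto udp to ($ext_if) port $vpn_port
pass in on $ext_if inet proto tcp to ($ext_if) port ssh

# Accept only traffic from the VPN pool on the tunnel; anything else
# arriving on tun0 (including IPv6, which this ruleset does not handle)
# falls through to the block rule and shows up in pflog.
pass in on $vpn_if inet from $vpn_net to any
```

After loading, `pfctl -s nat` shows the active translation rule and `pfctl -s state` shows whether client connections are being translated on em0.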