From owner-freebsd-questions@freebsd.org Sat Aug 26 13:10:33 2017
Return-Path:
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 267D3DF6363 for ; Sat, 26 Aug 2017 13:10:33 +0000 (UTC) (envelope-from freebsd@fongaboo.com)
Received: from h4lix.wtfayla.net (helix.wtfayla.net [64.246.134.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id ED8066B7E2 for ; Sat, 26 Aug 2017 13:10:31 +0000 (UTC) (envelope-from freebsd@fongaboo.com)
Received: from localhost (localhost [127.0.0.1]) by h4lix.wtfayla.net (Postfix) with ESMTP id F247C7CE15B for ; Sat, 26 Aug 2017 09:03:07 -0400 (EDT)
Received: from h4lix.wtfayla.net ([127.0.0.1]) by localhost (h4lix.wtfayla.net [127.0.0.1]) (maiad, port 10024) with ESMTP id 85360-09 for ; Sat, 26 Aug 2017 09:03:07 -0400 (EDT)
Received: from h4lix.wtfayla.net (h4lix.wtfayla.net [64.246.134.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by h4lix.wtfayla.net (Postfix) with ESMTPS id 76CA07CE159 for ; Sat, 26 Aug 2017 09:03:07 -0400 (EDT)
Date: Sat, 26 Aug 2017 09:03:07 -0400 (EDT)
From: Fongaboo
X-X-Sender: fongaboo@h4lix.wtfayla.net
To: freebsd-questions@freebsd.org
Subject: STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)
Message-ID:
User-Agent: Alpine 2.20 (BSF 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 26 Aug 2017 13:10:33 -0000

I'm following this tutorial:

https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1

Trying this on an AWS instance first and then planning to try on a bare metal colo server.

OpenVPN client and daemon seem to be working, in terms of handshaking and connecting with each other. Problem is, no matter what I do, connected clients can't get out to the Internet through the server's gateway interface.

I've tried setting up NATD, like the tutorial instructs. I've tried enabling ipfw_nat as described in this comment:

https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1?comment=40498

rc.conf (for NATD):

#enable firewall
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_type="open"
gateway_enable="YES"
natd_enable="YES"
natd_interface="xn0"
natd_flags="-dynamic -m"

rc.conf (revised for ipfw_nat):

#enable firewall
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="xn0"
gateway_enable="YES"
#natd_enable="YES"
#natd_interface="xn0"
#natd_flags="-dynamic -m"

*xn0 = external interface of the server

Neither config allows Internet access.

I have this line enabled in /usr/local/etc/openvpn/openvpn.conf:

push "redirect-gateway def1 bypass-dhcp"

Perhaps this is part of the solution?:

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

Any advice would be appreciated. I'm willing to try any combination of ipfw vs. pf or natd vs. ipfw_nat or whatever if it will allow clients to see the WAN.

TIA!
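An added example, not the poster's script and not taken from the tutorial: a candidate /usr/local/etc/ipfw.rules, the file the rc.conf above points firewall_script at, that does the translation with in-kernel ipfw nat. One caveat a practitioner would check first: /etc/rc.d/ipfw runs whatever file firewall_script names in place of /etc/rc.firewall, passing firewall_type to it only as its first argument, and firewall_nat_interface is read only by /etc/rc.firewall; firewall_nat_enable still gets the ipfw_nat module loaded, but with a custom script the nat config rule itself has to live in that script. The interface and address values are assumptions: xn0 as the external interface (from the post), tun0 as OpenVPN's interface and 10.8.0.0/24 as the VPN subnet, all overridable through environment variables.

```shell
#!/bin/sh
# Added example (not the poster's or the tutorial's script): a candidate
# /usr/local/etc/ipfw.rules that NATs OpenVPN clients out through the
# external interface using in-kernel ipfw nat.
# Assumptions: xn0 is the external interface (from the post), tun0 is the
# OpenVPN interface and 10.8.0.0/24 is the subnet OpenVPN hands to clients.
EXT_IF="${EXT_IF:-xn0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

# Emit the rule set on stdout, one ipfw(8) command per line (without the
# leading "ipfw"), so it can be reviewed before it is loaded on a live host.
# Mirrors the "open" type (everything allowed) plus the nat instance; the
# outbound nat rule is limited to the VPN subnet so the host only translates
# traffic that actually arrived over the tunnel.
build_rules() {
    ext_if="$1"; vpn_if="$2"; vpn_net="$3"
    cat <<EOF
flush
nat 1 config if $ext_if same_ports reset
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from 127.0.0.0/8 to any
add 00200 allow ip from any to any via $vpn_if
add 00300 nat 1 ip from $vpn_net to any out via $ext_if
add 00310 nat 1 ip from any to any in via $ext_if
add 65000 allow ip from any to any
EOF
}

# Load the rules on the FreeBSD host. The nat instance needs the ipfw_nat
# module; kldload -n is a no-op when it is already loaded. "ipfw -q" keeps
# flush from asking for confirmation when run non-interactively from rc.
apply_rules() {
    kldload -n ipfw_nat
    build_rules "$EXT_IF" "$VPN_IF" "$VPN_NET" | while IFS= read -r line; do
        # word-splitting $line into ipfw arguments is intended
        /sbin/ipfw -q $line
    done
}

# Things that must also be true for tunnel clients to reach the Internet:
# forwarding on (gateway_enable="YES"), the nat instance present, rules loaded.
show_state() {
    sysctl net.inet.ip.forwarding net.inet.ip.fw.one_pass
    ipfw nat 1 show config
    ipfw -a list
}

# /etc/rc.d/ipfw invokes this file as "/bin/sh ipfw.rules <firewall_type>",
# so any argument other than print/show applies the rules. Run with no
# argument it only defines the functions above.
case "${1:-}" in
    "")    : ;;
    print) build_rules "$EXT_IF" "$VPN_IF" "$VPN_NET" ;;
    show)  show_state ;;
    *)     apply_rules ;;
esac
```

Run it with print to review the generated rule set, and with show on the server to confirm that net.inet.ip.forwarding is 1 and that the nat instance and rules are actually installed; under rc it receives the firewall_type as its argument and applies the rules.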