Date: Sat, 26 Aug 2017 11:44:45 -0300
From: Duane Whitty <duane@nofroth.com>
To: freebsd-questions@freebsd.org
Cc: duane@nofroth.com
Subject: Re: STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)
Message-ID: <ab1a8d98-0441-a4cf-8f9e-73412fa771bd@nofroth.com>
In-Reply-To: <alpine.BSF.2.20.1708260858410.50226@h4lix.wtfayla.net>
References: <alpine.BSF.2.20.1708260858410.50226@h4lix.wtfayla.net>
On 17-08-26 10:03 AM, Fongaboo wrote:
>
> I'm following this tutorial:
>
> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1
>
> Trying this on an AWS instance first and then planning to try on a bare
> metal colo server.
>
> OpenVPN client and daemon seem to be working, in terms of handshaking
> and connecting with each other. Problem is, no matter what I do,
> connected clients can't get out to the Internet through the server's
> gateway interface.
>
> I've tried setting up NATD, like the tutorial instructs. I've tried
> enabling ipfw_nat as described in this comment:
>
> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1?comment=40498
>
> rc.conf (for NATD):
>
> #enable firewall
> firewall_enable="YES"
> firewall_script="/usr/local/etc/ipfw.rules"
> firewall_type="open"
>
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="xn0"
> natd_flags="-dynamic -m"
>
> rc.conf (revised for ipfw_nat):
>
> #enable firewall
> firewall_enable="YES"
> firewall_script="/usr/local/etc/ipfw.rules"
> firewall_type="open"
> firewall_nat_enable="YES"
> firewall_nat_interface="xn0"
>
> gateway_enable="YES"
> #natd_enable="YES"
> #natd_interface="xn0"
> #natd_flags="-dynamic -m"
>
> *xn0 = external interface of the server
>
> Neither config allows Internet access. I have this line enabled in
> /usr/local/etc/openvpn/openvpn.conf:
>
> push "redirect-gateway def1 bypass-dhcp"
>
> Perhaps this is part of the solution?:
>
> # Configure server mode for ethernet bridging
> # using a DHCP-proxy, where clients talk
> # to the OpenVPN server-side DHCP server
> # to receive their IP address allocation
> # and DNS server addresses. You must first use
> # your OS's bridging capability to bridge the TAP
> # interface with the ethernet NIC interface.
> # Note: this mode only works on clients (such as
> # Windows), where the client-side TAP adapter is
> # bound to a DHCP client.
> ;server-bridge
>
> Any advice would be appreciated. I'm willing to try any combination of
> ipfw vs. pf or natd vs. ipfw_nat or whatever if it will allow clients to
> see the WAN. TIA!
>

I would try this on bare metal first. It will be much simpler. Once you
have a VPN server you know works on bare metal then you can concentrate
on making sure you have the correct setup on your AWS instance.

Get as many layers as possible out of the way for your first try. I
would personally try this on a private LAN first with no firewalls or
proxies or anything else in the way. Get the server configured and have
one client, also on the same private LAN, connect to it successfully.

Taking this approach, let's say you have problems getting the one client
to successfully connect to the VPN, people from this list may be able to
help you to determine if it's your FreeBSD config or your OpenVPN config.

Best Regards,
Duane

--
Duane Whitty
duane@nofroth.com
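For anyone reading this thread later, here is an added example of a firewall_script that loads an open rule set together with in-kernel ipfw nat on xn0; it is not the poster's /usr/local/etc/ipfw.rules and not taken from the tutorial. The 10.8.0.0/24 VPN subnet, the fw_rules helper and its dry-run argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the poster's script: a minimal /usr/local/etc/ipfw.rules
# that NATs OpenVPN client traffic out of xn0 with in-kernel ipfw nat.
# rc.conf's firewall_nat_enable is acted on by /etc/rc.firewall, so a custom
# firewall_script has to configure nat itself, which this one does.
# Assumptions: a tun-mode server on 10.8.0.0/24 (constructed value) and
# gateway_enable="YES" already setting net.inet.ip.forwarding=1 at boot.

ext_if="xn0"            # external interface, as in the poster's rc.conf
vpn_net="10.8.0.0/24"   # assumed OpenVPN "server" subnet

# fw_rules [ipfw-command]: loads the rule set. Pass "echo" to dry-run and
# see the exact ipfw invocations without touching the kernel.
fw_rules() {
    ipfw="${1:-/sbin/ipfw -q}"

    $ipfw -f flush
    # nat instance 1 bound to the external interface; same_ports keeps the
    # client's source port where possible, which some protocols expect
    $ipfw nat 1 config if "$ext_if" same_ports

    $ipfw add 100 allow ip from any to any via lo0
    # Outbound: rewrite VPN client sources (10.8.0.x) to xn0's address.
    # Inbound: run every packet arriving on xn0 through nat 1 so replies
    # are untranslated back to the client before any other rule sees them.
    $ipfw add 200 nat 1 ip from "$vpn_net" to any out via "$ext_if"
    $ipfw add 201 nat 1 ip from any to any in via "$ext_if"
    # Equivalent of firewall_type="open": accept everything else. Confirm
    # client Internet access works with this before tightening the policy.
    $ipfw add 65000 allow ip from any to any
}

# Apply when run as the rc firewall_script on a host that actually has ipfw.
if [ -x /sbin/ipfw ]; then
    fw_rules
fi
```

Running `sh ipfw.rules` does nothing on a host without /sbin/ipfw; call `fw_rules echo` from a shell that has sourced the file to print the rules it would load.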