Subject: Re: STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)
From: Duane Whitty
To: freebsd-questions@freebsd.org
Cc: duane@nofroth.com
Date: Sat, 26 Aug 2017 11:44:45 -0300

On 17-08-26 10:03 AM, Fongaboo wrote:
> I'm following this tutorial:
>
> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1
>
> Trying this on an AWS instance first and then planning to try on a bare
> metal colo server.
>
> OpenVPN client and daemon seem to be working, in terms of handshaking
> and connecting with each other. Problem is, no matter what I do,
> connected clients can't get out to the Internet through the server's
> gateway interface.
>
> I've tried setting up NATD, like the tutorial instructs.
> I've tried enabling ipfw_nat as described in this comment:
>
> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1?comment=40498
>
> rc.conf (for NATD):
>
> #enable firewall
> firewall_enable="YES"
> firewall_script="/usr/local/etc/ipfw.rules"
> firewall_type="open"
>
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="xn0"
> natd_flags="-dynamic -m"
>
> rc.conf (revised for ipfw_nat):
>
> #enable firewall
> firewall_enable="YES"
> firewall_script="/usr/local/etc/ipfw.rules"
> firewall_type="open"
> firewall_nat_enable="YES"
> firewall_nat_interface="xn0"
>
> gateway_enable="YES"
> #natd_enable="YES"
> #natd_interface="xn0"
> #natd_flags="-dynamic -m"
>
> *xn0 = external interface of the server
>
> Neither config allows Internet access. I have this line enabled in
> /usr/local/etc/openvpn/openvpn.conf:
>
> push "redirect-gateway def1 bypass-dhcp"
>
> Perhaps this is part of the solution?:
>
> # Configure server mode for ethernet bridging
> # using a DHCP-proxy, where clients talk
> # to the OpenVPN server-side DHCP server
> # to receive their IP address allocation
> # and DNS server addresses. You must first use
> # your OS's bridging capability to bridge the TAP
> # interface with the ethernet NIC interface.
> # Note: this mode only works on clients (such as
> # Windows), where the client-side TAP adapter is
> # bound to a DHCP client.
> ;server-bridge
>
> Any advice would be appreciated. I'm willing to try any combination of
> ipfw vs. pf or natd vs. ipfw_nat or whatever if it will allow clients to
> see the WAN. TIA!

I would try this on bare metal first. It will be much simpler.
Once you have a VPN server you know works on bare metal, you can
concentrate on making sure you have the correct setup on your AWS
instance. Get as many layers as possible out of the way for your first try.

I would personally try this on a private LAN first with no firewalls or
proxies or anything else in the way. Get the server configured and have
one client, also on the same private LAN, connect to it successfully.

Taking this approach, let's say you have problems getting the one client
to connect to the VPN successfully; people from this list may be able to
help you determine whether it's your FreeBSD config or your OpenVPN
config.

Best Regards,
Duane

-- 
Duane Whitty
duane@nofroth.com
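An added example, written for this archive page and not posted by either participant: a complete /usr/local/etc/ipfw.rules for the kernel-NAT variant of the quoted rc.conf (firewall_nat_enable="YES"). It takes xn0 as the external interface, as stated in the post, and assumes two things the thread never gives, namely that the OpenVPN tunnel interface is tun0 and that the tunnel subnet is 10.8.0.0/24 (both overridable through environment variables). Before loading rules it checks the two prerequisites rc.conf is supposed to supply, IP forwarding from gateway_enable and the ipfw_nat kernel module from firewall_nat_enable, because a ruleset alone cannot make clients reach the Internet if either is missing.

```shell
#!/bin/sh
# Added example, not from the thread: /usr/local/etc/ipfw.rules for an OpenVPN
# server using in-kernel ipfw NAT (the firewall_nat_enable variant of rc.conf).
# /etc/rc.d/ipfw runs this file with /bin/sh when rc.conf sets firewall_script.
#
# Assumptions not given in the thread: the OpenVPN tunnel is tun0 and the tunnel
# subnet is 10.8.0.0/24. xn0 as the external interface is from the original post.
# Override with EXT_IF / VPN_IF / VPN_NET; set FWCMD=echo to print the rules
# instead of loading them.

EXT_IF="${EXT_IF:-xn0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

if [ -n "${FWCMD:-}" ]; then
    fwcmd="$FWCMD"
elif [ -x /sbin/ipfw ]; then
    fwcmd=/sbin/ipfw
else
    fwcmd=echo   # not a FreeBSD host: dry run, print the rules instead
fi

# Verify what rc.conf must already have done for NAT to work at all:
# gateway_enable="YES" turns on forwarding, firewall_nat_enable="YES" loads
# the ipfw_nat module. Returns 1 if either is missing (meaningful only on the
# FreeBSD host itself).
check_prereqs() {
    rc=0
    if [ "$(sysctl -n net.inet.ip.forwarding 2>/dev/null)" != "1" ]; then
        echo "net.inet.ip.forwarding is not 1: set gateway_enable=\"YES\" in rc.conf" >&2
        rc=1
    fi
    if ! kldstat -q -m ipfw_nat 2>/dev/null; then
        echo "ipfw_nat not loaded: set firewall_nat_enable=\"YES\" in rc.conf" >&2
        rc=1
    fi
    return $rc
}

# Load (or, with fwcmd=echo, print) the ruleset.
apply_rules() {
    $fwcmd -q -f flush
    $fwcmd add 100 allow ip from any to any via lo0

    # NAT instance 1 translates to the address of the external interface.
    # same_ports keeps source ports where possible; reset re-reads the
    # interface address if it changes (cloud instances get theirs from DHCP).
    $fwcmd nat 1 config if "$EXT_IF" same_ports reset

    # Both directions on the external interface pass through the instance:
    # client packets leaving get the server's address, replies coming back
    # are mapped to the client's tunnel address and then forwarded over $VPN_IF.
    $fwcmd add 200 nat 1 ip from "$VPN_NET" to any out via "$EXT_IF"
    $fwcmd add 210 nat 1 ip from any to any in via "$EXT_IF"

    # Let tunnel traffic in and keep everything else open, matching
    # firewall_type="open" from the post.
    $fwcmd add 300 allow ip from any to any via "$VPN_IF"
    $fwcmd add 65000 allow ip from any to any
}

if [ "$fwcmd" = /sbin/ipfw ]; then
    check_prereqs || echo "ipfw.rules: prerequisites missing, loading rules anyway" >&2
fi
apply_rules
```

Two points worth knowing when comparing this with the quoted rc.conf. First, when rc.conf sets firewall_script, /etc/rc.d/ipfw runs that script instead of /etc/rc.firewall, so firewall_type="open" and the natd/nat rule generation inside rc.firewall never take effect; the custom script has to carry the NAT rules itself, which is what this one does (firewall_nat_enable still matters, because rc.d/ipfw uses it to load the ipfw_nat module). Second, use one NAT mechanism at a time: with kernel NAT the natd_* lines stay commented out, as in the revised rc.conf, since natd would otherwise be running as well and expect a divert rule. Running the script with FWCMD=echo prints the ruleset, which can be checked against "ipfw list" on the server.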