Date:      Sat, 26 Aug 2017 11:13:40 -0500
From:      Adam Vande More <amvandemore@gmail.com>
To:        Fongaboo <freebsd@fongaboo.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)
Message-ID:  <CA%2BtpaK3yo1GYBc%2B62=%2BNoRuEFPgoZjaPEdW7KgxqX_hiQ6npZw@mail.gmail.com>
In-Reply-To: <alpine.BSF.2.20.1708260858410.50226@h4lix.wtfayla.net>
References:  <alpine.BSF.2.20.1708260858410.50226@h4lix.wtfayla.net>

On Sat, Aug 26, 2017 at 8:03 AM, Fongaboo <freebsd@fongaboo.com> wrote:

>
> I'm following this tutorial:
>
> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1
>
> Trying this on an AWS instance first and then planning to try on a bare
> metal colo server.
>
> OpenVPN client and daemon seem to be working, in terms of handshaking and
> connecting with each other. Problem is, no matter what I do, connected
> clients can't get out to the Internet through the server's gateway
> interface.
>
> I've tried setting up NATD, like the tutorial instructs. I've tried
> enabling ipfw_nat as described in this comment:
>
> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1?comment=40498
>
> rc.conf (for NATD):
>
> #enable firewall
> firewall_enable="YES"
> firewall_script="/usr/local/etc/ipfw.rules"
> firewall_type="open"
>
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="xn0"
> natd_flags="-dynamic -m"
>
> rc.conf (revised for ipfw_nat):
>
> #enable firewall
> firewall_enable="YES"
> firewall_script="/usr/local/etc/ipfw.rules"
> firewall_type="open"
> firewall_nat_enable="YES"
> firewall_nat_interface="xn0"
>
> gateway_enable="YES"
> #natd_enable="YES"
> #natd_interface="xn0"
> #natd_flags="-dynamic -m"
>
> *xn0 = external interface of the server
>
> Neither config allows Internet access. I have this line enabled in
> /usr/local/etc/openvpn/openvpn.conf:
>
> push "redirect-gateway def1 bypass-dhcp"
>
> Perhaps this is part of the solution?:
>
> # Configure server mode for ethernet bridging
> # using a DHCP-proxy, where clients talk
> # to the OpenVPN server-side DHCP server
> # to receive their IP address allocation
> # and DNS server addresses.  You must first use
> # your OS's bridging capability to bridge the TAP
> # interface with the ethernet NIC interface.
> # Note: this mode only works on clients (such as
> # Windows), where the client-side TAP adapter is
> # bound to a DHCP client.
> ;server-bridge
>
> Any advice would be appreciated. I'm willing to try any combination of
> ipfw vs. pf or natd vs. ipfw_nat or whatever if it will allow clients to
> see the WAN. TIA!
>

tcpdump and ipfw logs.

-- 
Adam
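Adam's reply points at the two pieces of evidence that separate the possible causes here: what `tcpdump -n` sees on the tunnel interface versus on the external interface (`xn0`), plus the ipfw rule counters. The script below is an added example, not part of this thread or of the DigitalOcean tutorial. It parses `tcpdump -n` TCP summary lines captured on `tun0` and on `xn0` for the same client flow and reports which stage is failing: the tunnel, IP forwarding, the NAT translation, or the upstream path. The VPN subnet (10.8.0.0/24), the `xn0` address (172.31.5.10) and all capture lines are constructed placeholders; the interface name `tun0` is assumed (OpenVPN's default with `dev tun`).

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed values (not from the thread): OpenVPN's default server subnet and a
# placeholder address for the external interface xn0.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
WAN_ADDR = ipaddress.ip_address("172.31.5.10")

# 'tcpdump -n -i tun0' as seen when a client opens an HTTPS connection (constructed).
TUN0_CAPTURE = """\
12:00:01.000001 IP 10.8.0.6.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP 10.8.0.6.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
"""

# Four constructed 'tcpdump -n -i xn0' captures, one per outcome the diagnosis separates.
XN0_NAT_OK = """\
12:00:01.000100 IP 172.31.5.10.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
12:00:01.010000 IP 93.184.216.34.443 > 172.31.5.10.51234: Flags [S.], seq 7, ack 2, win 65535, length 0
"""
XN0_NO_REPLY = """\
12:00:01.000100 IP 172.31.5.10.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
"""
XN0_NO_NAT = """\
12:00:01.000100 IP 10.8.0.6.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
"""
XN0_EMPTY = ""

# Matches the IPv4/TCP summary format tcpdump prints with -n: "<ts> IP a.b.c.d.port > e.f.g.h.port: Flags [..]"
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"Flags \[([^\]]+)\]"
)

@dataclass
class Packet:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    flags: str

def parse_tcpdump(capture: str) -> list[Packet]:
    """Parse tcpdump -n TCP lines; non-matching lines (ARP, ICMP, etc.) are skipped."""
    packets = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        packets.append(Packet(ipaddress.ip_address(src), int(sport),
                              ipaddress.ip_address(dst), int(dport), flags))
    return packets

EXPLANATIONS = {
    "no-client-traffic": "nothing from the VPN subnet on tun0: the tunnel itself is not carrying packets",
    "not-forwarded": "client packets reach tun0 but nothing leaves xn0: forwarding is off "
                     "(gateway_enable sets net.inet.ip.forwarding=1) or an ipfw rule drops them before the NAT rule",
    "no-nat": "VPN source addresses appear unchanged on xn0: forwarding works but no divert/nat rule is translating them",
    "no-reply": "outbound SYNs leave xn0 with the WAN address but no SYN-ACK comes back: the problem is upstream of this host",
    "nat-ok": "translated SYNs go out and replies return on xn0: check the reverse translation and the inbound path back to tun0",
}

def diagnose(tun0_capture: str, xn0_capture: str,
             vpn_net: ipaddress.IPv4Network, wan_addr: ipaddress.IPv4Address) -> str:
    """Return a short code naming the first failing stage for a client flow."""
    client_pkts = [p for p in parse_tcpdump(tun0_capture) if p.src in vpn_net]
    if not client_pkts:
        return "no-client-traffic"
    wan_pkts = parse_tcpdump(xn0_capture)
    if not wan_pkts:
        return "not-forwarded"
    if any(p.src in vpn_net for p in wan_pkts):
        return "no-nat"
    outbound = [p for p in wan_pkts if p.src == wan_addr]
    replies = [p for p in wan_pkts if p.dst == wan_addr and "S." in p.flags]
    if outbound and not replies:
        return "no-reply"
    return "nat-ok"

if __name__ == "__main__":
    for name, cap in [("ok", XN0_NAT_OK), ("no-reply", XN0_NO_REPLY),
                      ("no-nat", XN0_NO_NAT), ("empty", XN0_EMPTY)]:
        code = diagnose(TUN0_CAPTURE, cap, VPN_NET, WAN_ADDR)
        print(f"xn0 capture '{name}': {code}: {EXPLANATIONS[code]}")
```

In practice the captures come from running `tcpdump -n -i tun0` and `tcpdump -n -i xn0` on the server while a client tries to reach a host, filtered to the client's flow. The "no-nat" and "not-forwarded" outcomes are the ones to compare against `ipfw -a list`: if the packet counter on the divert or nat rule is not incrementing while the client is sending, the rule is not seeing the traffic, which is the first thing to settle before changing between natd and ipfw_nat.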



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CA%2BtpaK3yo1GYBc%2B62=%2BNoRuEFPgoZjaPEdW7KgxqX_hiQ6npZw>