Date: Sat, 26 Aug 2017 16:12:30 -0400 (EDT)
From: Fongaboo <freebsd@fongaboo.com>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)
Message-ID: <alpine.BSF.2.20.1708261601320.50226@h4lix.wtfayla.net>
In-Reply-To: <CA+tpaK3yo1GYBc+62=+NoRuEFPgoZjaPEdW7KgxqX_hiQ6npZw@mail.gmail.com>
References: <alpine.BSF.2.20.1708260858410.50226@h4lix.wtfayla.net> <CA+tpaK3yo1GYBc+62=+NoRuEFPgoZjaPEdW7KgxqX_hiQ6npZw@mail.gmail.com>
I switched from IPFW to PF to try the config described here:

https://forums.freebsd.org/threads/59223/#post-339781

/var/log/pflog is a tcpdump file. If I run tcpdump -r /var/log/pflog, I get:

tcpdump -r /var/log/pflog
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
18:06:01.613027 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:06:03.971339 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:06:08.675294 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:06:17.278446 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:06:33.344992 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:12:02.691919 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:12:05.261983 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:12:08.931149 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:12:17.402740 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:12:32.635587 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:22:20.921185 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 4035284244, ack 1027120871, win 65535, length 0
18:23:24.940182 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:24:28.983673 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:25:33.030676 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:26:37.046672 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:27:41.086657 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:28:45.098661 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:29:49.131903 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:30:53.149655 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [R.], seq 1, ack 1, win 65535, length 0
18:33:50.511601 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 28
18:33:50.723636 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 28
18:33:51.148137 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 48
18:33:53.262119 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 48
18:54:37.515017 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:54:39.561270 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:54:43.638084 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:54:52.017993 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:55:08.264719 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:55:42.101742 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:55:44.380150 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:55:47.824354 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:55:56.645017 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:56:11.651346 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
19:03:15.099495 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 1970151435, ack 1289455849, win 1041, length 0
19:04:19.102813 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0
19:05:23.117498 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0

Running tcpdump then connecting client:

tcpdump | grep openvpn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on xn0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:04:17.710245 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 509
20:04:18.553458 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:18.553557 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 53
20:04:18.618648 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 109
20:04:18.675979 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
20:04:18.681394 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 109
20:04:18.761257 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
20:04:18.809412 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:19.175102 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:19.409976 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
20:04:19.409994 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
20:04:19.410001 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
20:04:19.410081 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
20:04:19.410084 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:19.410085 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:19.410106 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:19.802659 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 85
20:04:22.129320 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
20:04:22.129470 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 26
20:04:22.177060 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
20:04:22.182265 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 203
20:04:22.189218 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 126
20:04:22.189240 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.189249 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.189276 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.233404 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
20:04:22.233419 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
20:04:22.233603 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.237922 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
20:04:22.237927 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
20:04:22.237964 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.237977 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.237987 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.271936 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
20:04:22.272042 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.276420 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22

On Sat, 26 Aug 2017, Adam Vande More wrote:

> On Sat, Aug 26, 2017 at 8:03 AM, Fongaboo <freebsd@fongaboo.com> wrote:
>
>>
>> I'm following this tutorial:
>>
>> https://www.digitalocean.com/community/tutorials/how-to-conf
>> igure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1
>>
>> Trying this on an AWS instance first and then planning to try on a bare
>> metal colo server.
>>
>> OpenVPN client and daemon seem to be working, in terms of handshaking and
>> connecting with each other. Problem is, no matter what I do, connected
>> clients can't get out to the Internet through the server's gateway
>> interface.
>>
>> I've tried setting up NATD, like the tutorial instructs. I've tried
>> enabling ipfw_nat as described in this comment:
>>
>> https://www.digitalocean.com/community/tutorials/how-to-conf
>> igure-and-connect-to-a-private-openvpn-server-on-freebsd-10-
>> 1?comment=40498
>>
>> rc.conf (for NATD):
>>
>> #enable firewall
>> firewall_enable="YES"
>> firewall_script="/usr/local/etc/ipfw.rules"
>> firewall_type="open"
>>
>> gateway_enable="YES"
>> natd_enable="YES"
>> natd_interface="xn0"
>> natd_flags="-dynamic -m"
>>
>> rc.conf (revised for ipfw_nat):
>>
>> #enable firewall
>> firewall_enable="YES"
>> firewall_script="/usr/local/etc/ipfw.rules"
>> firewall_type="open"
>> firewall_nat_enable="YES"
>> firewall_nat_interface="xn0"
>>
>> gateway_enable="YES"
>> #natd_enable="YES"
>> #natd_interface="xn0"
>> #natd_flags="-dynamic -m"
>>
>> *xn0 = external interface of the server
>>
>> Neither config allows Internet access. I have this line enabled in
>> /usr/local/etc/openvpn/openvpn.conf:
>>
>> push "redirect-gateway def1 bypass-dhcp"
>>
>> Perhaps this is part of the solution?:
>>
>> # Configure server mode for ethernet bridging
>> # using a DHCP-proxy, where clients talk
>> # to the OpenVPN server-side DHCP server
>> # to receive their IP address allocation
>> # and DNS server addresses. You must first use
>> # your OS's bridging capability to bridge the TAP
>> # interface with the ethernet NIC interface.
>> # Note: this mode only works on clients (such as
>> # Windows), where the client-side TAP adapter is
>> # bound to a DHCP client.
>> ;server-bridge
>>
>> Any advice would be appreciated. I'm willing to try any combination of
>> ipfw vs. pf or natd vs. ipfw_nat or whatever if it will allow clients to
>> see the WAN. TIA!
>>
>
> tcpdump and ipfw logs.
>
> --
> Adam
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
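Added example (my own code, not part of the thread or of any project it mentions): a small Python parser for the one-packet-per-line text that tcpdump prints in both captures above. It groups packets into bidirectional flows and flags flows seen in only one direction. That distinction is the useful bit for reading the two captures side by side: /var/log/pflog holds only packets that matched a pf rule carrying the log keyword, so a flow that appears there in one direction only tells you which rule, and which side of the conversation, pf is logging, whereas the live capture on xn0 shows the OpenVPN exchange in both directions. The sample lines are copied from the captures in the message; the constants and function names are mine.

```python
"""Summarise tcpdump text output by flow and direction.

Added example, not code from the thread. The sample lines below are copied
from the two captures in the message; all names in this file are my own.
"""
import re
from collections import defaultdict

# One representative line per flow from the pflog capture in the message.
PFLOG_SAMPLE = """\
18:06:01.613027 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:06:03.971339 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
19:03:15.099495 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 1970151435, ack 1289455849, win 1041, length 0
18:33:50.511601 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 28
"""

# First lines of the live capture on xn0, banner lines included on purpose.
LIVE_SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on xn0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:04:17.710245 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 509
20:04:18.553458 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:18.553557 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 53
"""

# timestamp, address family, "src > dst:", then the protocol-specific remainder
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<fam>IP6?) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
LEN_RE = re.compile(r"length (\d+)")


def split_endpoint(endpoint, fam):
    """Return (host, port). tcpdump prints 'host.port' for TCP/UDP; ICMPv6
    endpoints such as '::' or 'ff02::16' carry no port, so leave them whole."""
    if fam == "IP6" and "." not in endpoint:
        return endpoint, None
    host, _, port = endpoint.rpartition(".")
    return host, port


def classify(rest):
    """Derive the transport from the text after the colon."""
    if rest.startswith("UDP"):
        return "udp"
    if rest.startswith("Flags ["):
        return "tcp"
    if "ICMP6" in rest:
        return "icmp6"
    return "other"


def parse_line(line):
    """Parse one packet line; return None for banners and other non-packet text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    length = LEN_RE.search(m["rest"])
    return {
        "ts": m["ts"],
        "proto": classify(m["rest"]),
        "src": split_endpoint(m["src"], m["fam"]),
        "dst": split_endpoint(m["dst"], m["fam"]),
        "length": int(length.group(1)) if length else 0,
    }


def parse_capture(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Group packets into flows keyed by (proto, endpoint_a, endpoint_b), with the
    endpoints sorted so both directions land on the same key, and count each direction."""
    flows = defaultdict(lambda: {"a_to_b": 0, "b_to_a": 0, "bytes": 0})
    for r in records:
        a, b = sorted([r["src"], r["dst"]], key=str)
        entry = flows[(r["proto"], a, b)]
        entry["a_to_b" if r["src"] == a else "b_to_a"] += 1
        entry["bytes"] += r["length"]
    return dict(flows)


def one_way_flows(records):
    """Flows with packets in one direction only. In a pflog file that usually means
    the logging rule matched only one side of the conversation."""
    return [k for k, v in summarize(records).items() if v["a_to_b"] == 0 or v["b_to_a"] == 0]


def endpoint_str(e):
    return f"{e[0]}.{e[1]}" if e[1] else e[0]


def report(text):
    """One line per flow with per-direction packet counts; one-way flows are tagged."""
    lines = []
    for (proto, a, b), v in sorted(summarize(parse_capture(text)).items(), key=str):
        tag = " ONE-WAY" if v["a_to_b"] == 0 or v["b_to_a"] == 0 else ""
        lines.append(f"{proto:5} {endpoint_str(a)} <-> {endpoint_str(b)}  "
                     f"a->b={v['a_to_b']} b->a={v['b_to_a']} bytes={v['bytes']}{tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("pflog capture:\n" + report(PFLOG_SAMPLE))
    print("\nlive capture on xn0:\n" + report(LIVE_SAMPLE))
```

Run it as-is to see both summaries. To use it on a real capture, pass the text of tcpdump -r /var/log/pflog or of a live tcpdump to report(). Taking one summary on the OpenVPN tunnel interface (tun0 by default) and one on the external interface, while a connected client tries to reach the Internet, shows at which hop the clients' outbound packets stop and whether any translated reply ever comes back, which is the question the NAT configs in the quoted message leave open.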