From: Fongaboo
Date: Sat, 26 Aug 2017 16:12:30 -0400 (EDT)
To: FreeBSD Questions
Subject: Re: STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)

I switched from IPFW to PF to try the config described here:
https://forums.freebsd.org/threads/59223/#post-339781
/var/log/pflog is a tcpdump file. If I run tcpdump -r /var/log/pflog, I get:

tcpdump -r /var/log/pflog
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
18:06:01.613027 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:06:03.971339 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:06:08.675294 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:06:17.278446 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:06:33.344992 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:12:02.691919 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:12:05.261983 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:12:08.931149 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:12:17.402740 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:12:32.635587 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:22:20.921185 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 4035284244, ack 1027120871, win 65535, length 0
18:23:24.940182 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:24:28.983673 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:25:33.030676 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:26:37.046672 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:27:41.086657 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:28:45.098661 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:29:49.131903 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:30:53.149655 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [R.], seq 1, ack 1, win 65535, length 0
18:33:50.511601 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 28
18:33:50.723636 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 28
18:33:51.148137 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 48
18:33:53.262119 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 48
18:54:37.515017 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:54:39.561270 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:54:43.638084 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:54:52.017993 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:55:08.264719 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:55:42.101742 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:55:44.380150 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:55:47.824354 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:55:56.645017 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:56:11.651346 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
19:03:15.099495 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 1970151435, ack 1289455849, win 1041, length 0
19:04:19.102813 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0
19:05:23.117498 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0

Running tcpdump then connecting client:

tcpdump | grep openvpn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on xn0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:04:17.710245 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 509
20:04:18.553458 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:18.553557 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 53
20:04:18.618648 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 109
20:04:18.675979 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
20:04:18.681394 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 109
20:04:18.761257 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
20:04:18.809412 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:19.175102 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:19.409976 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
20:04:19.409994 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
20:04:19.410001 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
20:04:19.410081 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
20:04:19.410084 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:19.410085 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:19.410106 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:19.802659 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 85
20:04:22.129320 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
20:04:22.129470 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 26
20:04:22.177060 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
20:04:22.182265 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 203
20:04:22.189218 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 126
20:04:22.189240 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.189249 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.189276 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.233404 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
20:04:22.233419 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
20:04:22.233603 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.237922 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
20:04:22.237927 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
20:04:22.237964 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.237977 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.237987 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.271936 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
20:04:22.272042 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.276420 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22

On Sat, 26 Aug 2017, Adam Vande More wrote:

> On Sat, Aug 26, 2017 at 8:03 AM, Fongaboo wrote:
>
>> I'm following this tutorial:
>>
>> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1
>>
>> Trying this on an AWS instance first and then planning to try on a bare
>> metal colo server.
>>
>> OpenVPN client and daemon seem to be working, in terms of handshaking and
>> connecting with each other. Problem is, no matter what I do, connected
>> clients can't get out to the Internet through the server's gateway
>> interface.
>>
>> I've tried setting up NATD, like the tutorial instructs. I've tried
>> enabling ipfw_nat as described in this comment:
>>
>> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1?comment=40498
>>
>> rc.conf (for NATD):
>>
>> #enable firewall
>> firewall_enable="YES"
>> firewall_script="/usr/local/etc/ipfw.rules"
>> firewall_type="open"
>>
>> gateway_enable="YES"
>> natd_enable="YES"
>> natd_interface="xn0"
>> natd_flags="-dynamic -m"
>>
>> rc.conf (revised for ipfw_nat):
>>
>> #enable firewall
>> firewall_enable="YES"
>> firewall_script="/usr/local/etc/ipfw.rules"
>> firewall_type="open"
>> firewall_nat_enable="YES"
>> firewall_nat_interface="xn0"
>>
>> gateway_enable="YES"
>> #natd_enable="YES"
>> #natd_interface="xn0"
>> #natd_flags="-dynamic -m"
>>
>> *xn0 = external interface of the server
>>
>> Neither config allows Internet access. I have this line enabled in
>> /usr/local/etc/openvpn/openvpn.conf:
>>
>> push "redirect-gateway def1 bypass-dhcp"
>>
>> Perhaps this is part of the solution?:
>>
>> # Configure server mode for ethernet bridging
>> # using a DHCP-proxy, where clients talk
>> # to the OpenVPN server-side DHCP server
>> # to receive their IP address allocation
>> # and DNS server addresses. You must first use
>> # your OS's bridging capability to bridge the TAP
>> # interface with the ethernet NIC interface.
>> # Note: this mode only works on clients (such as
>> # Windows), where the client-side TAP adapter is
>> # bound to a DHCP client.
>> ;server-bridge
>>
>> Any advice would be appreciated. I'm willing to try any combination of
>> ipfw vs. pf or natd vs. ipfw_nat or whatever if it will allow clients to
>> see the WAN. TIA!
>>
>
> tcpdump and ipfw logs.
>
> --
> Adam
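One way to read captures like the two above, as an added example that is not part of the thread or of any project: a small Python parser for tcpdump's text lines that groups packets into conversations and reports the ones seen in only one direction, which is what distinguishes the pflog dump (client packets logged, no replies) from the live capture (server answering). The sample lines are constructed after the captures above; real runs would feed it the output of `tcpdump -r /var/log/pflog`.

```python
import re
from collections import Counter

# Constructed samples in tcpdump's text format, modelled on the captures in
# the mail above (not the original captures). PFLOG_SAMPLE mirrors the pflog
# dump, where only one direction was logged; LIVE_SAMPLE mirrors the live capture.
PFLOG_SAMPLE = """\
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
18:06:01.613027 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:06:03.971339 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
19:03:15.099495 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0
19:04:19.102813 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0
"""
LIVE_SAMPLE = """\
20:04:22.129320 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
20:04:22.129470 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 26
"""

# One packet line: timestamp, IP or IP6, "src.port > dst.port:", then the rest.
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")

def split_endpoint(ep):
    """tcpdump joins host and port with the last dot: 'a.b.c.smtp' -> ('a.b.c', 'smtp')."""
    if "." not in ep:          # bare IPv6 addresses such as '::' carry no port
        return ep, ""
    host, _, port = ep.rpartition(".")
    return host, port

def parse_line(line):
    """Return the addressing fields of one packet line, or None for non-packet lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    proto = "UDP" if m["rest"].startswith("UDP") else "TCP" if m["rest"].startswith("Flags") else "OTHER"
    return {"ts": m["ts"], "src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}

def flow_key(p):
    """Direction-agnostic key so both halves of a conversation group together."""
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (p["proto"],) + (a + b if a <= b else b + a)

def one_way_flows(text):
    """Conversations in which packets were seen in only one direction, with counts."""
    seen = {}
    for line in text.splitlines():
        p = parse_line(line)
        if p is not None:
            seen.setdefault(flow_key(p), Counter())[(p["src"], p["dst"])] += 1
    return {k: dict(v) for k, v in seen.items() if len(v) == 1}
```

A one-way OpenVPN entry in pflog output means the logged rule saw the client's packets but never a server reply on that path; comparing it against the same flow in a live capture on the interface shows whether the filter or the routing is where the reply disappears.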