Date: Sun, 27 Aug 2017 20:39:33 -0400 (EDT)
From: Fongaboo <freebsd@fongaboo.com>
To: freebsd-questions@freebsd.org
Subject: Re: STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)
Message-ID: <alpine.BSF.2.20.1708272024330.50226@h4lix.wtfayla.net>
In-Reply-To: <20170827164229.W23641@sola.nimnet.asn.au>
References: <mailman.1203.1503788746.74519.freebsd-questions@freebsd.org> <20170827164229.W23641@sola.nimnet.asn.au>
On Sun, 27 Aug 2017, Ian Smith wrote:

> I know next to nothing about OpenVPN - though the digitalocean tutorial
> looks pretty thorough on the surface - and absolutely nothing about AWS,
> but do know a bit about ipfw and friends.

Yeah, I figured this was more a pure firewall and routing issue contextual to FreeBSD than anything OpenVPN-specific.

> Your changing of the default firewall_script from /etc/rc.firewall to
> "/usr/local/etc/ipfw.rules" suggests that you've been unfortunately
> ill-advised by the still-dreadful IPFW section in the handbook, written
> by someone who uses ipfilter. Rely on /etc/rc.firewall and ipfw(8) for
> accurate information on using ipfw.

I'm not sure what you mean by "Rely on /etc/rc.firewall and ipfw(8)". Are these files in FreeBSD to refer to? Or are you talking about the respective handbook entries for these things?

> I note that the digitalocean tute did not make that mistake, though it
> would be more up-to-date to use firewall_nat_enable rather than natd(8),
> however natd works as well as ever, if a bit more slowly (extra process)
>
> So .. firewall_type="open" is a parameter to whatever firewall_script.
> /etc/rc.firewall uses that to generate an open firewall, i.e. inserting
> 'pass all from any to any', overriding the default 'deny all from any
> to any'. You didn't show your ipfw.rules, but I doubt it parses 'open'
> as a parameter - so it would not be surprising if you were locked out.

So when I eliminate 'firewall_script="/usr/local/etc/ipfw.rules"', what is IPFW using for its rules?

> > gateway_enable="YES"
> > natd_enable="YES"
> > natd_interface="xn0"
> > natd_flags="-dynamic -m"
> >
> > rc.conf (revised for ipfw_nat):
> >
> > #enable firewall
> > firewall_enable="YES"
> > firewall_script="/usr/local/etc/ipfw.rules"
> > firewall_type="open"
>
> Same problem here. Comment out that firewall_script line to get the
> default, as shown in /etc/defaults/rc.conf
>
> > firewall_nat_enable="YES"
> > firewall_nat_interface="xn0"
> >
> > gateway_enable="YES"
>
> You'll likely need some firewall_nat_flags as well. See rc.firewall for
> NAT setup (natd or firewall_nat) with 'open' or 'client' rulesets.
>
> > #natd_enable="YES"
> > #natd_interface="xn0"
> > #natd_flags="-dynamic -m"
> >
> > *xn0 = external interface of the server
> >
> > Neither config allows Internet access.
>
> Try it with the default firewall_script, for a proper open firewall,
> that you can condition to suit once your VPN stuff is all working.

So in short, you think 'firewall_nat_enable' and a combination of some firewall_nat_flags will accomplish the gateway redirection to the WAN? Just want to make sure I'm following correctly.

> pf is fine too of course, properly configured, but I hate seeing people
> quit using ipfw because of some truly bad advice from >10 years ago :(
>
> As for this thread in general, it'd be really nice if people would not
> re-re-quote long messages including tcpdumps to add one-line comments,
> whether top- or bottom-posted - this digest was five times normal size.
>
> cheers, Ian
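The rc.conf combinations discussed in this exchange (a custom firewall_script silently discarding firewall_type="open", natd(8) versus the in-kernel firewall_nat_enable, and gateway_enable) can be checked mechanically before rebooting a remote host. The script below is an added example, not code from this thread or from FreeBSD's own rc scripts: a POSIX sh script that reads an rc.conf, reports those conflicts, and prints a corrected fragment. The two sample rc.conf contents are constructed from the settings quoted above (the "as posted" one deliberately leaves the natd lines active to show the duplicate-NAT finding), and the firewall_nat_flags value in the corrected fragment is this example's assumption, not advice from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): a static check for the rc.conf
# combinations discussed above. The sample rc.conf contents are constructed
# from the settings quoted in the thread; the check only reads text, so it
# runs on any POSIX sh, not just on FreeBSD.

# rcconf_get FILE VAR: print the value of VAR="value" (or VAR=value) in FILE.
# Commented-out lines (#natd_enable=...) do not match because of the ^ anchor.
rcconf_get() {
    sed -n 's/^[[:space:]]*'"$2"'="\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1" | tail -n 1
}

# check_rcconf FILE: print one line per problem found; prints nothing if clean.
check_rcconf() {
    f=$1
    script=$(rcconf_get "$f" firewall_script)
    fwtype=$(rcconf_get "$f" firewall_type)
    # firewall_type is only interpreted by /etc/rc.firewall; a custom
    # firewall_script receives the value but nothing makes it mean "open".
    if [ -n "$script" ] && [ "$script" != "/etc/rc.firewall" ] && [ -n "$fwtype" ]; then
        echo "firewall_type=\"$fwtype\" is ignored because firewall_script=\"$script\" replaces /etc/rc.firewall"
    fi
    # natd(8) and in-kernel ipfw nat are alternatives; enabling both means
    # two translators competing for the same external interface.
    if [ "$(rcconf_get "$f" natd_enable)" = "YES" ] && \
       [ "$(rcconf_get "$f" firewall_nat_enable)" = "YES" ]; then
        echo "natd_enable and firewall_nat_enable are both YES; enable only one"
    fi
    # Without forwarding, VPN clients' packets are never routed out at all.
    if [ "$(rcconf_get "$f" gateway_enable)" != "YES" ]; then
        echo "gateway_enable is not YES; the host will not forward packets"
    fi
}

# Constructed sample: the posted "revised for ipfw_nat" rc.conf, with the
# natd lines left active as well so the duplicate-NAT check fires.
posted_rcconf() {
    cat <<'EOF'
#enable firewall
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="xn0"
gateway_enable="YES"
natd_enable="YES"
natd_interface="xn0"
natd_flags="-dynamic -m"
EOF
}

# Constructed corrected fragment: default firewall_script, in-kernel NAT,
# natd off. same_ports is the ipfw-nat spelling of natd's -m; the choice
# of flags is this example's assumption, not advice from the thread.
corrected_rcconf() {
    cat <<'EOF'
firewall_enable="YES"
# firewall_script left at the /etc/defaults/rc.conf value, /etc/rc.firewall
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="xn0"
firewall_nat_flags="same_ports reset"
gateway_enable="YES"
#natd_enable="YES"
#natd_interface="xn0"
#natd_flags="-dynamic -m"
EOF
}

# Demo: write both samples to temp files and run the check on each.
tmp_bad=$(mktemp) && tmp_good=$(mktemp)
posted_rcconf > "$tmp_bad"
corrected_rcconf > "$tmp_good"
echo "== as posted =="; check_rcconf "$tmp_bad"
echo "== corrected =="; check_rcconf "$tmp_good"
rm -f "$tmp_bad" "$tmp_good"
```

With the default firewall_script, /etc/rc.firewall is what builds the "open" ruleset and also what hands firewall_nat_interface and firewall_nat_flags to the `ipfw nat ... config` command; on the FreeBSD host itself, `ipfw nat show config` and `ipfw list` show what actually got installed after `service ipfw restart`.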