From: Fongaboo
Date: Sun, 27 Aug 2017 20:39:33 -0400 (EDT)
To: freebsd-questions@freebsd.org
Subject: Re: STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)
In-Reply-To: <20170827164229.W23641@sola.nimnet.asn.au>

On Sun, 27 Aug 2017, Ian Smith wrote:

> I know next to nothing about OpenVPN - though the digitalocean tutorial
> looks pretty thorough on the surface - and absolutely nothing about AWS,
> but do know a bit about ipfw and friends.

Yeah, I figured this was more a pure firewall and routing issue contextual to FreeBSD than anything OpenVPN-specific.

> Your changing of the default firewall_script from /etc/rc.firewall to
> "/usr/local/etc/ipfw.rules" suggests that you've been unfortunately
> ill-advised by the still-dreadful IPFW section in the handbook, written
> by someone who uses ipfilter. Rely on /etc/rc.firewall and ipfw(8) for
> accurate information on using ipfw.

I'm not sure what you mean by "Rely on /etc/rc.firewall and ipfw(8)". Are these files in FreeBSD to refer to? Or are you talking about the respective handbook entries for these things?

> I note that the digitalocean tute did not make that mistake, though it
> would be more up-to-date to use firewall_nat_enable rather than natd(8),
> however natd works as well as ever, if a bit more slowly (extra process)
>
> So .. firewall_type="open" is a parameter to whatever firewall_script.
> /etc/rc.firewall uses that to generate an open firewall, i.e. inserting
> 'pass all from any to any', overriding the default 'deny all from any
> to any'. You didn't show your ipfw.rules, but I doubt it parses 'open'
> as a parameter - so it would not be surprising if you were locked out.

So when I eliminate 'firewall_script="/usr/local/etc/ipfw.rules"', what is IPFW using for its rules?

> > gateway_enable="YES"
> > natd_enable="YES"
> > natd_interface="xn0"
> > natd_flags="-dynamic -m"
> >
> > rc.conf (revised for ipfw_nat):
> >
> > #enable firewall
> > firewall_enable="YES"
> > firewall_script="/usr/local/etc/ipfw.rules"
> > firewall_type="open"
>
> Same problem here. Comment out that firewall_script line to get the
> default, as shown in /etc/defaults/rc.conf
>
> > firewall_nat_enable="YES"
> > firewall_nat_interface="xn0"
> >
> > gateway_enable="YES"
>
> You'll likely need some firewall_nat_flags as well. See rc.firewall for
> NAT setup (natd or firewall_nat) with 'open' or 'client' rulesets.
>
> > #natd_enable="YES"
> > #natd_interface="xn0"
> > #natd_flags="-dynamic -m"
> >
> > *xn0 = external interface of the server
> >
> > Neither config allows Internet access.
>
> Try it with the default firewall_script, for a proper open firewall,
> that you can condition to suit once your VPN stuff is all working.

So in short, you think 'firewall_nat_enable' and a combination of some firewall_nat_flags will accomplish the gateway redirection to the WAN? Just want to make sure I'm following correctly.

> pf is fine too of course, properly configured, but I hate seeing people
> quit using ipfw because of some truly bad advice from >10 years ago :(
>
> As for this thread in general, it'd be really nice if people would not
> re-re-quote long messages including tcpdumps to add one-line comments,
> whether top- or bottom-posted - this digest was five times normal size.
>
> cheers, Ian
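As an added example (not code from the thread, from FreeBSD, or from the digitalocean tutorial), here is a small POSIX sh linter for the rc.conf combinations Ian points out: a custom firewall_script silently ignores firewall_type, natd and in-kernel ipfw nat should not both be on, and NAT is useless without gateway_enable. The helper names rc_get and rc_lint are my own, and both rc.conf fragments are constructed to mirror the ones quoted above.

```sh
#!/bin/sh
# Added example (not from the thread); rc_get/rc_lint are my own helper names.
# Constructed sample: the "revised for ipfw_nat" rc.conf from the thread, natd lines uncommented.
BROKEN_RCCONF='firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="xn0"
gateway_enable="YES"
natd_enable="YES"'
# Constructed sample following Ian's advice: default firewall_script, one NAT method only.
FIXED_RCCONF='firewall_enable="YES"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="xn0"
gateway_enable="YES"
#natd_enable="YES"'

# rc_get NAME CONF: unquoted value of NAME (last assignment wins, '#' lines ignored), or nothing.
rc_get() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1=//p" | tail -n 1 | tr -d '"'
}

# rc_lint CONF: print one finding per line; return 0 only if there are none.
rc_lint() {
    lint_n=0
    script=$(rc_get firewall_script "$1")
    ftype=$(rc_get firewall_type "$1")
    natd=$(rc_get natd_enable "$1")
    fwnat=$(rc_get firewall_nat_enable "$1")
    # firewall_type is parsed by /etc/rc.firewall; a custom firewall_script never sees it
    if [ -n "$script" ] && [ "$script" != "/etc/rc.firewall" ] && [ -n "$ftype" ]; then
        echo "firewall_type=\"$ftype\" is only interpreted by /etc/rc.firewall; $script ignores it"
        lint_n=$((lint_n + 1))
    fi
    # natd(8) and in-kernel ipfw nat are alternatives, not a pair
    if [ "$natd" = "YES" ] && [ "$fwnat" = "YES" ]; then
        echo "natd_enable and firewall_nat_enable are both YES; use one NAT method"
        lint_n=$((lint_n + 1))
    fi
    # NAT without forwarding: packets from VPN clients are never routed out the WAN interface
    if { [ "$natd" = "YES" ] || [ "$fwnat" = "YES" ]; } && [ "$(rc_get gateway_enable "$1")" != "YES" ]; then
        echo "NAT is enabled but gateway_enable is not YES, so nothing is forwarded"
        lint_n=$((lint_n + 1))
    fi
    [ "$lint_n" -eq 0 ]
}
rc_lint "$BROKEN_RCCONF" || echo "BROKEN_RCCONF: $lint_n finding(s)"
rc_lint "$FIXED_RCCONF" && echo "FIXED_RCCONF: clean"
```

Run it against a real /etc/rc.conf with `rc_lint "$(cat /etc/rc.conf)"`; the linter does not know which firewall_nat_flags a given setup needs, so that part of Ian's advice still has to come from rc.firewall and ipfw(8).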