From: Steve O'Hara-Smith
To: freebsd-questions@freebsd.org
Date: Tue, 5 Sep 2017 09:53:20 +0100
Subject: Re: openvpn
Message-Id: <20170905095320.c18c3940ff2af2c79dcce8e1@sohara.org>
In-Reply-To: <4DAB2317-52AD-463E-891C-811BE7E9ED76@mail.sermon-archive.info>
References: <440b79af-a159-1806-122e-155c26f42417@baywinds.org> <4DAB2317-52AD-463E-891C-811BE7E9ED76@mail.sermon-archive.info>

On Mon, 4 Sep 2017 23:33:38 -0700 Doug Hardie wrote:

> Thanks for the info. I am making headway on this. I used the
> server.conf file and after a bit of horsing around with the key file, I
> got a connection to work. However, there are still some routing issues
> from the client to local machines. While everything works well with IP
> addresses, DNS is an issue. iOS is still going to the internet for DNS.

	That is easily fixed, you'll want a line like this in your openvpn config:

push "dhcp-option DNS 192.168.63.238"

Obviously change the IP address to wherever your DNS server is.

> I need to be able to tell it to "drop" the internet connection for
> everything (except connectivity) and use the VPN or to use the VPN for
> DNS. I am using routing, but wonder if bridging might be a better

	The latter (VPN for DNS) is usually the best approach, there's a lot to be said for only putting traffic over the VPN that needs to go there.

> approach.

	Bridging is rarely the best option.

-- 
Steve O'Hara-Smith
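An added server.conf fragment, not from either poster, showing the split-tunnel setup Steve recommends (pushed resolver plus a route for the LAN only) next to the full-tunnel alternative Doug describes. It assumes routed tun mode, a LAN of 192.168.63.0/24 containing the 192.168.63.238 resolver from the reply, and a client pool of 10.8.0.0/24; the search domain is a placeholder.

```conf
# Added example (not the thread's own config).
# Assumed: tun/routed mode, LAN 192.168.63.0/24, client pool 10.8.0.0/24.
dev tun
server 10.8.0.0 255.255.255.0

# Hand clients the internal resolver so LAN names are answered over the VPN
# instead of the client's public resolver. Address from the reply above.
push "dhcp-option DNS 192.168.63.238"

# Optional: a search domain for short hostnames (placeholder value).
# push "dhcp-option DOMAIN lan.example"

# Split tunnel: route only the LAN through the tunnel; all other traffic keeps
# the client's normal default route. Only the traffic that needs the VPN uses it.
push "route 192.168.63.0 255.255.255.0"

# Full tunnel alternative ("drop the internet connection for everything"):
# uncomment to send all client traffic via the VPN. The server then has to
# forward and NAT clients' internet traffic, and the pushed resolver must be
# reachable from the tunnel or clients lose name resolution entirely.
# push "redirect-gateway def1"
```

After changing the server side, reconnect the client; the pushed options only take effect on a fresh connection.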