From: freebsd@fongaboo.com
To: freebsd-questions@freebsd.org
Date: Sun, 22 Feb 2015 13:30:17 -0500 (EST)
Subject: OpenVPN with NAT
In-Reply-To: <20150126213658.48423c08.freebsd@edvax.de>
References: <3kWFlD70VnzRRrw@baobab.bilink.it> <20150126213658.48423c08.freebsd@edvax.de>

I have a FreeBSD 10 box that I have set up with OpenVPN.
I've gotten it working, terminating at the server, with both a FreeBSD and a Windows client. Now I am trying to route Internet traffic through the VPN and out the server's gateway. From what I have read, it involves:

1) Configuring the FreeBSD server to be a gateway router:

       gateway_enable="YES"        (in /etc/rc.conf)

2) Enabling gateway redirection in OpenVPN on the server:

       push "redirect-gateway def1 bypass-dhcp"        (in /usr/local/etc/openvpn/openvpn.conf)

3) NAT'ing the OpenVPN clients to the WAN interface of the server. From what I've read, this can be done three ways:

       A) Using IPFW and NATD
       B) Using IPFW and kernel-based NAT
       C) Using NAT functions in PF

At the moment, I don't really want to go for option C, although I'm open to it in the long run. But switching to PF would require getting myself, and others working on this box, up to speed on PF... and recreating all my existing IPFW rules in PF.

I've tried option B, by entering IPFW rules such as:

       ipfw nat 1 config if em0
       ipfw add nat 1 all from 10.8.0.0/24 to any out via bge0
       ipfw add nat 1 all from any to any in via bge0

And I've tried option A by enabling NATD as described below in a post from last month. Unlike that poster, I want ALL my clients to route out through the VPN gateway, so I tried the 'unrefined' line as it is displayed below.

In all cases, the OpenVPN client does take over the gateway, but traffic goes nowhere. Nothing seems to make it out the external interface and back. NAT seems not to be succeeding no matter what I do.

Any advice?

TIA

On Mon, 26 Jan 2015, Polytropon wrote:

> On Mon, 26 Jan 2015 16:45:16 +0100, Luciano Mannucci wrote:
>> I have a freebsd machine (FreeBSD troika 10.1-RELEASE FreeBSD 10.1-RELEASE #0
>> r274401) with openvpn that works like a charm :-)...
>> I wish to nat one and only one of my openvpn clients, possibly for a
>> single destination. What's the better way to avoid disturbing the rest
>> of the operations?
>> Any clues?
>> Is IPFW my friend?
>
> Yes, that should work. In /etc/rc.conf, set
>
>     natd_enable="YES"
>     natd_interface="xl0"
>
> where "xl0" is the "outer" interface.
>
> In your custom /etc/ipfw.conf, add the rule
>
>     add divert natd ip from any to any via xl0
>
> and refine the "from any to any" part to reflect the
> IP addresses (and maybe specific ports) for the connection
> you want to translate, so the rule will only allow for
> that _one_ destination you want to enable.
>
>
> --
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
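As an added example (not part of this thread, and not the poster's or Polytropon's configuration), here is a small POSIX sh script for option B, IPFW with in-kernel NAT. It generates the rc.conf lines and the ipfw ruleset for a given WAN interface and VPN client subnet, and it runs the one consistency check a practitioner would want before anything else: the interface named in `ipfw nat N config if` must be the same interface the `via` clauses match on, since translation uses the address of the `config if` interface. The interface names bge0 and em0 and the 10.8.0.0/24 subnet are the values that appear in the post; the rc.conf variables are the ones documented in rc.conf(5) for FreeBSD's ipfw in-kernel NAT (an assumption about the target release, FreeBSD 10 in the thread).

```shell
#!/bin/sh
# Added example, not from the thread: build the IPFW in-kernel NAT rules
# (option B in the post) for OpenVPN clients and check them for an
# interface mismatch between 'nat N config if' and the 'via' clauses.
# Interface names (bge0, em0) and the 10.8.0.0/24 client subnet are the
# values used in the thread; rc.conf variable names follow rc.conf(5)
# (assumption: FreeBSD 10 with ipfw and in-kernel nat).

# Emit rc.conf lines: IP forwarding on, ipfw on, in-kernel NAT on the WAN interface.
gen_rc_conf() {
    wan="$1"
    printf 'gateway_enable="YES"\n'
    printf 'firewall_enable="YES"\n'
    printf 'firewall_nat_enable="YES"\n'
    printf 'firewall_nat_interface="%s"\n' "$wan"
}

# Emit the ipfw rules. $1 = WAN interface, $2 = VPN client subnet,
# $3 = nat instance number (default 1). The same interface name is used for
# 'config if' and for every 'via', which is the invariant checked below.
gen_nat_rules() {
    wan="$1"; vpn="$2"; inst="${3:-1}"
    printf 'ipfw nat %s config if %s\n' "$inst" "$wan"
    printf 'ipfw add nat %s all from %s to any out via %s\n' "$inst" "$vpn" "$wan"
    printf 'ipfw add nat %s all from any to any in via %s\n' "$inst" "$wan"
}

# Read a ruleset on stdin. Returns 0 when the 'nat N config if X' interface
# and every 'via X' interface agree, 1 when they differ, 2 when either is
# missing from the ruleset.
check_nat_ifaces() {
    rules=$(cat)
    cfg_if=$(printf '%s\n' "$rules" \
        | sed -n 's/.*ipfw nat [0-9][0-9]* config if \([^ ]*\).*/\1/p' | sort -u)
    via_if=$(printf '%s\n' "$rules" \
        | sed -n 's/.*via \([^ ]*\).*/\1/p' | sort -u)
    [ -n "$cfg_if" ] && [ -n "$via_if" ] || return 2
    [ "$cfg_if" = "$via_if" ]
}

# Demo: print a consistent configuration for bge0, then run the checker over
# the thread's own ruleset (config if em0, via bge0), which fails the check.
wan=bge0; vpn=10.8.0.0/24
gen_rc_conf "$wan"
gen_nat_rules "$wan" "$vpn"
if gen_nat_rules "$wan" "$vpn" | check_nat_ifaces; then
    echo "generated ruleset: nat interface and via interface agree"
fi
printf 'ipfw nat 1 config if em0\nipfw add nat 1 all from %s to any out via bge0\n' "$vpn" \
    | check_nat_ifaces \
    || echo "thread ruleset: nat instance bound to em0 but rules match via bge0"
```

The checker is deliberately text-based so it can be run against a saved ruleset on any machine, not only on the router itself; on the FreeBSD box, `ipfw list` and `ipfw nat 1 show config` give the live values to compare against `ifconfig`.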