From: freebsd@fongaboo.com
To: freebsd-questions@freebsd.org
Date: Sun, 22 Feb 2015 13:44:17 -0500 (EST)
Subject: Re: OpenVPN with NAT
References: <3kWFlD70VnzRRrw@baobab.bilink.it> <20150126213658.48423c08.freebsd@edvax.de>

P.S.

I believe I enabled the server to be a gateway immediately (without reboot) with:

sysctl net.inet.ip.forwarding=1

> sysctl -a | grep forwarding
net.inet.ip.forwarding: 1

I also had to do kldload ipdivert and kldload ipfw_nat before I could get a lot
of what I described to run without error (however, still non-functional).

On Sun, 22 Feb 2015, freebsd@fongaboo.com wrote:

>
> Have a FreeBSD 10 box I have set up with OpenVPN. I've gotten it working,
> terminating at the server, with both a FreeBSD and a Windows client.
>
> Now I am trying to route Internet traffic through the VPN and out the
> server's gateway. From what I have read, it involves:
>
> 1) Configuring the FreeBSD server to be a gateway router:
>
> gateway_enable="YES" (in /etc/rc.conf)
>
> 2) Enabling gateway redirection in OpenVPN on the server:
>
> push "redirect-gateway def1 bypass-dhcp" (in
> /usr/local/etc/openvpn/openvpn.conf)
>
> 3) NAT'ing the OpenVPN clients to the WAN interface of the server:
>
> From what I've read, this can be done three ways:
>
> A) Using IPFW and NATD
>
> B) Using IPFW and kernel-based NAT
>
> C) Using NAT functions in PF
>
>
> At the moment, I don't really want to go for option C, although open to it in
> the long run. But switching to PF would require getting myself, and others
> working on this box, up to speed on PF... and recreating all my existing IPFW
> rules in PF.
>
> I've tried Option B, by entering IPFW rules such as:
>
> ipfw nat 1 config if em0
> ipfw add nat 1 all from 10.8.0.0/24 to any out via bge0
> ipfw add nat 1 all from any to any in via bge0
>
> And I've tried Option A by enabling NATD as described below in a post from
> last month. Unlike that poster, I want ALL my clients to route out through
> the VPN gateway. So I tried the 'unrefined' line as it is displayed below.
>
> In all cases, the OpenVPN client does take over the gateway, but traffic goes
> nowhere. Nothing seems to make it out the external interface and back. NAT
> seems not to be succeeding no matter what I do. Any advice? TIA
>
>
> On Mon, 26 Jan 2015, Polytropon wrote:
>
>> On Mon, 26 Jan 2015 16:45:16 +0100, Luciano Mannucci wrote:
>>> I have a freebsd machine (FreeBSD troika 10.1-RELEASE FreeBSD 10.1-RELEASE
>>> #0
>>> r274401) with openvpn that works like a charm :-)...
>>> I wish to nat one and only one of my openvpn clients, possibly for a
>>> single destination. What's the better way to avoid disturbing the rest
>>> of the operations?
>>> Any clues?
>>> Is IPFW my friend?
>>
>> Yes, that should work. In /etc/rc.conf, set
>>
>> natd_enable="YES"
>> natd_interface="xl0"
>>
>> where "xl0" is the "outer" interface.
>>
>> In your custom /etc/ipfw.conf, add the rule
>>
>> add divert natd ip from any to any via xl0
>>
>> and refine the "from any to any" part to reflect the
>> IP addresses (and maybe specific ports) for the connection
>> you want to translate, so the rule will only allow for
>> that _one_ destination you want to enable.
>>
>>
>> --
>> Polytropon
>> Magdeburg, Germany
>> Happy FreeBSD user since 4.0
>> Andra moi ennepe, Mousa, ...
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe@freebsd.org"
>>
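As an added example, not code from either poster or from FreeBSD itself: a dry-run shell script for step 3, option B (IPFW with kernel NAT) of the quoted message. It emits the rules with one interface name used consistently in both the nat config and the rules, with explicit rule numbers, and with the forwarding sysctl and ipfw_nat module load mentioned above. The WAN interface bge0, tunnel interface tun0, client subnet 10.8.0.0/24 and rule numbers are assumptions for the example; by default it only prints the commands.

```shell
#!/bin/sh
# Added example (not the posters' configuration): ipfw kernel NAT for OpenVPN
# clients on FreeBSD. Assumed values: WAN interface bge0, OpenVPN tunnel tun0,
# VPN client subnet 10.8.0.0/24, nat instance 1, rule numbers 100-130.
WAN_IF=${WAN_IF:-bge0}
TUN_IF=${TUN_IF:-tun0}
VPN_NET=${VPN_NET:-10.8.0.0/24}
NAT_ID=${NAT_ID:-1}
# RUN defaults to "echo" so the script only prints what it would do (dry run).
# Run it as root on the server with RUN= (empty) to execute the commands.
RUN=${RUN-echo}

prereqs() {
    # Both were needed on the poster's box before ipfw nat rules would load.
    printf 'kldload ipfw_nat\n'
    printf 'sysctl net.inet.ip.forwarding=1\n'
}

nat_rules() {
    # One interface name everywhere: the nat instance takes its external
    # address from "config if", and the rules must reference the same interface.
    printf 'ipfw nat %s config if %s same_ports\n' "$NAT_ID" "$WAN_IF"
    # Explicit rule numbers so NAT is evaluated before any rule that would
    # accept or deny this traffic; rules added without a number land at the end.
    # Inbound on the WAN side: replies are de-translated back to the VPN client.
    printf 'ipfw add 100 nat %s ip4 from any to any in via %s\n' "$NAT_ID" "$WAN_IF"
    # Outbound on the WAN side: only packets sourced from the VPN subnet are
    # translated, so nothing else on the box is affected.
    printf 'ipfw add 110 nat %s ip4 from %s to any out via %s\n' "$NAT_ID" "$VPN_NET" "$WAN_IF"
    # With the default net.inet.ip.fw.one_pass=1 a packet is accepted as it
    # leaves the nat instance; the tunnel side still needs passing rules if the
    # rest of the ruleset is default-deny.
    printf 'ipfw add 120 allow ip4 from %s to any in via %s\n' "$VPN_NET" "$TUN_IF"
    printf 'ipfw add 130 allow ip4 from any to %s out via %s\n' "$VPN_NET" "$TUN_IF"
}

apply() {
    # Feed each generated command through $RUN (echo for dry run, empty to execute).
    { prereqs; nat_rules; } | while IFS= read -r cmd; do
        # shellcheck disable=SC2086
        $RUN $cmd
    done
}

apply
```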