Date:      Mon, 11 Nov 2019 23:14:54 +0100
From:      Morgan Wesström <freebsd-database@pp.dyndns.biz>
To:        freebsd-pf@freebsd.org
Subject:   Re: Fwd: NAT for use with OpenVPN
Message-ID:  <30f8da8a-de96-f737-fef8-820c6ae2ed16@pp.dyndns.biz>
In-Reply-To: <6bc9b8ce-3ab3-2b57-510d-67ace0a90259@pp.dyndns.biz>
References:  <mailman.6.1573387200.62111.freebsd-pf@freebsd.org> <CAMnCm8gO+dZwEKdM3iKwrNoxNDZmFZ8EUo=Mrh0+OQ+SE_SO8w@mail.gmail.com> <1cebcd5e-d9ed-53db-2d01-c8794933d1c4@pp.dyndns.biz> <80ec074d-7a5d-7016-57e4-f607384d0e20@pp.dyndns.biz> <CAMnCm8iz7DcgTM_tPR5ZGZQwPXXcahVbyqw0Wzufkr93xVszpg@mail.gmail.com> <CAMnCm8jZH8ZULq8CKeZF_t4eBEBH5QAsaPKBtxK0WCWGe_OXDA@mail.gmail.com> <ba536474-57b4-37b0-d076-a1c4561d181e@pp.dyndns.biz> <CAP9XWJm2gAC0VjTejP08X0T8ar_ZS1e7PqjAy8iOMRhfBU_3mA@mail.gmail.com> <6bc9b8ce-3ab3-2b57-510d-67ace0a90259@pp.dyndns.biz>

Phil,

I did some more testing in my own environment and you should be able to 
ping the following addresses from your connected client. It probably 
breaks down at some point and you need to tell me where:

10.8.0.6 (or whatever ip your vpn client receives)
10.8.0.1 (server endpoint of vpn tunnel)
192.168.1.200 (your FreeBSD LAN address)
192.168.1.1 (LAN side of your router)

Next ping test would be an address on the Internet like google.dns 
(8.8.8.8).

Looking at the Netgear support forums, some people claim Netgear routers 
only do NAT for the subnet on their LAN interface while others claim they 
do NAT for any subnet. I checked the manual for your router but it 
doesn't explicitly say anything on this matter so this is still an unknown.

We didn't discuss the client side config. I will show you mine below 
with the server address obfuscated. You need to replace it with your 
router WAN ip.

client
dev tun
proto udp
remote ***.***.***.*** 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
verb 4

netstat -rn and ifconfig -a (ipconfig /all on Windows) from the 
connected client would be useful to further track down the problem if 
you can't resolve it.

P.S. You have a .201 alias on the FreeBSD machine. It shouldn't 
interfere but I just wanted to make sure you were aware of it and had a 
reason for it.

/Morgan
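Since whether the Netgear translates 10.8.0.0/24 is still an unknown, one way to remove that dependency is to source-NAT the VPN clients on the FreeBSD server itself, so the router only ever sees 192.168.1.200. The pf.conf fragment below is an added example for this thread, not the poster's or the OpenVPN project's configuration; the interface names em0 and tun0 are assumptions, the addresses come from the thread.

```pf
# Added example, not the poster's configuration.
# Assumes: em0 is the FreeBSD box's LAN interface (192.168.1.200), tun0 is
# the OpenVPN server's tunnel interface, and clients receive 10.8.0.0/24.
# Adjust both interface names to match "ifconfig -a" on the server.
lan_if  = "em0"
vpn_if  = "tun0"
vpn_net = "10.8.0.0/24"

# Source NAT: rewrite VPN client addresses to em0's own address before the
# packets leave toward the Netgear. The router then sees only 192.168.1.200,
# so neither its willingness to NAT a foreign subnet nor a static route back
# to 10.8.0.0/24 is required for replies to come back.
nat on $lan_if from $vpn_net to any -> ($lan_if)

# Filter rules (translation rules must come before these in pf.conf).
# pf applies NAT before filtering, so the outbound rule on em0 already sees
# the translated source address.
pass in  quick on $vpn_if from $vpn_net to any keep state
pass out quick on $lan_if keep state

# Forwarding must also be enabled on the server:
#   sysctl net.inet.ip.forwarding=1
# Syntax-check the file, then watch the translation happen while a client
# pings 8.8.8.8:
#   pfctl -nf /etc/pf.conf
#   pfctl -s nat
#   pfctl -s state | grep 10.8.0
```

Merge these lines into the existing ruleset rather than replacing it; the two pass rules are deliberately minimal and only cover the tunnel and the LAN side.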


