Date: Sun, 10 Nov 2019 23:27:14 +0100
From: Morgan Wesström <freebsd-database@pp.dyndns.biz>
To: freebsd-pf@freebsd.org
Subject: Re: Fwd: NAT for use with OpenVPN
Message-ID: <ba536474-57b4-37b0-d076-a1c4561d181e@pp.dyndns.biz>
In-Reply-To: <CAMnCm8jZH8ZULq8CKeZF_t4eBEBH5QAsaPKBtxK0WCWGe_OXDA@mail.gmail.com>
References: <mailman.6.1573387200.62111.freebsd-pf@freebsd.org> <CAMnCm8gO+dZwEKdM3iKwrNoxNDZmFZ8EUo=Mrh0+OQ+SE_SO8w@mail.gmail.com> <1cebcd5e-d9ed-53db-2d01-c8794933d1c4@pp.dyndns.biz> <80ec074d-7a5d-7016-57e4-f607384d0e20@pp.dyndns.biz> <CAMnCm8iz7DcgTM_tPR5ZGZQwPXXcahVbyqw0Wzufkr93xVszpg@mail.gmail.com> <CAMnCm8jZH8ZULq8CKeZF_t4eBEBH5QAsaPKBtxK0WCWGe_OXDA@mail.gmail.com>
> Do packets with 10.8.0.x addresses ever actually make it on the wire
> between the router and the OpenVPN server? I was under the impression that
> the encrypted packets created a tunnel at which the IP address is only
> known at the endpoints, which means the OpenVPN client and server
> processes, and nothing in between has any access to anything that is going
> on within the tunnel. If this is the case, I wouldn't think the router
> needs to know how to deal with 10.8.0.x packets.
>
> Furthermore, this pretty much HAS to be the case. The 10.8.0.x addresses
> can't be routed across the internet, so the only way they could exist on my
> private network would be as a result of NATing on the part of the router,
> and I'm pretty sure this isn't happening.
>
> But then this re-opens the question of how the connection happens between
> the server end of the tunnel (10.8.0.1) and the public interface at
> 192.168.1.200. It would seem that there needs to be some routing
> information within OpenVPN that makes that connection.
>
> Am I way off here?
>
> Phil

Look at it this way. The VPN software has the same effect as if the client was located in your house and directly connected with a cable to your 10.8.0.0/24 subnet. Any configuration to support this must be done on the FreeBSD machine as well as your router. The router will definitely see the 10.8.0.0/24 addresses on its LAN interface but, as you note, these addresses will never show up on the external interface. Your NAT will exchange these addresses on the fly, and any traffic between the OpenVPN endpoints will be encrypted and encapsulated in another IP packet where only the external public IP addresses are shown.

At this point I started to write a detailed description of how a packet is transferred from your client over the VPN tunnel and then onto the Internet and to its destination, but it got overly complicated and probably won't help you at this point. :)

Let's instead start to get some more info from your network. When your client is connected, can you please provide the output of the following commands on both the client and the FreeBSD machine?

  # ifconfig -a
  # netstat -rn

I need to see how the IP stack is configured on each machine and how the routing tables look.

/Morgan
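As an added illustration (not part of the thread and not Morgan's or Phil's configuration), this is what the two-sided setup Morgan describes typically looks like in pf terms on the FreeBSD OpenVPN server at 192.168.1.200: forwarding enabled, the tunnel subnet allowed through, and the router either given a route back to 10.8.0.0/24 or kept out of the picture by translating the VPN clients on the server. The interface names em0 and tun0, the router address 192.168.1.1 and the OpenVPN port 1194 (its default) are assumptions.

```pf
# /etc/pf.conf on the OpenVPN server (192.168.1.200)
# Prerequisite in /etc/rc.conf:  gateway_enable="YES"  pf_enable="YES"
# (forwarding off is the usual reason packets vanish inside the server)

lan_if  = "em0"          # LAN-facing interface, name assumed
vpn_if  = "tun0"         # OpenVPN tunnel interface, name assumed
vpn_net = "10.8.0.0/24"  # tunnel subnet from the thread

set skip on lo0

# Option A, what Morgan describes: no NAT here. The router sees 10.8.0.x
# sources on its LAN side and needs a static route back to this host,
# e.g. on a FreeBSD router (router address assumed):
#   route add -net 10.8.0.0/24 192.168.1.200
# The router then NATs 10.8.0.x towards the Internet like any LAN host.

# Option B, keeps the router untouched: translate VPN clients to this
# host's LAN address so 10.8.0.x never appears on the LAN at all.
# Enable by removing the leading '#' and drop the router route instead.
# nat on $lan_if from $vpn_net to any -> ($lan_if)

# Let OpenVPN itself be reached from the LAN (port 1194 is the default)
pass in quick on $lan_if proto udp to ($lan_if) port 1194 keep state

# Traffic arriving from VPN clients over the tunnel
pass in quick on $vpn_if from $vpn_net to any keep state

# Forwarded traffic leaving towards the router (NAT, if enabled, has
# already been applied to the source address at this point)
pass out quick on $lan_if keep state

# Sanity checks after loading:
#   pfctl -nf /etc/pf.conf        syntax check without loading
#   pfctl -s nat ; pfctl -s rules  confirm what is active
#   sysctl net.inet.ip.forwarding  must be 1
# From the client, `traceroute 8.8.8.8` (address as an example) should show
# 10.8.0.1 first, then the router; if it stops at 10.8.0.1, forwarding or
# the return route on the router is the usual culprit.
```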