OpenVPN Client Nat question?

Fire walls fayerwall at gmail.com
Wed Jun 24 21:23:56 UTC 2009


On Wed, Jun 24, 2009 at 12:47 PM, Torsten Kersandt
<torsten at cnc-london.net> wrote:

> > -----Original Message-----
> > From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-pf at freebsd.org] On Behalf Of Fire walls
> > Sent: 24 June 2009 16:53
> > To: freebsd-pf at freebsd.org
> > Subject: OpenVPN Client Nat question?
> >
> >  Hi people.
> >
> >  Working with pf, every day I'm understanding more pf.
> >
> >   I have OpenVPN at work running on Gentoo. I added OpenVPN to my home FW
> > with FreeBSD 7.2; I set up everything and it is working, and I can reach my
> > work network.
> >
> >   I read some sites on the Internet about this setup and they say something
> > about NATing the OpenVPN network, but they don't explain whether this must be
> > done just on the server side or on both sides, I mean server + client.
> >
> >   In my case I'm a client; do I have to NAT my VPN network?
> >
> > nat on $ext_if from $vpn_network to any -> ($ext_if)
> >
> >   Or do I just need to play with the pass/block rules?
> >
> >  Thanks all for your time!!!
> >
> > --
> > :-)
> > _______________________________________________
> > freebsd-pf at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
> >
> > This is what I have got on my boxes
> > Openvpn.conf:
> > server 10.12.215.0 255.255.255.0
> > ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt
> >
> > # Certificates for VPN Authentication
> > ca /usr/local/etc/openvpn/keys/soundnet/ca.crt
> > cert /usr/local/etc/openvpn/keys/soundnet/ca.crt
> > key /usr/local/etc/openvpn/keys/soundnet/ca.key
> > dh /usr/local/etc/openvpn/keys/soundnet/dh1024.pem
> >
> > # Routes to push to the client
> > push "route 192.168.100.0 255.255.255.0"
> > push "dhcp-option WINS 192.168.100.12"
> > push "dhcp-option DNS 192.168.100.12"
> > push "dhcp-option DNS 192.168.100.12"
> > push "dhcp-option DOMAIN home"
> >
> > pf.conf
> >       vpn_if="tun0"
> >       vpn_network="10.12.215.0/24"
> >
> >       nat on $ext_if from $vpn_network to any -> ($ext_if)
> >       nat on $int_if from $vpn_network to $int_net -> ($int_if)
> >
> >       pass in quick on $vpn_if
> >       pass out quick
> >
> > regards
> > Torsten
> >
> >
> >
>  Hi Torsten.
>
>  Hey but this config is for the server side right?
>
>  My question is whether I have to NAT on the client side too?
>
>  Thanks for your quick answer!!!
>
>
> --
> :-)
>
> The client side only needs to know which route to take to which network.
> In this case my internal network is 192.168.100.0/24 and fully accessible
> by all OpenVPN connections.
>
> If you want your computer to fully become part of the other site's network
> (bidirectional and fully accessible, as in a common Micros..t Network),
> you may have to go down the bridging way, meaning tun0<-->ext_if. I have never
> done that and can't help with it.
> But from as much as I have been reading about it, it is not an impossible thing to do.
>
> Regards T
>
>
>
>

  Thanks Torsten.

   You have already answered my question; I appreciate your help and
time.

   See you later, thanks again!!!

-- 
:-)
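
The client-side case discussed in this thread, written out as a pf.conf fragment. This is an added example, not configuration posted by either participant. `ext_if`, `int_if`, `home_net`, `vpn_srv` and UDP port 1194 are assumptions; `tun0` and 192.168.100.0/24 come from the thread.

```conf
# Client-side pf.conf fragment (added example, assumes a default-deny
# ruleset elsewhere; values marked "assumed" are not from the thread).
ext_if   = "em0"               # assumed: Internet-facing NIC of the home firewall
int_if   = "em1"               # assumed: home LAN NIC
vpn_if   = "tun0"              # from the thread
work_net = "192.168.100.0/24"  # network the server pushes a route for
home_net = "192.168.1.0/24"    # assumed: home LAN behind this firewall
vpn_srv  = "203.0.113.10"      # placeholder address for the work OpenVPN server

# Case 1: only the firewall itself uses the tunnel.
# No nat rule is needed. Its packets leave tun0 with the tunnel address the
# server assigned, and the pushed route sends $work_net traffic via tun0.

# Case 2: hosts on the home LAN should reach $work_net as well.
# The work side has no route back to $home_net, so replies would be lost.
# Either add route/iroute entries for $home_net on the OpenVPN server, or
# hide the LAN behind the tunnel address with this rule:
nat on $vpn_if from $home_net to $work_net -> ($vpn_if)

# Ordinary Internet NAT for the LAN, independent of the VPN.
nat on $ext_if from $home_net to any -> ($ext_if)

# Let the OpenVPN client reach its server
# (UDP 1194 is OpenVPN's default port; assumed here).
pass out quick on $ext_if proto udp from ($ext_if) to $vpn_srv port 1194 keep state

# Allow LAN hosts and the firewall to open connections towards the work
# network only, instead of a blanket "pass quick" on the tunnel interface.
pass in  quick on $int_if from $home_net to $work_net keep state
pass out quick on $vpn_if from any to $work_net keep state

# No "pass in on $vpn_if" rule: hosts on the work side cannot initiate
# connections into the home network; only stateful replies come back.
```

Check a candidate ruleset with `pfctl -nf /etc/pf.conf` before loading it; `-n` parses the file without applying it.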

