freebsd-pf Digest, Vol 689, Issue 3

Phil Staub phil at staub.us
Sun Nov 10 13:43:19 UTC 2019


> Ah, you have a standalone SOHO router. That changes things drastically. :)

Exactly!


> I assume the computers on your LAN (including FreeBSD) have private IP
> addresses (192.168.x.x)? In that case your Netgear router is doing the
> NAT for you and you don't need to worry about that part.
>
>
Yes. I know it's lazy, but I left the local subnet as the router default of
192.168.1.0/24. All of my local hosts are on that subnet.

I'm PARTIALLY in agreement here. The OpenVPN clients are being assigned
10.8.0.x addresses. Somehow, those addresses need to be translated into the
OpenVPN server's address to provide their access to the internet.

> - You need to forward port 1194/udp (or whatever you chose for OpenVPN)
> in your Netgear router so it points to the IP address of your FreeBSD
> machine. Consult the router's manual how to do port forwarding.
>
>
This is done and appears to be working fine, because the OpenVPN log
registers 10.8.0.x connections when they come in.

> - The firewall in the Netgear router also needs to allow incoming
> connections on this port. It's probably setup along with the port
> forwarding but once again you need to consult the Netgear manual.
>

The firewall isn't configurable on this router. But as I mentioned above,
it obviously takes the configured forwarded port as an indication that it
needs to allow that connection through to the local net.


> - You can disable pf on your FreeBSD machine unless you absolutely want
> an extra firewall to protect it. I strongly suggest you disable it at
> this point though until you have the OpenVPN server running. It's
> protected behind your Netgear router


I don't care about the firewalling capabilities of PF in this case. I only
use it to establish the connection between the 10.8.0.0/24 and
192.168.1.0/24 subnets. I fully accept the possibility that I have a
misconception about what is necessary here, but without doing SOMETHING,
the 10.8.0.x connections make it to OpenVPN and go no further.

>
> So to sum up:
>
> - Configure firewall and port forwarding in your Netgear router.
>
>
Done


> - Configure the OpenVPN server on FreeBSD.
>
>
At least partially done.

> One caveat to look out for:
>
> I'm not familiar with your Arris modem. Make sure it doesn't do routing
> and NAT too so you have two layers of NAT since that would complicate
> things. Make sure your modem is in bridge mode and that your Netgear
> router has a public IP address on the interface connected to the modem.
>
>
The modem doesn't do NAT. The WAN side of the router has a public ip, and
there is nothing else on the connection between the modem and the router.


> Regards
> Morgan
>
>
> Phil, I forgot...
>
> OpenVPN needs its own subnet in the config file. Make sure you don't use
> the same subnet as your LAN uses because that would confuse the routing
> and could result in the behaviour you describe in your initial post.
> Data would reach the server but return packets wouldn't find their way
> back onto the Internet.
>
>
This may be the crux of the matter. I'm not sure I know how I would set
this up.


> I would need to see your OpenVPN config and details about the subnets
> you use to spot any errors.
>

Here is my OpenVPN config:

local 192.168.1.200
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
dh /usr/local/etc/openvpn/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
client-config-dir /usr/local/etc/openvpn/ccd
route 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 4
explicit-exit-notify 1


> /Morgan
>
>
Thanks, Morgan!
Phil
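The piece Phil describes as missing, translating the 10.8.0.x client
addresses to the server's LAN address so the Netgear can route replies, is a
single pf NAT rule plus IP forwarding. The following is an added example
pf.conf, not anything posted in this thread; it assumes the FreeBSD box's LAN
NIC (holding 192.168.1.200) is named em0 and OpenVPN's tunnel device is tun0.

```conf
# /etc/pf.conf, example only. Interface names em0 and tun0 are assumptions.
lan_if  = "em0"
vpn_if  = "tun0"
vpn_net = "10.8.0.0/24"

set skip on lo0

# Rewrite the source of VPN client packets to the box's own LAN address.
# The Netgear only knows 192.168.1.0/24, so without this it has no route
# back to 10.8.0.x and the return traffic is dropped.
nat on $lan_if from $vpn_net to any -> ($lan_if)

# No block rules: pf's default is to pass when nothing matches, so these
# lines only document the flows that have to work. State is kept by default.
pass in quick on $lan_if proto udp to ($lan_if) port 1194
pass in quick on $vpn_if from $vpn_net
pass out quick on $lan_if

# NAT alone is not enough: forwarding must be on, or packets arriving on
# tun0 are never routed out of em0 at all.
#   sysrc gateway_enable=YES pf_enable=YES openvpn_enable=YES
#   sysctl net.inet.ip.forwarding=1
# Syntax-check, load, then confirm translations are actually happening
# while a client is connected:
#   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
#   pfctl -s nat
#   pfctl -s state | grep 10.8.0
```

If `pfctl -s state` shows 10.8.0.x entries on tun0 but none rewritten to 192.168.1.200 on em0, the nat rule is not matching, which usually means the interface name in the rule is wrong.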

