NAT for use with OpenVPN
Morgan Wesström
freebsd-database at pp.dyndns.biz
Sun Nov 10 15:34:00 UTC 2019
> One additional thing. If you by any chance want to communicate with any
> of the other machines on your LAN from the VPN clients (not just
> Internet access), you need to add a static route for 10.8.0.0/24
> pointing to 192.168.1.200 IN YOUR NETGEAR ROUTER or they won't know
> where to send their replies. Preferably you'd add such a route to each
> of your LAN machines but it's not strictly necessary since they will
> send any 10.8.0.0/24 packets to your router, which then will route them
> back properly to your FreeBSD machine. This shouldn't be needed for the
> basic OpenVPN communication though, since as far as your router is
> concerned, this only involves pushing UDP packets to 192.168.1.200 and
> it already knows how to reach that IP.
>
I need to correct myself here. You absolutely MUST have a static route
for 10.8.0.0/24 defined in your Netgear router or Internet traffic won't
work from your VPN clients. The reason is that when FreeBSD routes these
packets from the OpenVPN subnet onto your LAN subnet and onto the
Netgear router, the source address of those packets will still have
10.8.0.x in them and the router needs to know where this subnet is to be
able to return packets there. This would be much simpler if your FreeBSD
machine were working as your router instead of that Netgear router. :)
Another unknown is how the NAT in your Netgear router will respond to
source packets coming from a subnet other than its own. Hopefully it
will behave properly.
/Morgan
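The static route described above is what the Netgear needs because FreeBSD forwards the packets with their 10.8.0.x source address unchanged. The pf.conf fragment below is an added example (not from this thread) showing the other option the list's subject refers to: translating the VPN sources on the FreeBSD box itself, so the router only ever sees 192.168.1.200, which it already knows how to reach. It assumes em0 is the FreeBSD LAN interface holding 192.168.1.200, tun0 is the OpenVPN interface, and 10.8.0.0/24 is the client subnet; interface names are assumptions.

```pf
# /etc/pf.conf fragment (added example, not from the thread).
# Assumed names: em0 = FreeBSD LAN interface (192.168.1.200),
# tun0 = OpenVPN interface, 10.8.0.0/24 = OpenVPN client subnet.
# Forwarding must be on: sysctl net.inet.ip.forwarding=1
lan_if  = "em0"
vpn_if  = "tun0"
vpn_net = "10.8.0.0/24"

# Rewrite VPN client sources to the LAN address before the packet leaves
# em0. The Netgear (and every LAN host) then sees 192.168.1.200 instead
# of 10.8.0.x, so replies come back without any static route. Without
# this rule, FreeBSD forwards packets with the 10.8.0.x source intact and
# the router needs the 10.8.0.0/24 -> 192.168.1.200 route to answer.
nat on $lan_if from $vpn_net to any -> ($lan_if)

# Accept client traffic arriving from the tunnel and let the translated
# packets out on the LAN side. Translation happens before filtering on
# the outbound interface, so the outbound rule matches on the interface,
# not on the VPN source address.
pass in  quick on $vpn_if from $vpn_net to any keep state
pass out quick on $lan_if keep state
```

Load with `pfctl -f /etc/pf.conf` and confirm with `pfctl -s nat`. The trade-off is that LAN machines can no longer initiate connections to a client's 10.8.0.x address, since that subnet is now hidden behind 192.168.1.200; if you need that, keep the static route instead.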