NAT for use with OpenVPN

Morgan Wesström freebsd-database at pp.dyndns.biz
Sun Nov 10 15:34:00 UTC 2019


> One additional thing. If you by any chance want to communicate with any 
> of the other machines on your LAN from the VPN clients (not just 
> Internet access), you need to add a static route for 10.8.0.0/24 
> pointing to 192.168.1.200 IN YOUR NETGEAR ROUTER or they won't know 
> where to send their replies. Preferably you'd add such a route to each 
> of your LAN machines but it's not strictly necessary since they will 
> send any 10.8.0.0/24 packets to your router which then will route it 
> back properly to your FreeBSD machine. This shouldn't be needed for the 
> basic OpenVPN communication though since as far as your router is 
> concerned, this only involves pushing UDP packets to 192.168.1.200 and 
> it already knows how to reach that IP.
> 

I need to correct myself here. You absolutely MUST have a static route 
for 10.8.0.0/24 defined in your Netgear router or Internet traffic won't 
work from your VPN clients. The reason is that when FreeBSD routes these 
packets from the OpenVPN subnet onto your LAN subnet and onto the 
Netgear router, the source address of those packets will still have 
10.8.0.x in them and the router needs to know where this subnet is to be 
able to return packets there. This would be much simpler if your FreeBSD 
machine were working as your router instead of that Netgear router. :)

Another unknown is how the NAT in your Netgear router will respond to 
source packets coming from a subnet other than its own. Hopefully it 
will behave properly.

/Morgan
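Added example, not part of Morgan's post: a small Python model of the Netgear router's route lookup (longest-prefix match), showing that a de-NATed reply to a VPN client falls through to the default route unless the 10.8.0.0/24 static route via 192.168.1.200 is present. The ISP gateway 203.0.113.1, the interface names and the client address 10.8.0.6 are constructed values.

```python
import ipaddress

# Constructed model of the Netgear router's table from the thread:
# LAN 192.168.1.0/24 directly connected, everything else via the ISP on WAN.
# 192.168.1.200 is the FreeBSD/OpenVPN host; 10.8.0.0/24 is the OpenVPN subnet.
LAN_ROUTER_TABLE = [
    (ipaddress.ip_network("192.168.1.0/24"), None, "lan"),      # directly connected
    (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "wan"),  # constructed ISP gateway
]

# The static route the post says MUST be added to the Netgear router.
STATIC_VPN_ROUTE = (ipaddress.ip_network("10.8.0.0/24"), "192.168.1.200", "lan")


def lookup(table, dst):
    """Longest-prefix match: return (next_hop, interface) for dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    net, gw, iface = best
    # Directly connected network: deliver to the host itself; otherwise to the gateway.
    return (str(dst) if gw is None else gw, iface)


def reply_path(table, vpn_client="10.8.0.6"):
    """Where the router forwards a reply whose destination is still 10.8.0.x."""
    return lookup(table, vpn_client)


if __name__ == "__main__":
    # Plain OpenVPN traffic only needs the LAN route: the router already reaches .200.
    print("OpenVPN UDP to host:", lookup(LAN_ROUTER_TABLE, "192.168.1.200"))
    # Without the static route the reply leaks back out the WAN and never reaches the client.
    print("reply, no static route:", reply_path(LAN_ROUTER_TABLE))
    # With the static route the reply is handed to the FreeBSD box, which owns the tunnel.
    print("reply, with static route:", reply_path(LAN_ROUTER_TABLE + [STATIC_VPN_ROUTE]))
```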
