Fwd: NAT for use with OpenVPN

Morgan Wesström freebsd-database at pp.dyndns.biz
Sun Nov 10 22:27:28 UTC 2019


> Do packets with 10.8.0.x addresses ever actually make it on the wire
> between the router and the OpenVPN server? I was under the impression that
> the encrypted packets created a tunnel at which the IP address is only
> known at the endpoints, which means the OpenVPN client and server
> processes, and nothing in between has any access to anything that is going
> on within the tunnel. If this is the case, I wouldn't think the router
> needs to know how to deal with 10.8.0.x packets.
> 
> Furthermore, this pretty much HAS to be the case. The 10.8.0.x addresses
> can't be routed across the internet, so the only way they could exist on my
> private network would be as a result of NATing on the part of the router,
> and I'm pretty sure this isn't happening.
> 
> But then this re-opens the question of how the connection happens between
> the server end of the tunnel (10.8.0.1) and the public interface at
> 192.168.1.200. It would seem that there needs to be some routing
> information within OpenVPN that makes that connection.
> 
> Am I way off here?
> 
> Phil

Look at it this way. The VPN software has the same effect as if the 
client was located in your house and directly connected with a cable to 
your 10.8.0.0/24 subnet. Any configuration to support this must be done 
on the FreeBSD machine as well as your router. The router will 
definitely see the 10.8.0.0/24 addresses on its LAN interface but as you 
note, these addresses will never show up on the external interface. Your 
NAT will exchange these addresses on the fly and any traffic between the 
OpenVPN endpoints will be encrypted and encapsulated in another IP 
packet where only the external public IP addresses are shown.

At this point I started to write a detailed description of how a packet 
is transferred from your client over the VPN tunnel and then onto the 
Internet and to its destination but it got overly complicated and 
probably won't help you at this point. :) Let's instead start to get 
some more info from your network. When your client is connected, can you 
please provide the output of the following commands on both the client 
and the FreeBSD machine?

# ifconfig -a

# netstat -rn

I need to see how the IP stack is configured on each machine and how the 
routing tables look.

/Morgan
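As an added illustration (not part of the thread), a small Python script that parses FreeBSD `netstat -rn` output and answers the question Morgan is getting at: which interface carries traffic to a 10.8.0.x client, and which gateway and interface carry everything else outward. The routing table is constructed; 192.168.1.200 and 10.8.0.1 come from the thread, while the interface names em0/tun0 and the LAN gateway 192.168.1.1 are assumptions.

```python
import ipaddress

# Constructed sample of FreeBSD `netstat -rn` output on the OpenVPN server
# (LAN 192.168.1.200, tunnel 10.8.0.1; em0/tun0 and 192.168.1.1 assumed).
SAMPLE_NETSTAT = """\
Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         em0
10.8.0.0/24        10.8.0.2           UGS        tun0
10.8.0.1           link#3             UHS         lo0
10.8.0.2           link#3             UH         tun0
192.168.1.0/24     link#1             U           em0
192.168.1.200      link#1             UHS         lo0

Internet6:
::/96              ::1                UGRS        lo0
"""

def parse_routes(text):
    """Return the IPv4 routes as (network, gateway, netif) tuples."""
    routes, in_v4 = [], False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_v4 = True
            continue
        if in_v4 and not line.strip():
            break                      # blank line closes the IPv4 section
        if not in_v4 or line.startswith("Destination"):
            continue
        dest, gateway, _flags, netif = line.split()[:4]
        if dest == "default":
            dest = "0.0.0.0/0"
        # plain host entries (no prefix length) become /32 networks
        routes.append((ipaddress.ip_network(dest, strict=False), gateway, netif))
    return routes

def lookup(routes, ip):
    """Longest-prefix match: the route the kernel would select for `ip`."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def vpn_path(text, client_ip="10.8.0.6", probe_ip="203.0.113.9"):
    """Interface towards a VPN client, plus the gateway/interface that
    carries the encapsulated tunnel traffic and forwarded packets outward."""
    routes = parse_routes(text)
    to_client, to_inet = lookup(routes, client_ip), lookup(routes, probe_ip)
    return {"client_netif": to_client[2] if to_client else None,
            "default_gateway": to_inet[1] if to_inet else None,
            "default_netif": to_inet[2] if to_inet else None}
```

The parser assumes the FreeBSD table layout; a client on another OS prints a different format and would need its own parser.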

