Fwd: NAT for use with OpenVPN

Phil Staub phil at staub.us
Sun Nov 10 23:51:38 UTC 2019


On Sun, Nov 10, 2019 at 5:27 PM Morgan Wesström <freebsd-database at pp.dyndns.biz> wrote:

> > Do packets with 10.8.0.x addresses ever actually make it on the wire
> > between the router and the OpenVPN server? I was under the impression that
> > the encrypted packets created a tunnel at which the IP address is only
> > known at the endpoints, which means the OpenVPN client and server
> > processes, and nothing in between has any access to anything that is going
> > on within the tunnel. If this is the case, I wouldn't think the router
> > needs to know how to deal with 10.8.0.x packets.
> >
> > Furthermore, this pretty much HAS to be the case. The 10.8.0.x addresses
> > can't be routed across the internet, so the only way they could exist on my
> > private network would be as a result of NATing on the part of the router,
> > and I'm pretty sure this isn't happening.
> >
> > But then this re-opens the question of how the connection happens between
> > the server end of the tunnel (10.8.0.1) and the public interface at
> > 192.168.1.200. It would seem that there needs to be some routing
> > information within OpenVPN that makes that connection.
> >
> > Am I way off here?
> >
> > Phil
>
> Look at it this way. The VPN software has the same effect as if the
> client was located in your house and directly connected with a cable to
> your 10.8.0.0/24 subnet. Any configuration to support this must be done
> on the FreeBSD machine as well as your router. The router will
> definitely see the 10.8.0.0/24 addresses on its LAN interface but as you
> note, these addresses will never show up on the external interface. Your
> NAT will exchange these addresses on the fly and any traffic between the
> OpenVPN endpoints will be encrypted and encapsulated in another ip
> packet where only the external public ip addresses are shown.
>
> At this point I started to write a detailed description of how a packet
> is transferred from your client over the VPN tunnel and then onto the
> Internet and to its destination but it got overly complicated and
> probably won't help you at this point. :) Let's instead start to get
> some more info from your network. When your client is connected, can you
> please provide the output of the following commands on both the client
> and the FreeBSD machine?
>
> # ifconfig -a
>
> # netstat -rn
>
> I need to see how the ip stack is configured on each machine and how the
> routing tables look.
>
>
OK. Here it comes:

root at threepio:/usr/local/etc/openvpn # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         em0
10.8.0.0/24        10.8.0.2           UGS        tun0
10.8.0.1           link#4             UHS         lo0
10.8.0.2           link#4             UH         tun0
127.0.0.1          lo0                UHS         lo0
192.168.1.0/24     link#1             U           em0
192.168.1.200      link#1             UHS         lo0
192.168.1.201      link#1             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               lo0                           UHS         lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#2                        U           lo0
fe80::1%lo0                       link#2                        UHS         lo0
fe80::%tun0/64                    link#4                        U          tun0
fe80::6a05:caff:fe3b:a7c7%tun0    link#4                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0
root at threepio:/usr/local/etc/openvpn # ifconfig -a
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=81249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER>
        ether 68:05:ca:3b:a7:c7
        inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.201 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::6a05:caff:fe3b:a7c7%tun0 prefixlen 64 scopeid 0x4
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
        groups: tun
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 15992

_______________________________________________

> freebsd-pf at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>


-- 
Phil Staub
phil at staub.us
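The posted routing table already shows the two halves Morgan describes: the default route leaves via em0 (192.168.1.1 is the LAN router) and 10.8.0.0/24 is reachable only through tun0. For a tunnel client's packets to get past the FreeBSD box, the box must forward them and then either hide them behind its own LAN address with a pf `nat` rule or leave them untranslated and have the router carry a static route for 10.8.0.0/24 pointing at 192.168.1.200. The script below is an added example, not code from the thread or from OpenVPN or pf: it parses `netstat -rn` and `ifconfig -a` output of the shape posted above (the embedded samples are constructed copies of that output), finds the tun subnet and the outbound interface, and prints the pf rule and the router route for both options. The `plan`, `parse_ipv4_routes` and `first_inet` names are the example's own; it does not run `pfctl` or change any configuration.

```python
"""Added example (not from the thread): derive the pf NAT rule or router
static route an OpenVPN tun subnet needs, from `netstat -rn` and `ifconfig -a`
output of a FreeBSD OpenVPN server."""
import re

# Constructed sample: the IPv4 routes from the `netstat -rn` output posted above.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         em0
10.8.0.0/24        10.8.0.2           UGS        tun0
10.8.0.1           link#4             UHS         lo0
10.8.0.2           link#4             UH         tun0
127.0.0.1          lo0                UHS         lo0
192.168.1.0/24     link#1             U           em0
192.168.1.200      link#1             UHS         lo0
192.168.1.201      link#1             UHS         lo0

Internet6:
::/96                             ::1                           UGRS        lo0
"""

# Constructed sample: the em0 and tun0 stanzas from the `ifconfig -a` output posted above.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 68:05:ca:3b:a7:c7
        inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.201 netmask 0xffffff00 broadcast 192.168.1.255
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
"""

TUN_IF = re.compile(r"^(tun|tap)\d+$")


def parse_ipv4_routes(text):
    """Return the 'Internet:' section of `netstat -rn` as a list of dicts."""
    routes, in_v4 = [], False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_v4 = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_v4 or line.startswith("Destination") or not line.strip():
            continue
        cols = line.split()
        if len(cols) < 4:
            continue  # malformed or wrapped line; skip rather than guess
        routes.append({"dest": cols[0], "gw": cols[1], "flags": cols[2], "netif": cols[3]})
    return routes


def first_inet(ifconfig_text, ifname):
    """First IPv4 address on `ifname` in `ifconfig -a` output (None if absent)."""
    current = None
    for line in ifconfig_text.splitlines():
        head = re.match(r"^(\S+): flags=", line)
        if head:
            current = head.group(1)
            continue
        if current == ifname:
            addr = re.match(r"^\s*inet (\d+\.\d+\.\d+\.\d+)\b", line)
            if addr:
                return addr.group(1)
    return None


def plan(netstat_text, ifconfig_text):
    """Derive what the FreeBSD box and the LAN router need for the tun subnet."""
    routes = parse_ipv4_routes(netstat_text)
    default = next((r for r in routes if r["dest"] == "default"), None)
    if default is None:
        raise ValueError("no default route: cannot pick the outbound interface")
    ext_if = default["netif"]
    ext_addr = first_inet(ifconfig_text, ext_if)
    if ext_addr is None:
        raise ValueError(f"no IPv4 address found on {ext_if}")
    # Network routes (prefix present) whose next hop is a tun/tap interface.
    tunnels = [r["dest"] for r in routes if "/" in r["dest"] and TUN_IF.match(r["netif"])]
    return {
        "ext_if": ext_if,
        "ext_addr": ext_addr,
        "lan_gateway": default["gw"],
        "tunnel_subnets": tunnels,
        # Option A: hide the tunnel behind the server's LAN address (pf.conf syntax).
        "nat_rules": [f"nat on {ext_if} inet from {net} to any -> {ext_addr}" for net in tunnels],
        # Option B: no NAT on the server; the LAN router needs a static route instead.
        "router_routes": [f"{net} via {ext_addr}" for net in tunnels],
        # Either option needs forwarding on the server (gateway_enable="YES" in rc.conf).
        "sysctl": "net.inet.ip.forwarding=1",
    }


if __name__ == "__main__":
    result = plan(SAMPLE_NETSTAT, SAMPLE_IFCONFIG)
    print("# /etc/pf.conf (option A)")
    for rule in result["nat_rules"]:
        print(rule)
    print("# or, on the LAN router (option B): static route")
    for route in result["router_routes"]:
        print(route)
    print("# either way, on the FreeBSD box:", result["sysctl"])
```

Run against the posted output it prints `nat on em0 inet from 10.8.0.0/24 to any -> 192.168.1.200`, the explicit address being deliberate: em0 carries two addresses (.200 and .201), so `-> (em0)` would not pin the translation to one of them. With option A the router never sees 10.8.0.x on its LAN interface; with option B it does, which is the situation Morgan's reply describes, and the router then needs the route. In both cases the tunnel packets on the wire to the Internet are only ever the encapsulated OpenVPN traffic between the public endpoints.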


More information about the freebsd-pf mailing list