Fwd: Fwd: NAT for use with OpenVPN
Phil Staub
phil at staub.us
Tue Nov 12 01:50:05 UTC 2019
---------- Forwarded message ---------
From: Phil Staub <phil at staub.us>
Date: Mon, Nov 11, 2019 at 8:47 PM
Subject: Re: Fwd: NAT for use with OpenVPN
To: Morgan Wesström <freebsd-database at pp.dyndns.biz>
On Mon, Nov 11, 2019 at 5:15 PM Morgan Wesström <
freebsd-database at pp.dyndns.biz> wrote:
> Phil,
>
> I did some more testing in my own environment and you should be able to
> ping the following addresses from your connected client. It probably
> breaks down at some point and you need to tell me where:
>
> 10.8.0.6 (or whatever ip your vpn client receives)
> 10.8.0.1 (server endpoint of vpn tunnel)
> 192.168.1.200 (your FreeBSD LAN address)
> 192.168.1.1 (LAN side of your router)
>
This was very much along the lines of what I had already planned to try. I
also pinged my public IP address 67.175.144.37.
> Next ping test would be an address on the Internet like google.dns
> (8.8.8.8).
This is the ONLY ping that fails. :-(
>
> Looking at the Netgear support forums, some people claim Netgear routers
> only do NAT for the subnet on its LAN interface while others claim it
> does NAT for any subnet. I checked the manual for your router but it
> doesn't explicitly say anything on this matter so this is still an unknown.
I've spent a little time trying to find out how to get a routing table from
the router. I haven't had a lot of time to look, but I'm going to look a
little more after what I've found so far.
>
> We didn't discuss the client side config. I will show you mine below
> with the server address obfuscated. You need to replace it with your
> router WAN ip.
>
> client
> dev tun
> proto udp
> remote ***.***.***.*** 1194
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> ca ca.crt
> cert client1.crt
> key client1.key
> ns-cert-type server
> verb 4
>
>
My client side configs are very similar.
I think the only differences are irrelevant or necessitated by the
server-side config (cipher option).
> netstat -rn and ifconfig -a (ipconfig /all on Windows) from the
> connected client would be useful to further track down the problem if
> you can't resolve it.
>
I'm not a Windows fan, but I have a Win10 laptop I use for stuff that
only runs on Windows, so I'll hold my nose and try some troubleshooting
from there. :-(
Here is the Windows ipconfig /all output:
Windows IP Configuration
Host Name . . . . . . . . . . . . : Han
Primary Dns Suffix . . . . . . . : staub.us
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : staub.us
Ethernet adapter Ethernet:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : D0-17-C2-0B-E3-28
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Unknown adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-A2-CF-90-6F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::641d:f1e3:ff36:891e%14(Preferred)
IPv4 Address. . . . . . . . . . . : 10.8.0.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Lease Obtained. . . . . . . . . . : Monday, November 11, 2019 7:31:43 PM
Lease Expires . . . . . . . . . . : Tuesday, November 10, 2020 7:31:42 PM
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 10.8.0.6
DHCPv6 IAID . . . . . . . . . . . : 318832546
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-DF-60-8C-D0-17-C2-0B-E3-28
DNS Servers . . . . . . . . . . . : 1.1.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Wireless LAN adapter Local Area Connection* 2:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : 48-45-20-50-78-AB
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Local Area Connection* 13:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2
Physical Address. . . . . . . . . : 4A-45-20-50-78-AA
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7265
Physical Address. . . . . . . . . : 48-45-20-50-78-AA
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::1002:e557:a388:1315%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, November 10, 2019 11:06:24 PM
Lease Expires . . . . . . . . . . : Tuesday, November 12, 2019 11:06:23 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 38290720
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-DF-60-8C-D0-17-C2-0B-E3-28
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
(I notice there is no default gateway specified for the TUN interface. I'll
have to look into that.)
And the routing table:
===========================================================================
Interface List
18...d0 17 c2 0b e3 28 ......Realtek PCIe GBE Family Controller
14...00 ff a2 cf 90 6f ......TAP-Windows Adapter V9
15...48 45 20 50 78 ab ......Microsoft Wi-Fi Direct Virtual Adapter
9...4a 45 20 50 78 aa ......Microsoft Wi-Fi Direct Virtual Adapter #2
13...48 45 20 50 78 aa ......Intel(R) Dual Band Wireless-AC 7265
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 35
0.0.0.0 128.0.0.0 10.8.0.6 10.8.0.5 281
10.8.0.1 255.255.255.255 10.8.0.6 10.8.0.5 281
10.8.0.4 255.255.255.252 On-link 10.8.0.5 281
10.8.0.5 255.255.255.255 On-link 10.8.0.5 281
10.8.0.7 255.255.255.255 On-link 10.8.0.5 281
67.175.144.37 255.255.255.255 192.168.1.1 192.168.1.5 291
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
128.0.0.0 128.0.0.0 10.8.0.6 10.8.0.5 281
192.168.1.0 255.255.255.0 On-link 192.168.1.5 291
192.168.1.0 255.255.255.0 10.8.0.6 10.8.0.5 281
192.168.1.5 255.255.255.255 On-link 192.168.1.5 291
192.168.1.255 255.255.255.255 On-link 192.168.1.5 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 10.8.0.5 281
224.0.0.0 240.0.0.0 On-link 192.168.1.5 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 10.8.0.5 281
255.255.255.255 255.255.255.255 On-link 192.168.1.5 291
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
14 281 fe80::/64 On-link
13 291 fe80::/64 On-link
13 291 fe80::1002:e557:a388:1315/128 On-link
14 281 fe80::641d:f1e3:ff36:891e/128 On-link
1 331 ff00::/8 On-link
14 281 ff00::/8 On-link
13 291 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
> P.S. You have a .201 alias on the FreeBSD machine. It shouldn't
> interfere but I just wanted to make sure you were aware of it and had a
> reason for it.
>
Yes, it's known and I was wondering if YOU would be wondering about it.
I have a PLEX server running in a jail on the same machine the OpenVPN
server is on, and that is the .201 address. Once I get things working on
the non-jail version, I'll build another jail for the OpenVPN process.
> /Morgan
>
I'll update when I have more info about the router's routing table and the
default gateway.
Thanks,
Phil
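One way to read the client route table posted above (an added example, not code from either correspondent): resolving each test destination with Windows' longest-prefix-then-lowest-metric selection shows that everything except the VPN server's own public address is sent into the tunnel, so a ping to 8.8.8.8 that fails while 192.168.1.1 succeeds points at the server-side NAT rather than the client. The route rows are copied from the mail; the lookup helper and its name are this example's own.

```python
import ipaddress

# Rows copied from the "IPv4 Route Table" in the mail above:
# destination netmask gateway interface metric.
# The two /1 routes (0.0.0.0/1 and 128.0.0.0/1) are what OpenVPN's
# redirect-gateway def1 installs: they beat the /0 default route by
# prefix length without replacing it, which is why the TAP adapter
# shows no default gateway in ipconfig.
ROUTE_PRINT_ROWS = """\
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 35
0.0.0.0 128.0.0.0 10.8.0.6 10.8.0.5 281
10.8.0.1 255.255.255.255 10.8.0.6 10.8.0.5 281
10.8.0.4 255.255.255.252 On-link 10.8.0.5 281
67.175.144.37 255.255.255.255 192.168.1.1 192.168.1.5 291
128.0.0.0 128.0.0.0 10.8.0.6 10.8.0.5 281
192.168.1.0 255.255.255.0 On-link 192.168.1.5 291
192.168.1.0 255.255.255.0 10.8.0.6 10.8.0.5 281
"""


def parse_routes(text):
    """Turn route print rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        dest, mask, gw, iface, metric = line.split()
        routes.append((ipaddress.IPv4Network(f"{dest}/{mask}"), gw, iface, int(metric)))
    return routes


ROUTES = parse_routes(ROUTE_PRINT_ROWS)


def next_hop(dst, routes=ROUTES):
    """Pick the route Windows would use: longest prefix, then lowest metric.

    Returns (matched network, gateway, outgoing interface), or None when
    no row covers the destination.
    """
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    net, gw, iface, _metric = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return (str(net), gw, iface)


if __name__ == "__main__":
    # Same targets Morgan asked Phil to ping, plus the public IP and 8.8.8.8.
    for target in ("10.8.0.1", "192.168.1.200", "192.168.1.1", "67.175.144.37", "8.8.8.8"):
        print(target, "->", next_hop(target))
```

Only 67.175.144.37 leaves via the Wi-Fi gateway (the host route OpenVPN adds so the tunnel itself stays reachable); 8.8.8.8 and the 192.168.1.0/24 addresses all go to 10.8.0.6, so the client is doing its part.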