NAT for use with OpenVPN

Morgan Wesström freebsd-database at pp.dyndns.biz
Tue Nov 12 15:02:46 UTC 2019


> I understand what you're saying here. I had hoped this wouldn't be a 
> problem, since I didn't have a problem with the VPN in my old router, 
> though I agree that this is NOT the same configuration.

NAT is usually only applied to packets arriving/departing on the 
physical external interface. When you access your external router IP 
from your LAN, no packets actually touch the physical interface; they are 
only handled internally in the IP stack. I know there have been some SOHO 
routers on the market that had a setting to work around this, but it 
violated a bunch of RFCs, of course.

> The problem I have with this explanation is that when I connect to the 
> VPN from my phone with the WiFi turned off, it connects via an outside 
> IP that is NOT my local router. In this case, the ping of 8.8.8.8 still 
> fails.

Ok, this is interesting. If I understood your previous post, from your 
VPN client you can ping everything on your local LAN up to and including 
the external IP of your router? This tells me that everything is 
correctly configured on your LAN, including the routing tables in your 
Netgear router. If the route was missing there you wouldn't get a reply 
from the router since it would have no idea where to send packets with a 
10.8.0.0/24 destination.
Right now my best guess is that your router only does NAT for the subnet 
directly attached to its LAN port (192.168.1.0/24) and just lets packets 
from 10.8.0.0/24 through without modification. Your ISP will promptly 
drop such packets. The only way to tell is if your router allows 
monitoring of the packets on its interfaces so we can check what 
source/destination IP addresses are present in the packets passing 
through it.
You can verify on the FreeBSD machine that at least those ping packets 
leave it correctly with a source address of 10.8.0.5 (VPN client IP) and 
a destination address of 8.8.8.8.

# tcpdump -ni em0 icmp

> I certainly appreciate all your help on this! You have definitely filled in 
> a lot of blanks in my knowledge.

You're welcome, Phil. I've been using FreeBSD as my router/firewall for 
the past 15+ years but my knowledge is limited to things I experience in 
my own environment so it's not always that easy to help others.

A general suggestion: if you have the time and interest to install and 
configure FreeBSD, you'd be better off replacing your Netgear router 
with a FreeBSD machine. The major benefit is that there will always be 
security updates available, whereas Netgear and other SOHO manufacturers 
will abandon their products after a couple of years. You will also have 
all the tools available to monitor and analyse your traffic, which will 
help you with troubleshooting. You also have the flexibility to install 
any software available for the platform and configure it to your own 
needs. If the command prompt is scary, there are a few graphical 
distributions that are based on FreeBSD, like pfSense for example.

/Morgan
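
An added example, not from this thread or from the freebsd-pf project, of working through the `tcpdump -ni em0 icmp` output Morgan asks for. It pairs each ICMP echo request with its reply per source subnet, so that pings from 10.8.0.0/24 that never get an answer, seen next to pings from 192.168.1.0/24 that do, point at the upstream router handling the two source ranges differently (NAT for the attached LAN only, as guessed above). The sample capture lines, the addresses 10.8.0.5 and 192.168.1.20, and the ICMP id/seq values are constructed assumptions, not data from the thread.

```python
import re
import sys
from ipaddress import ip_address, ip_network

# Constructed sample of `tcpdump -ni em0 icmp` output. It is NOT a capture
# from the hosts in the thread; the addresses (VPN client 10.8.0.5, LAN host
# 192.168.1.20), timestamps and ICMP id/seq values are assumptions.
SAMPLE_CAPTURE = """\
15:02:01.000001 IP 10.8.0.5 > 8.8.8.8: ICMP echo request, id 1234, seq 1, length 64
15:02:01.100002 IP 192.168.1.20 > 8.8.8.8: ICMP echo request, id 4321, seq 1, length 64
15:02:01.115003 IP 8.8.8.8 > 192.168.1.20: ICMP echo reply, id 4321, seq 1, length 64
15:02:02.000004 IP 10.8.0.5 > 8.8.8.8: ICMP echo request, id 1234, seq 2, length 64
15:02:02.100005 IP 192.168.1.20 > 8.8.8.8: ICMP echo request, id 4321, seq 2, length 64
15:02:02.114006 IP 8.8.8.8 > 192.168.1.20: ICMP echo reply, id 4321, seq 2, length 64
"""

# Matches the echo request/reply lines tcpdump prints with -n (no name lookups).
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply),"
    r" id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_capture(text):
    """Return (kind, src, dst, id, seq) tuples for every echo request/reply line."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append((m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"])))
    return packets


def unanswered_by_subnet(text, subnets):
    """Count echo requests per source subnet and how many never got a reply.

    A reply matches a request when it is addressed back to the request's
    source with the same (id, seq). Requests whose source is outside all
    listed subnets are ignored.
    """
    nets = [ip_network(s) for s in subnets]
    stats = {str(n): {"requests": 0, "unanswered": 0} for n in nets}
    pending = {}  # (src, id, seq) -> subnet string, still awaiting a reply
    for kind, src, dst, ident, seq in parse_capture(text):
        if kind == "request":
            net = next((str(n) for n in nets if ip_address(src) in n), None)
            if net is None:
                continue
            stats[net]["requests"] += 1
            pending[(src, ident, seq)] = net
        else:
            pending.pop((dst, ident, seq), None)
    for net in pending.values():
        stats[net]["unanswered"] += 1
    return stats


def suspect_subnets(stats):
    """Subnets that sent requests and received no reply at all.

    If one subnet is fully unanswered while another behind the same upstream
    router is answered, that router is not translating (or not routing back
    to) the unanswered range.
    """
    return sorted(n for n, s in stats.items()
                  if s["requests"] > 0 and s["unanswered"] == s["requests"])


if __name__ == "__main__":
    # Pipe real output in:  tcpdump -lni em0 icmp | python3 this_script.py
    # With no data on stdin the constructed sample is analysed instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    result = unanswered_by_subnet(text, ["10.8.0.0/24", "192.168.1.0/24"])
    for net, s in result.items():
        print(f"{net}: {s['requests']} requests, {s['unanswered']} unanswered")
    print("suspect:", suspect_subnets(result))
```

Run it against a live capture on the FreeBSD box while pinging 8.8.8.8 from both a LAN host and the VPN client; if only 10.8.0.0/24 shows up as suspect, the packets are leaving em0 correctly and the problem is upstream, in the Netgear's NAT or return route.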


More information about the freebsd-pf mailing list