NAT for use with OpenVPN
Morgan Wesström
freebsd-database at pp.dyndns.biz
Tue Nov 12 15:02:46 UTC 2019
> I understand what you're saying here. I had hoped this wouldn't be a
> problem, since I didn't have a problem with the VPN in my old router,
> though I agree that this is NOT the same configuration.
NAT is usually only applied to packets arriving/departing on the
physical external interface. When you access your external router ip
from your LAN, no packets actually touch the physical interface but are
only handled internally in the ip stack. I know there have been some SOHO
routers on the market that had a setting to work around this but it
violated a bunch of RFCs ofc.
> The problem I have with this explanation is that when I connect to the
> VPN from my phone with the WiFi turned off, it connects via an outside
> IP that is NOT my local router. In this case, the ping of 8.8.8.8 still
> fails.
Ok, this is interesting. If I understood your previous post, from your
vpn client you can ping everything on your local LAN up to and including
the external ip of your router? This tells me that everything is
correctly configured on your LAN, including the routing tables in your
Netgear router. If the route was missing there you wouldn't get a reply
from the router since it would have no idea where to send packets with a
10.8.0.0/24 destination.
Right now my best guess is that your router only does NAT for the subnet
directly attached to its LAN port (192.168.1.0/24) and just lets packets
from 10.8.0.0/24 through without modification. Your ISP will promptly
drop such packets. The only way to tell is if your router allows
monitoring of the packets on its interfaces so we can check what
source/destination ip addresses are present in the packets passing
through it.
You can verify on the FreeBSD machine that at least those ping packets
leave it correctly with a source address of 10.8.0.5 (vpn client ip) and
a destination address of 8.8.8.8.
# tcpdump -ni em0 icmp
> I certainly appreciate all your help on this! have definitely filled in
> a lot of blanks in my knowledge.
You're welcome, Phil. I've been using FreeBSD as my router/firewall for
the past 15+ years but my knowledge is limited to things I experience in
my own environment so it's not always that easy to help others.
A general suggestion, if you have the time and interest to install and
configure FreeBSD, you'd be better off to replace your Netgear router
with a FreeBSD machine. The major benefit is that there will always be
security updates available whereas Netgear and other SOHO manufacturers
will abandon their products after a couple of years. You will also have
all the tools available to monitor and analyse your traffic which will
help you with troubleshooting. You also have the flexibility to install
any software available for the platform and configure it to your own
needs. If the command prompt is scary, there are a few graphical
distributions that are based on FreeBSD, like pfSense for example.
/Morgan
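The check Morgan describes (look at the source/destination addresses of packets on the WAN side and see whether the VPN subnet is being translated) can be done by hand, but a small parser over the tcpdump output makes the "NAT not applied" case obvious. The script below is an added example, not part of the post or of any FreeBSD/pf tooling. It assumes the capture was taken with tcpdump -n on the router's WAN-facing interface; the sample lines are constructed, 203.0.113.10 stands in for the router's public address, and the 10.8.0.5 / 8.8.8.8 addresses follow the thread. Any packet leaving the WAN side with an RFC 1918 source address has bypassed NAT and will be dropped upstream, which is exactly the symptom under discussion.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -ni <wan_if> icmp` output (not from the post).
# The first pair is a correctly NATed echo and its reply; the last two lines
# show an OpenVPN client address leaking out untranslated.
SAMPLE_CAPTURE = """\
15:02:46.100001 IP 203.0.113.10 > 8.8.8.8: ICMP echo request, id 7, seq 1, length 64
15:02:46.120002 IP 8.8.8.8 > 203.0.113.10: ICMP echo reply, id 7, seq 1, length 64
15:02:47.100003 IP 10.8.0.5 > 8.8.8.8: ICMP echo request, id 9, seq 1, length 64
15:02:48.100004 IP 10.8.0.5 > 8.8.8.8: ICMP echo request, id 9, seq 2, length 64
"""

# RFC 1918 ranges; anything sourced from these must have been translated
# before it reaches the ISP. (ipaddress.is_private is avoided on purpose:
# it also matches documentation ranges such as 203.0.113.0/24.)
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# "<timestamp> IP <src> > <dst>: ..." as printed by tcpdump -n for IPv4.
LINE_RE = re.compile(r"^\S+ IP (\S+) > ([^:]+):")


def _strip_port(token):
    """tcpdump prints TCP/UDP endpoints as a.b.c.d.port; drop the port if present."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4])
    return token


def parse_capture(text):
    """Return a list of (src, dst) IPv4Address pairs, one per parsed packet line."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-IPv4 lines (ARP, IPv6, tcpdump banners) are skipped
        src = ipaddress.ip_address(_strip_port(m.group(1)))
        dst = ipaddress.ip_address(_strip_port(m.group(2)))
        packets.append((src, dst))
    return packets


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def find_unnatted(packets):
    """(src, dst) string pairs for packets leaving with a private source address.

    On a WAN-side capture these are packets the router forwarded without
    applying NAT; the ISP will drop them and no reply will ever come back.
    """
    return [
        (str(src), str(dst))
        for src, dst in packets
        if is_rfc1918(src) and not is_rfc1918(dst)
    ]


def leaking_subnets(packets, prefixlen=24):
    """Sorted list of /prefixlen networks whose hosts are leaking out untranslated.

    Lets you see at a glance that e.g. 10.8.0.0/24 is missing from the NAT
    rule while 192.168.1.0/24 is fine.
    """
    nets = set()
    for src, _dst in find_unnatted(packets):
        iface = ipaddress.ip_interface(f"{src}/{prefixlen}")
        nets.add(str(iface.network))
    return sorted(nets)


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for src, dst in find_unnatted(pkts):
        print(f"un-NATed packet: {src} -> {dst}")
    print("subnets missing from NAT:", leaking_subnets(pkts))
```

Run it against a real capture with something like `tcpdump -ni em0 -l icmp | python3 check_nat.py` after replacing SAMPLE_CAPTURE with sys.stdin.read(); if the leaking subnet list is empty on the WAN interface but the pings still fail, the problem is further upstream than NAT.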