OpenVPN with NAT

freebsd at fongaboo.com freebsd at fongaboo.com
Sun Feb 22 18:45:44 UTC 2015


P.S. I believe I enabled the server to be a gateway immediately (without reboot) with:

 	sysctl net.inet.ip.forwarding=1

 	> sysctl -a | grep forwarding
 	  net.inet.ip.forwarding: 1

I also had to do kldload ipdivert and kldload ipfw_nat before I could get 
a lot of what I described to run without error (however, still 
non-functional).



On Sun, 22 Feb 2015, freebsd at fongaboo.com wrote:

>
> Have a FreeBSD 10 box I have set up with OpenVPN. I've gotten it working, 
> terminating at the server, with both a FreeBSD and a Windows client.
>
> Now I am trying to route Internet traffic through the VPN and out the 
> server's gateway. From what I have read, it involves:
>
> 1) Configuring the FreeBSD server to be a gateway router:
>
> 	gateway_enable="YES" (in /etc/rc.conf)
>
> 2) Enabling gateway redirection in OpenVPN on the server:
>
> 	push "redirect-gateway def1 bypass-dhcp" (in 
> /usr/local/etc/openvpn/openvpn.conf)
>
> 3) NAT'ing the OpenVPN clients to the WAN interface of the server:
>
> 	From what I've read, this can be done three ways:
>
> 	A) Using IPFW and NATD
>
> 	B) Using IPFW and kernel-based NAT
>
> 	C) Using NAT functions in PF
>
>
> At the moment, I don't really want to go for option C, although open to it in 
> the long-run. But switching to PF would require getting myself, and others 
> working on this box, up to speed on PF... and recreating all my existing IPFW 
> rules in PF.
>
> I've tried Option B, by entering IPFW rules such as:
>
> 	ipfw nat 1 config if em0
> 	ipfw add nat 1 all from 10.8.0.0/24 to any out via bge0
> 	ipfw add nat 1 all from any to any in via bge0
>
> And I've tried Option A by enabling NATD as described below in a post from 
> last month. Unlike that poster, I want ALL my clients to route out through 
> the VPN gateway. So I tried the 'unrefined' line as it is displayed below.
>
> In all cases, the OpenVPN client does take over the gateway, but traffic goes 
> nowhere. Nothing seems to make it out the external interface and back. NAT 
> seems not to be succeeding no matter what I do. Any advice? TIA
>
>
> On Mon, 26 Jan 2015, Polytropon wrote:
>
>> On Mon, 26 Jan 2015 16:45:16 +0100, Luciano Mannucci wrote:
>>> I have a freebsd machine (FreeBSD troika 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401)
>>> with openvpn that works like a charm :-)...
>>> I wish to nat one and only one of my openvpn clients, possibly for a
>>> single destination. What's the better way to avoid disturbing the rest
>>> of the operations?
>>> Any clues?
>>> Is IPFW my friend?
>> 
>> Yes, that should work. In /etc/rc.conf, set
>>
>> 	natd_enable="YES"
>> 	natd_interface="xl0"
>> 
>> where "xl0" is the "outer" interface.
>> 
>> In your custom /etc/ipfw.conf, add the rule
>>
>> 	add divert natd ip from any to any via xl0
>> 
>> and refine the "from any to any" part to reflect the
>> IP addresses (and maybe specific ports) for the connection
>> you want to translate, so the rule will only allow for
>> that _one_ destination you want to enable.
>> 
>> 
>> -- 
>> Polytropon
>> Magdeburg, Germany
>> Happy FreeBSD user since 4.0
>> Andra moi ennepe, Mousa, ...
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to 
>> "freebsd-questions-unsubscribe at freebsd.org"
>> 
>

