OpenVPN with NAT
freebsd at fongaboo.com
Sun Feb 22 18:45:44 UTC 2015
P.S. I believe I enabled the server to be a gateway immediately (without reboot) with:
> sysctl -a | grep forwarding
I also had to do kldload ipdivert and kldload ipfw_nat before I could get
a lot of what I described to run without error (however, still
On Sun, 22 Feb 2015, freebsd at fongaboo.com wrote:
> Have a FreeBSD 10 box I have set up with OpenVPN. I've gotten it working,
> terminating at the server, with both a FreeBSD and a Windows client.
> Now I am trying to route Internet traffic through the VPN and out the
> server's gateway. From what I have read, it involves:
> 1) Configuring the FreeBSD server to be a gateway router:
> gateway_enable="YES" (in /etc/rc.conf)
> 2) Enabling gateway redirection in OpenVPN on the server:
> push "redirect-gateway def1 bypass-dhcp" (in
> 3) NAT'ing the OpenVPN clients to the WAN interface of the server:
> From what I've read, this can be done three ways:
> A) Using IPFW and NATD
> B) Using IPFW and kernel-based NAT
> C) Using NAT functions in PF
> At the moment, I don't really want to go for option C, although open to it in
> the long-run. But switching to PF would require getting myself, and others
> working on this box, up to speed on PF... and recreating all my existing IPFW
> rules in PF.
> I've tried Option B, by entering IPFW rules such as:
> ipfw nat 1 config if em0
> ipfw add nat 1 all from 10.8.0.0/24 to any out via bge0
> ipfw add nat 1 all from any to any in via bge0
> And I've tried Option A by enabling NATD as described below in a post from
> last month. Unlike that poster, I want ALL my clients to route out through
> the VPN gateway. So I tried the 'unrefined' line as it is displayed below.
> In all cases, the OpenVPN client does take over the gateway, but traffic goes
> nowhere. Nothing seems to make it out the external interface and back. NAT
> seems not to be succeeding no matter what I do. Any advice? TIA
> On Mon, 26 Jan 2015, Polytropon wrote:
>> On Mon, 26 Jan 2015 16:45:16 +0100, Luciano Mannucci wrote:
>>> I have a freebsd machine (FreeBSD troika 10.1-RELEASE FreeBSD 10.1-RELEASE
>>> r274401) with openvpn that works like a charm :-)...
>>> I wish to nat one and only one of my openvpn clients, possibly for a
>>> single destination. What's the better way to avoid disturbing the rest
>>> of the operations?
>>> Any clues?
>>> Is IPFW my friend?
>> Yes, that should work. In /etc/rc.conf, set
>> where "xl0" is the "outer" interface.
>> In your custom /etc/ipfw.conf, add the rule
>> add divert natd ip from any to any via xl0
>> and refine the "from any to any" part to reflect the
>> IP addresses (and maybe specific ports) for the connection
>> you want to translate, so the rule will only allow for
>> that _one_ destination you want to enable.
>> Magdeburg, Germany
>> Happy FreeBSD user since 4.0
>> Andra moi ennepe, Mousa, ...
>> freebsd-questions at freebsd.org mailing list
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe at freebsd.org"
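As an added worked example (not the poster's script, nor anything from the FreeBSD project), the script below puts the three steps from the post into one place for option B, ipfw kernel NAT. It assumes the values quoted in the thread, VPN subnet 10.8.0.0/24 and WAN interface bge0; the rule numbers 100/110 and the function names are my own. One thing worth checking against the quoted commands: the NAT instance is configured with "config if em0" while the add rules match "via bge0", so the instance and the rules name different interfaces. The nat_iface_mismatch function reads an ipfw rule listing and exits non-zero when the "config if" interface and the "via" interfaces of the nat rules disagree, which is the first thing I would run on a box where traffic "goes nowhere".

```shell
#!/bin/sh
# Added example for the OpenVPN/ipfw NAT thread; not the poster's script.
# Assumptions (from the thread): VPN subnet 10.8.0.0/24, WAN interface bge0,
# option B (ipfw kernel NAT). Rule numbers 100/110 are my own choice.

# Emit the ipfw kernel-NAT rules for one VPN subnet on one WAN interface.
# The "config if" clause and every "via" clause must name the SAME interface:
# replies are translated "in via" the WAN, client traffic "out via" it.
# With the default net.inet.ip.fw.one_pass=1 a packet that hits a nat rule
# is accepted after translation, so these rules sit before the rest of the set.
ovpn_nat_rules() {
    vpn_net="$1"
    wan_if="$2"
    cat <<EOF
nat 1 config if $wan_if same_ports reset
add 100 nat 1 ip from any to any in via $wan_if
add 110 nat 1 ip from $vpn_net to any out via $wan_if
EOF
}

# Read an ipfw rule listing on stdin and report any "via" interface of a nat
# rule that differs from the interface in "nat N config if X".
# Exit status 1 on a mismatch, 0 when the set is consistent.
nat_iface_mismatch() {
    awk '
        /nat [0-9]+ config if / { for (i = 1; i <= NF; i++) if ($i == "if") cfg = $(i + 1) }
        /add .*nat [0-9]+ .*via / { for (i = 1; i <= NF; i++) if ($i == "via") seen[$(i + 1)] = 1 }
        END {
            bad = 0
            for (v in seen)
                if (v != cfg) { print "mismatch: nat instance on " cfg " but rule matches via " v; bad = 1 }
            exit bad
        }'
}

# Diagnostics to read before blaming NAT (FreeBSD sysctl names; prints "n/a"
# elsewhere). forwarding must be 1; gateway_enable="YES" in rc.conf makes
# that persistent across reboots, sysctl sets it immediately.
gateway_state() {
    fwd=$(sysctl -n net.inet.ip.forwarding 2>/dev/null || echo n/a)
    onepass=$(sysctl -n net.inet.ip.fw.one_pass 2>/dev/null || echo n/a)
    printf 'net.inet.ip.forwarding=%s net.inet.ip.fw.one_pass=%s\n' "$fwd" "$onepass"
}

# Usage: sh ovpn-nat.sh show    (print state and rules, change nothing)
#        sh ovpn-nat.sh apply   (load module, enable forwarding, load rules; root)
case "${1:-}" in
    apply)
        kldstat -q -m ipfw_nat || kldload ipfw_nat      # kernel NAT module
        sysctl net.inet.ip.forwarding=1
        ovpn_nat_rules 10.8.0.0/24 bge0 | nat_iface_mismatch >/dev/null || exit 1
        ovpn_nat_rules 10.8.0.0/24 bge0 | sed 's/^/ipfw /' | sh -e
        ;;
    show)
        gateway_state
        ovpn_nat_rules 10.8.0.0/24 bge0
        ;;
esac
```

Run it with "show" first and compare its output against "ipfw list" on the server; on the quoted rule set, piping "ipfw nat show config" followed by "ipfw list" into nat_iface_mismatch flags the em0/bge0 split. The NAT rules must also be allowed to translate return traffic, which is why the "in via" rule is unconditional ("from any to any"), not restricted to the VPN subnet.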