STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)

Fongaboo freebsd at fongaboo.com
Sat Aug 26 13:10:33 UTC 2017


I'm following this tutorial:

https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1

Trying this on an AWS instance first and then planning to try on a bare metal colo server.

OpenVPN client and daemon seem to be working, in terms of handshaking and 
connecting with each other. Problem is, no matter what I do, connected 
clients can't get out to the Internet through the server's gateway 
interface.

I've tried setting up NATD, like the tutorial instructs. I've tried 
enabling ipfw_nat as described in this comment:

https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1?comment=40498

rc.conf (for NATD):

#enable firewall
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_type="open"

gateway_enable="YES"
natd_enable="YES"
natd_interface="xn0"
natd_flags="-dynamic -m"

rc.conf (revised for ipfw_nat):

#enable firewall
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="xn0"

gateway_enable="YES"
#natd_enable="YES"
#natd_interface="xn0"
#natd_flags="-dynamic -m"

*xn0 = external interface of the server

Neither config allows Internet access. I have this line enabled in 
/usr/local/etc/openvpn/openvpn.conf:

push "redirect-gateway def1 bypass-dhcp"

Perhaps this is part of the solution?:

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses.  You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

Any advice would be appreciated. I'm willing to try any combination of 
ipfw vs. pf or natd vs. ipfw_nat or whatever if it will allow clients to 
see the WAN. TIA!
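As an added example (not the poster's file and not from the DigitalOcean tutorial), here is a /usr/local/etc/ipfw.rules that supplies the NAT step a custom firewall_script has to provide itself; it assumes the OpenVPN server subnet is 10.8.0.0/24 on tun0 and keeps xn0 as the external interface:

```shell
#!/bin/sh
# Example /usr/local/etc/ipfw.rules (the path named in the poster's rc.conf).
# Added example, not the poster's or the tutorial's file. Assumptions:
# the OpenVPN server subnet is 10.8.0.0/24 on tun0 and xn0 is the WAN side.
# Because firewall_script points here, /etc/rc.firewall never runs, so the
# nat rule it would have added for firewall_nat_enable has to live here.

# Emit the rule set for the given interfaces/subnet instead of applying it,
# so it can be reviewed (and tested) before being handed to ipfw.
gen_rules() {
    ext_if="$1"; vpn_if="$2"; vpn_net="$3"
    cat <<EOF
ipfw -q -f flush
ipfw -q nat 1 config if ${ext_if} same_ports unreg_only reset
ipfw -q add 100 allow ip from any to any via lo0
ipfw -q add 200 allow ip from any to any via ${vpn_if}
ipfw -q add 300 nat 1 ip4 from any to any in via ${ext_if}
ipfw -q add 310 nat 1 ip4 from ${vpn_net} to any out via ${ext_if}
ipfw -q add 65000 allow ip from any to any
EOF
}

# Checks to run before trusting the rule set: IP forwarding must be on
# (gateway_enable="YES") and in-kernel NAT must be present, otherwise
# tun0 traffic is dropped before it ever reaches the nat rule on xn0.
preflight() {
    [ "$(sysctl -n net.inet.ip.forwarding 2>/dev/null)" = "1" ] || return 1
    kldstat -q -m ipfw_nat 2>/dev/null || return 1
    return 0
}

# "print" shows the rules; "apply" runs the checks and installs them.
case "${1:-print}" in
    print) gen_rules xn0 tun0 10.8.0.0/24 ;;
    apply) preflight && gen_rules xn0 tun0 10.8.0.0/24 | sh ;;
esac
```

Keep firewall_nat_enable="YES" in rc.conf so /etc/rc.d/ipfw loads the ipfw_nat module, but the nat rule itself must come from this script because firewall_script replaces /etc/rc.firewall; gateway_enable="YES" still supplies net.inet.ip.forwarding=1.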
