STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)
Fongaboo
freebsd at fongaboo.com
Sat Aug 26 13:10:33 UTC 2017
I'm following this tutorial:
https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1
Trying this on an AWS instance first and then planning to try on a bare metal colo server.
OpenVPN client and daemon seem to be working, in terms of handshaking and
connecting with each other. Problem is, no matter what I do, connected
clients can't get out to the Internet through the server's gateway
interface.
I've tried setting up NATD, like the tutorial instructs. I've tried
enabling ipfw_nat as described in this comment:
https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1?comment=40498
rc.conf (for NATD):
#enable firewall
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_type="open"
gateway_enable="YES"
natd_enable="YES"
natd_interface="xn0"
natd_flags="-dynamic -m"
rc.conf (revised for ipfw_nat):
#enable firewall
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="xn0"
gateway_enable="YES"
#natd_enable="YES"
#natd_interface="xn0"
#natd_flags="-dynamic -m"
*xn0 = external interface of the server
Neither config allows Internet access. I have this line enabled in
/usr/local/etc/openvpn/openvpn.conf:
push "redirect-gateway def1 bypass-dhcp"
Perhaps this is part of the solution?:
# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge
Any advice would be appreciated. I'm willing to try any combination of
ipfw vs. pf or natd vs. ipfw_nat or whatever if it will allow clients to
see the WAN. TIA!
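Added example (not part of the original post, and not the DigitalOcean tutorial's code): a shell script that generates the ipfw ruleset a custom firewall_script would have to carry when in-kernel NAT (firewall_nat_enable) is used, plus a small prerequisite check. The point it illustrates is that when rc.conf points firewall_script at a file of your own, /etc/rc.firewall is not consulted, so firewall_type="open" and the firewall_nat_* knobs do not by themselves place any NAT rules; the file must define the NAT instance and the rule that sends traffic through it, and the host still needs net.inet.ip.forwarding=1 (gateway_enable) and the ipfw_nat module loaded. The push "redirect-gateway" line only changes routing on the client side. Assumed values, to be adjusted: external interface xn0, OpenVPN device tun0, and OpenVPN's default 10.8.0.0/24 client subnet.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the ipfw ruleset that a
# custom firewall_script would run when in-kernel NAT (ipfw_nat) is used to
# give OpenVPN clients Internet access, and offers a prerequisite check.
# Assumptions (change to match the host): external interface xn0, OpenVPN
# device tun0, OpenVPN's default 10.8.0.0/24 client subnet.

# gen_ipfw_nat_rules EXT_IF VPN_NET -> prints a complete ruleset script.
gen_ipfw_nat_rules() {
    ext_if="$1"
    vpn_net="$2"
    cat <<EOF
#!/bin/sh
# /usr/local/etc/ipfw.rules (the path named by firewall_script in rc.conf)
fwcmd="/sbin/ipfw"
\${fwcmd} -q -f flush

# NAT instance 1 hides VPN clients behind ${ext_if}. unreg_only limits
# translation to RFC 1918 sources, so the server's own traffic is untouched.
\${fwcmd} nat 1 config if ${ext_if} same_ports unreg_only

\${fwcmd} add 100 allow ip from any to any via lo0
\${fwcmd} add 200 deny ip from any to 127.0.0.0/8
\${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

# Every packet crossing ${ext_if} passes through the NAT instance: outbound
# VPN traffic is rewritten, inbound replies are mapped back to the client.
\${fwcmd} add 1000 nat 1 ip from any to any via ${ext_if}

# Accept tunnel traffic and forwarded packets from the VPN subnet.
\${fwcmd} add 2000 allow ip from any to any via tun0
\${fwcmd} add 2100 allow ip from ${vpn_net} to any

# Equivalent of firewall_type="open" for everything else.
\${fwcmd} add 65000 allow ip from any to any
EOF
}

# rules_cover_nat EXT_IF VPN_NET -> 0 if the generated ruleset contains both
# the NAT instance definition and the rule that sends traffic through it.
rules_cover_nat() {
    rules=$(gen_ipfw_nat_rules "$1" "$2")
    printf '%s\n' "$rules" | grep -q "nat 1 config if $1" || return 1
    printf '%s\n' "$rules" | grep -q "add 1000 nat 1 ip from any to any via $1" || return 1
    return 0
}

# check_prereqs -> on FreeBSD, report the two things NAT needs besides rules:
# IP forwarding (gateway_enable) and the ipfw_nat kernel module. Returns 2
# when the FreeBSD tools are not present (e.g. run on another OS).
check_prereqs() {
    command -v kldstat >/dev/null 2>&1 || return 2
    fwd=$(sysctl -n net.inet.ip.forwarding 2>/dev/null || echo 0)
    [ "$fwd" = "1" ] || { echo "net.inet.ip.forwarding is $fwd, expected 1"; return 1; }
    kldstat -q -m ipfw_nat || { echo "ipfw_nat not loaded (kldload ipfw_nat)"; return 1; }
    echo "forwarding on, ipfw_nat loaded"
    return 0
}

# Usage: "sh this.sh generate [ext_if] [vpn_net]" prints the ruleset,
# "sh this.sh check" verifies the host prerequisites.
case "${1:-}" in
    generate) gen_ipfw_nat_rules "${2:-xn0}" "${3:-10.8.0.0/24}" ;;
    check)    check_prereqs ;;
esac
```

Rule 1000 is what actually performs the translation; with ipfw's default one_pass=1 a packet that has been through the NAT instance is accepted immediately, so the allow rules after it only govern untranslated traffic. After writing the generated file to the path named in firewall_script, `service ipfw restart` loads it, and `ipfw nat 1 show` lists the active translations while a client is connected.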