STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)

Adam Vande More amvandemore at gmail.com
Sat Aug 26 16:13:43 UTC 2017


On Sat, Aug 26, 2017 at 8:03 AM, Fongaboo <freebsd at fongaboo.com> wrote:

>
> I'm following this tutorial:
>
> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1
>
> Trying this on an AWS instance first and then planning to try on a bare
> metal colo server.
>
> OpenVPN client and daemon seem to be working, in terms of handshaking and
> connecting with each other. Problem is, no matter what I do, connected
> clients can't get out to the Internet through the server's gateway
> interface.
>
> I've tried setting up NATD, like the tutorial instructs. I've tried
> enabling ipfw_nat as described in this comment:
>
> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1?comment=40498
>
> rc.conf (for NATD):
>
> #enable firewall
> firewall_enable="YES"
> firewall_script="/usr/local/etc/ipfw.rules"
> firewall_type="open"
>
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="xn0"
> natd_flags="-dynamic -m"
>
> rc.conf (revised for ipfw_nat):
>
> #enable firewall
> firewall_enable="YES"
> firewall_script="/usr/local/etc/ipfw.rules"
> firewall_type="open"
> firewall_nat_enable="YES"
> firewall_nat_interface="xn0"
>
> gateway_enable="YES"
> #natd_enable="YES"
> #natd_interface="xn0"
> #natd_flags="-dynamic -m"
>
> *xn0 = external interface of the server
>
> Neither config allows Internet access. I have this line enabled in
> /usr/local/etc/openvpn/openvpn.conf:
>
> push "redirect-gateway def1 bypass-dhcp"
>
> Perhaps this is part of the solution?:
>
> # Configure server mode for ethernet bridging
> # using a DHCP-proxy, where clients talk
> # to the OpenVPN server-side DHCP server
> # to receive their IP address allocation
> # and DNS server addresses.  You must first use
> # your OS's bridging capability to bridge the TAP
> # interface with the ethernet NIC interface.
> # Note: this mode only works on clients (such as
> # Windows), where the client-side TAP adapter is
> # bound to a DHCP client.
> ;server-bridge
>
> Any advice would be appreciated. I'm willing to try any combination of
> ipfw vs. pf or natd vs. ipfw_nat or whatever if it will allow clients to
> see the WAN. TIA!
>

tcpdump and ipfw logs.

-- 
Adam
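An added example, not code from this thread or from the DigitalOcean tutorial: a small POSIX sh checker that reads an rc.conf-style file and reports the settings that commonly go missing in this kind of setup (IP forwarding, exactly one NAT mechanism with its interface, and a custom firewall_script). The poster's revised rc.conf is embedded as constructed sample input, and the function and file names are mine. The firewall_script finding reflects my understanding of the base scripts: /etc/rc.d/ipfw runs whatever firewall_script names instead of /etc/rc.firewall, so the natd/firewall_nat knobs in rc.conf only become ipfw rules if that custom script adds them itself.

```shell
#!/bin/sh
# Added example: audit an rc.conf-style file for the settings an OpenVPN
# gateway needs to NAT tun clients out of the external interface.
# Function and file names are illustrative, not from the thread.

# Print the value of key="value" from file $2 (last uncommented definition wins).
rcval() {
    sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$2" | tail -n 1
}

# Report findings one per line; return 1 if anything is missing or inconsistent.
audit_vpn_nat() {
    f=$1
    rc=0
    if [ "$(rcval gateway_enable "$f")" != "YES" ]; then
        echo "MISSING: gateway_enable=\"YES\" (net.inet.ip.forwarding stays 0; client traffic is never routed)"
        rc=1
    fi
    natd=$(rcval natd_enable "$f")
    kernat=$(rcval firewall_nat_enable "$f")
    case "$natd/$kernat" in
        YES/YES)
            echo "CONFLICT: natd_enable and firewall_nat_enable are both set; use one NAT mechanism"
            rc=1 ;;
        YES/*)
            [ -n "$(rcval natd_interface "$f")" ] || { echo "MISSING: natd_interface"; rc=1; } ;;
        */YES)
            [ -n "$(rcval firewall_nat_interface "$f")" ] || { echo "MISSING: firewall_nat_interface"; rc=1; } ;;
        *)
            echo "MISSING: no NAT enabled (natd_enable or firewall_nat_enable)"
            rc=1 ;;
    esac
    script=$(rcval firewall_script "$f")
    if [ -n "$script" ] && [ "$script" != "/etc/rc.firewall" ]; then
        # Assumption (see lead-in): a custom script replaces /etc/rc.firewall entirely.
        echo "CHECK: firewall_script=$script runs instead of /etc/rc.firewall, so firewall_type and the NAT knobs above are not turned into rules by the base scripts; $script must add the divert/nat rule itself and pass traffic on tun0"
        rc=1
    fi
    return $rc
}

# Constructed sample: the revised rc.conf quoted in the post above.
write_poster_rcconf() {
    cat >"$1" <<'EOF'
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="xn0"

gateway_enable="YES"
#natd_enable="YES"
#natd_interface="xn0"
#natd_flags="-dynamic -m"
EOF
}

# Constructed sample: the same intent, relying on /etc/rc.firewall's "open" type.
write_minimal_rcconf() {
    cat >"$1" <<'EOF'
gateway_enable="YES"
firewall_enable="YES"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="xn0"
EOF
}

sample=$(mktemp)
write_poster_rcconf "$sample"
echo "== poster's revised rc.conf =="
audit_vpn_nat "$sample" || echo "(problems found)"
rm -f "$sample"
```

Run it against the real /etc/rc.conf by calling `audit_vpn_nat /etc/rc.conf`; a clean result only means the knobs are consistent, so the ipfw ruleset (`ipfw list`) and a tcpdump on tun0 and xn0 are still the next things to look at.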
