STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)
smithi at nimnet.asn.au
Sun Aug 27 07:42:53 UTC 2017
In freebsd-questions Digest, Vol 690, Issue 7, Message: 2
On Sat, 26 Aug 2017 09:03:07 -0400 (EDT) Fongaboo <freebsd at fongaboo.com> wrote:
> I'm following this tutorial:
> Trying this on an AWS instance first and then planning to try on a bare metal colo server.
> OpenVPN client and daemon seem to be working, in terms of handshaking and
> connecting with each other. Problem is, no matter what I do, connected
> clients can't get out to the Internet through the server's gateway
> I've tried setting up NATD, like the tutorial instructs. I've tried
> enabling ipfw_nat as described in this comment:
> rc.conf (for NATD):
> #enable firewall
I know next to nothing about OpenVPN - though the digitalocean tutorial
looks pretty thorough on the surface - and absolutely nothing about AWS,
but do know a bit about ipfw and friends.
Your changing of the default firewall_script from /etc/rc.firewall to
"/usr/local/etc/ipfw.rules" suggests that you've been unfortunately
illadvised by the still-dreadful IPFW section in the handbook, written
by someone who uses ipfilter. Rely on /etc/rc.firewall and ipfw(8) for
accurate information on using ipfw.
I note that the digitalocean tute did not make that mistake, though it
would be more up-to-date to use firewall_nat_enable rather than natd(8),
however natd works as well as ever, if a bit more slowly (extra process)
So .. firewall_type="open" is a parameter to whatever firewall_script.
/etc/rc.firewall uses that to generate an open firewall, i.e. inserting
'pass all from any to any', overriding the default 'deny all from any
to any'. You didn't show your ipfw.rules, but I doubt it parses 'open'
as a parameter - so it would not be surprising if you were locked out.
> natd_flags="-dynamic -m"
> rc.conf (revised for ipfw_nat):
> #enable firewall
Same problem here. Comment out that firewall_script line to get the
default, as shown in /etc/defaults/rc.conf
You'll likely need some firewall_nat_flags as well. See rc.firewall for
NAT setup (natd or firewall_nat) with 'open' or 'client' rulesets.
> #natd_flags="-dynamic -m"
> *xn0 = external interface of the server
> Neither config allows Internet access.
Try it with the default firewall_script, for a proper open firewall,
that you can condition to suit once your VPN stuff is all working.
pf is fine too of course, properly configured, but I hate seeing people
quit using ipfw because of some truly bad advice from >10 years ago :(
As for this thread in general, it'd be really nice if people would not
re-re-quote long messages including tcpdumps to add one-line comments,
whether top- or bottom-posted - this digest was five times normal size.
More information about the freebsd-questions