STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)
freebsd at fongaboo.com
Mon Aug 28 00:39:38 UTC 2017
On Sun, 27 Aug 2017, Ian Smith wrote:
> I know next to nothing about OpenVPN - though the digitalocean tutorial
> looks pretty thorough on the surface - and absolutely nothing about AWS,
> but do know a bit about ipfw and friends.
Yeah I figured this was more a pure Firewall and routing issue contextual
to FreeBSD than anything OpenVPN-specific.
> Your changing of the default firewall_script from /etc/rc.firewall to
> "/usr/local/etc/ipfw.rules" suggests that you've been unfortunately
> ill-advised by the still-dreadful IPFW section in the handbook, written
> by someone who uses ipfilter. Rely on /etc/rc.firewall and ipfw(8) for
> accurate information on using ipfw.
I'm not sure what you mean by "Rely on /etc/rc.firewall and ipfw(8)". Are
these files in FreeBSD to refer to? Or are you talking about the
respective handbook entries for these things?
> I note that the digitalocean tute did not make that mistake, though it
> would be more up-to-date to use firewall_nat_enable rather than natd(8),
> however natd works as well as ever, if a bit more slowly (extra process).
> So .. firewall_type="open" is a parameter to whatever firewall_script.
> /etc/rc.firewall uses that to generate an open firewall, i.e. inserting
> 'pass all from any to any', overriding the default 'deny all from any
> to any'. You didn't show your ipfw.rules, but I doubt it parses 'open'
> as a parameter - so it would not be surprising if you were locked out.
So when I eliminate 'firewall_script="/usr/local/etc/ipfw.rules"' what is
IPFW using for its rules?
> > gateway_enable="YES"
> > natd_enable="YES"
> > natd_interface="xn0"
> > natd_flags="-dynamic -m"
> > rc.conf (revised for ipfw_nat):
> > #enable firewall
> > firewall_enable="YES"
> > firewall_script="/usr/local/etc/ipfw.rules"
> > firewall_type="open"
> Same problem here. Comment out that firewall_script line to get the
> default, as shown in /etc/defaults/rc.conf
> > firewall_nat_enable="YES"
> > firewall_nat_interface="xn0"
> > gateway_enable="YES"
> You'll likely need some firewall_nat_flags as well. See rc.firewall for
> NAT setup (natd or firewall_nat) with 'open' or 'client' rulesets.
> > #natd_enable="YES"
> > #natd_interface="xn0"
> > #natd_flags="-dynamic -m"
> > *xn0 = external interface of the server
> > Neither config allows Internet access.
> Try it with the default firewall_script, for a proper open firewall,
> that you can condition to suit once your VPN stuff is all working.
So in short, you think 'firewall_nat_enable' and a combination of some
firewall_nat_flags will accomplish the gateway redirection to the WAN?
Just want to make sure I'm following correctly.
> pf is fine too of course, properly configured, but I hate seeing people
> quit using ipfw because of some truly bad advice from >10 years ago :(
> As for this thread in general, it'd be really nice if people would not
> re-re-quote long messages including tcpdumps to add one-line comments,
> whether top- or bottom-posted - this digest was five times normal size.
> cheers, Ian
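Added check, not part of the thread: a small POSIX sh linter for the rc.conf mistakes Ian points out (a custom firewall_script that never parses firewall_type, natd and firewall_nat both enabled, a missing NAT interface or gateway_enable), run over the poster's revised rc.conf and a corrected version. The same_ports value in the corrected sample is my assumption about the ipfw nat counterpart of the natd -m flag the poster was using; the tun/VPN subnet rules are out of scope here.

```sh
#!/bin/sh
# Lint an rc.conf for the ipfw/NAT combinations discussed in this thread.
# Assumes lines look like key="value" (trailing comments allowed); later wins.
# rc_get FILE KEY: value of the last uncommented KEY= assignment, or empty.
rc_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}
is_yes() { case "$1" in [Yy][Ee][Ss]) return 0 ;; *) return 1 ;; esac; }
# check_rcconf_nat FILE: print one finding per line; return 0 only when clean.
check_rcconf_nat() {
    f=$1 rc=0
    script=$(rc_get "$f" firewall_script)
    if [ -n "$script" ] && [ "$script" != /etc/rc.firewall ] && [ -n "$(rc_get "$f" firewall_type)" ]; then
        echo "firewall_script=$script replaces /etc/rc.firewall, so firewall_type is never parsed (lockout risk)"; rc=1
    fi
    if is_yes "$(rc_get "$f" natd_enable)" && is_yes "$(rc_get "$f" firewall_nat_enable)"; then
        echo "natd_enable and firewall_nat_enable are both YES; use one NAT method"; rc=1
    fi
    if is_yes "$(rc_get "$f" firewall_nat_enable)" && [ -z "$(rc_get "$f" firewall_nat_interface)" ]; then
        echo "firewall_nat_enable=YES but firewall_nat_interface is unset"; rc=1
    fi
    if ! is_yes "$(rc_get "$f" gateway_enable)"; then
        echo "gateway_enable is not YES; the host will not forward VPN client traffic"; rc=1
    fi
    return "$rc"
}
# Constructed samples: the poster's revised rc.conf, then a corrected one.
BAD_RC=$(mktemp); GOOD_RC=$(mktemp)
cat > "$BAD_RC" <<'EOF'
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="xn0"
gateway_enable="YES"
#natd_enable="YES"
EOF
cat > "$GOOD_RC" <<'EOF'
firewall_enable="YES"
firewall_type="open"             # parsed by the default /etc/rc.firewall
firewall_nat_enable="YES"
firewall_nat_interface="xn0"     # external interface
firewall_nat_flags="same_ports"  # ipfw nat counterpart of natd -m (assumption)
gateway_enable="YES"
EOF
for f in "$BAD_RC" "$GOOD_RC"; do
    echo "== $f"; check_rcconf_nat "$f" && echo "no findings"
done
```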