STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)

Fongaboo freebsd at
Mon Aug 28 00:39:38 UTC 2017

On Sun, 27 Aug 2017, Ian Smith wrote:

> I know next to nothing about OpenVPN - though the digitalocean tutorial
> looks pretty thorough on the surface - and absolutely nothing about AWS,
> but do know a bit about ipfw and friends.

Yeah I figured this was more a pure Firewall and routing issue contextual 
to FreeBSD than anything OpenVPN-specific.

> Your changing of the default firewall_script from /etc/rc.firewall to
> "/usr/local/etc/ipfw.rules" suggests that you've been unfortunately
> ill-advised by the still-dreadful IPFW section in the handbook, written
> by someone who uses ipfilter.  Rely on /etc/rc.firewall and ipfw(8) for
> accurate information on using ipfw.

I'm not sure what you mean by "Rely on /etc/rc.firewall and ipfw(8)". Are 
these files in FreeBSD to refer to? Or are you talking about the 
respective handbook entries for these things?

> I note that the digitalocean tute did not make that mistake, though it
> would be more up-to-date to use firewall_nat_enable rather than natd(8),
> however natd works as well as ever, if a bit more slowly (extra process).
> So .. firewall_type="open" is a parameter to whatever firewall_script.
> /etc/rc.firewall uses that to generate an open firewall, i.e. inserting
> 'pass all from any to any', overriding the default 'deny all from any
> to any'.  You didn't show your ipfw.rules, but I doubt it parses 'open'
> as a parameter - so it would not be surprising if you were locked out.

So when I eliminate 'firewall_script="/usr/local/etc/ipfw.rules"' what is 
IPFW using for its rules?

> > gateway_enable="YES"
> > natd_enable="YES"
> > natd_interface="xn0"
> > natd_flags="-dynamic -m"
> >
> > rc.conf (revised for ipfw_nat):
> >
> > #enable firewall
> > firewall_enable="YES"
> > firewall_script="/usr/local/etc/ipfw.rules"
> > firewall_type="open"
> Same problem here.  Comment out that firewall_script line to get the
> default, as shown in /etc/defaults/rc.conf
> > firewall_nat_enable="YES"
> > firewall_nat_interface="xn0"
> >
> > gateway_enable="YES"
> You'll likely need some firewall_nat_flags as well.  See rc.firewall for
> NAT setup (natd or firewall_nat) with 'open' or 'client' rulesets.
> > #natd_enable="YES"
> > #natd_interface="xn0"
> > #natd_flags="-dynamic -m"
> >
> > *xn0 = external interface of the server
> >
> > Neither config allows Internet access.
> Try it with the default firewall_script, for a proper open firewall,
> that you can condition to suit once your VPN stuff is all working.

So in short, you think 'firewall_nat_enable' and a combination of some 
firewall_nat_flags will accomplish the gateway redirection to the WAN? 
Just want to make sure I'm following correctly.

> pf is fine too of course, properly configured, but I hate seeing people
> quit using ipfw because of some truly bad advice from >10 years ago :(
> As for this thread in general, it'd be really nice if people would not
> re-re-quote long messages including tcpdumps to add one-line comments,
> whether top- or bottom-posted - this digest was five times normal size.
> cheers, Ian
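The rc.conf points Ian raises above (firewall_type is only understood by /etc/rc.firewall, natd and firewall_nat are two separate NAT mechanisms, firewall_nat needs an interface and usually flags, and gateway_enable is what turns on forwarding) can be checked mechanically before rebooting into a locked-out box. The script below is an added example and is not part of the thread or of FreeBSD's rc system; it assumes the stock /etc/defaults/rc.conf values (firewall_script defaulting to /etc/rc.firewall, firewall_nat_flags empty) and lints two constructed rc.conf fragments: one that merges both variants posted in the thread with natd still enabled, and one with the firewall_script line dropped as Ian suggests. The empty firewall_nat_flags in the second fragment is deliberate; the thread does not say which flags were needed, so the lint only flags it as informational.

```shell
#!/bin/sh
# Added example: lint the ipfw/NAT-related rc.conf(5) settings discussed in the
# thread. Defaults assumed here follow /etc/defaults/rc.conf
# (firewall_script=/etc/rc.firewall, firewall_nat_flags empty).

# rc_get FILE VAR: print the last uncommented VAR="value" assignment in FILE
# with the surrounding double quotes stripped; prints nothing if VAR is unset.
rc_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                 # skip commented-out lines
        match($0, "^[[:space:]]*" key "=") {
            v = substr($0, RSTART + RLENGTH)
            sub(/[[:space:]]+$/, "", v)
            gsub(/^"|"$/, "", v)
            last = v                              # later assignments win, as in sh
        }
        END { print last }' "$1"
}

# is_yes VALUE: true for YES in any case, the test rc(8) itself applies.
is_yes() {
    case "$1" in [Yy][Ee][Ss]) return 0 ;; *) return 1 ;; esac
}

# lint_rcconf FILE: print WARN/INFO lines for inconsistent firewall settings.
lint_rcconf() {
    f="$1"
    script=$(rc_get "$f" firewall_script)
    [ -n "$script" ] || script=/etc/rc.firewall   # /etc/defaults/rc.conf value
    ftype=$(rc_get "$f" firewall_type)
    fw=$(rc_get "$f" firewall_enable)
    nat=$(rc_get "$f" firewall_nat_enable)
    natif=$(rc_get "$f" firewall_nat_interface)
    natflags=$(rc_get "$f" firewall_nat_flags)
    natd=$(rc_get "$f" natd_enable)
    natdif=$(rc_get "$f" natd_interface)
    gw=$(rc_get "$f" gateway_enable)

    is_yes "$fw" || echo "WARN: firewall_enable is not YES; no firewall script runs at boot"
    if [ "$script" != /etc/rc.firewall ] && [ -n "$ftype" ]; then
        echo "WARN: firewall_type=\"$ftype\" is only interpreted by /etc/rc.firewall; custom firewall_script=$script ignores it"
    fi
    if [ "$script" = /etc/rc.firewall ] && [ -z "$ftype" ]; then
        echo "WARN: firewall_type is unset; rc.firewall adds no pass rules and ipfw stays at its default deny"
    fi
    if is_yes "$natd" && is_yes "$nat"; then
        echo "WARN: both natd_enable and firewall_nat_enable are YES; use one NAT mechanism"
    fi
    if is_yes "$nat" && [ -z "$natif" ]; then
        echo "WARN: firewall_nat_enable=YES but firewall_nat_interface is unset; rc.firewall configures no NAT"
    fi
    if is_yes "$natd" && [ -z "$natdif" ]; then
        echo "WARN: natd_enable=YES but natd_interface is unset; rc.firewall adds no divert rule"
    fi
    if is_yes "$nat" && [ -z "$natflags" ]; then
        echo "INFO: firewall_nat_flags is empty; in-kernel NAT may need options (see ipfw(8) 'nat config')"
    fi
    is_yes "$gw" || echo "WARN: gateway_enable is not YES; net.inet.ip.forwarding stays 0, VPN client traffic is not forwarded"
    return 0
}

# warn_count FILE: number of WARN lines (INFO lines are not counted).
warn_count() {
    lint_rcconf "$1" | awk '/^WARN/ { n++ } END { print n + 0 }'
}

# Constructed sample 1: both rc.conf variants from the thread merged, natd left on.
BEFORE=$(mktemp)
AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
#enable firewall
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="xn0"
gateway_enable="YES"
natd_enable="YES"
natd_interface="xn0"
natd_flags="-dynamic -m"
EOF

# Constructed sample 2: firewall_script line removed (default /etc/rc.firewall),
# natd commented out. firewall_nat_flags intentionally left unset: the thread
# does not state which flags were needed, so only the INFO line should appear.
cat > "$AFTER" <<'EOF'
firewall_enable="YES"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="xn0"
gateway_enable="YES"
#natd_enable="YES"
#natd_interface="xn0"
#natd_flags="-dynamic -m"
EOF

echo "== merged config =="; lint_rcconf "$BEFORE"
echo "== firewall_script line removed =="; lint_rcconf "$AFTER"
```

Run it on a real /etc/rc.conf by calling `lint_rcconf /etc/rc.conf` after sourcing the functions; the parser only handles the simple `var="value"` lines rc.conf normally contains, not shell constructs.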
