STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)

Ian Smith smithi at
Mon Aug 28 06:19:09 UTC 2017

Argh, I take the digest and you didn't cc me on this one, so having to 
insert your message from the web archive and manually quote, this might
get messy .. but the digest won't be here for 6 hours, so I'll try.

 > On Mon Aug 28 00:39:38 UTC 2017 Fongaboo wrote:
 > On Sun, 27 Aug 2017, Ian Smith wrote:
 > > I know next to nothing about OpenVPN - though the digitalocean tutorial
 > > looks pretty thorough on the surface - and absolutely nothing about AWS,
 > > but do know a bit about ipfw and friends.
 > Yeah I figured this was more a pure Firewall and routing issue contextual 
 > to FreeBSD than anything OpenVPN-specific.
 > > Your changing of the default firewall_script from /etc/rc.firewall to
 > > "/usr/local/etc/ipfw.rules" suggests that you've been unfortunately
 > > ill-advised by the still-dreadful IPFW section in the handbook, written
 > > by someone who uses ipfilter.  Rely on /etc/rc.firewall and ipfw(8) for
 > > accurate information on using ipfw.
 > I'm not sure what you mean by 'Rely on /etc/rc.firewall and ipfw(8)'. Are 
 > these files in FreeBSD to refer to? Or are you talking about the 
 > respective handbook entries for these things?

Yes, /etc/rc.firewall is a system supplied file.  ipfw(8) syntax refers 
to the ipfw manual, accessed by 'man ipfw', or more specifically 'man 8 
ipfw' being in section 8 of the manual pages.  You'll see that syntax 
used a lot in *BSD.  ipfw(8) is a very thorough manual, usually kept 
well up to date, unlike the handbook (in this instance).  It's quite 
large, but worth browsing at least once to see what's where with ipfw.

 > > I note that the digitalocean tute did not make that mistake, though it
 > > would be more up-to-date to use firewall_nat_enable rather than natd(8),
 > > however natd works as well as ever, if a bit more slowly (extra process)
 > >
 > > So .. firewall_type="open" is a parameter to whatever firewall_script.
 > > /etc/rc.firewall uses that to generate an open firewall, i.e. inserting
 > > 'pass all from any to any', overriding the default 'deny all from any
 > > to any'.  You didn't show your ipfw.rules, but I doubt it parses 'open'
 > > as a parameter - so it would not be surprising if you were locked out.
 > So when I eliminate 'firewall_script="/usr/local/etc/ipfw.rules"' what 
 > is IPFW using for its rules?

As mentioned below, refer to /etc/defaults/rc.conf.  You should at least 
read its first section which explains that these settings apply unless 
overridden by entries in /etc/rc.conf (or /etc/rc.conf.local).  In this 
case 'grep firewall /etc/defaults/rc.conf' shows all of the default ipfw 
settings, including:
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall

So overriding that as you did, your ipfw.rules script was invoked 
instead, whatever you'd put in there.  If one of those from the handbook 
page, almost certainly containing errors or at least very poor practice, 
which I won't go into further (yet again :)

 > > > rc.conf (revised for ipfw_nat):
 > > >
 > > > #enable firewall
 > > > firewall_enable="YES"
 > > > firewall_script="/usr/local/etc/ipfw.rules"
 > > > firewall_type="open"
 > >
 > > Same problem here.  Comment out that firewall_script line to get the
 > > default, as shown in /etc/defaults/rc.conf

Sorry, that was a bit terse - but all you needed to do to get an open 
firewall that also performed NAT, with either natd(8) or firewall_nat.

 > > > firewall_nat_enable="YES"
 > > > firewall_nat_interface="xn0"
 > > >
 > > > gateway_enable="YES"
 > >
 > > You'll likely need some firewall_nat_flags as well.  See rc.firewall for
 > > NAT setup (natd or firewall_nat) with 'open' or 'client' rulesets.

For natd(8) you had: natd_flags="-dynamic -m".  The equivalent of those 
for firewall_nat_flags is shown in the ipfw(8) section "NETWORK ADDRESS 
TRANSLATION (NAT)" as "reset same_ports".  Or you could just use natd.

 > > Try it with the default firewall_script, for a proper open firewall,
 > > that you can condition to suit once your VPN stuff is all working.
 > So in short, you think 'firewall_nat_enable' and a combination of some 
 > firewall_nat_flags will accomplish the gateway redirection to the WAN? 
 > Just want to make sure I'm following correctly.

It should do, though I'm not familiar with the AWS setup you're using re 
inside and outside interfaces, whether bridging as well, etc.  I think 
Richard (Ultima) has and can provide much more useful advice about that.

My only other advice, from seeing your whole rc.conf, is perhaps don't 
enable so many servers (web, mail etc) until you have networking going.

 > > pf is fine too of course, properly configured, but I hate seeing people
 > > quit using ipfw because of some truly bad advice from >10 years ago :(

As you've seen, pf setup can have some tricky aspects too ..

cheers, Ian
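An added example (not part of this thread) that checks a constructed rc.conf fragment for the problem Ian describes: a custom firewall_script overriding the /etc/defaults/rc.conf default means firewall_type="open" is never interpreted, and it maps the natd_flags from the thread to the equivalent ipfw nat options. The fragment, the helper names and the flag mapping beyond "-dynamic -m" are assumptions.

```shell
#!/bin/sh
# Constructed rc.conf fragment mirroring the poster's revised settings (assumed).
RC_SAMPLE='firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="xn0"
gateway_enable="YES"'

# rc_get VAR TEXT: value of the last uncommented VAR="..." assignment in TEXT;
# an unset firewall_script falls back to the /etc/defaults/rc.conf default.
rc_get() {
    v=$(printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" | tail -n 1)
    [ -z "$v" ] && [ "$1" = "firewall_script" ] && v="/etc/rc.firewall"
    printf '%s' "$v"
}

# check_firewall_script TEXT: returns 1 when firewall_type is set but the
# effective firewall_script is not /etc/rc.firewall, the only script that
# understands "open" (or any other firewall_type).
check_firewall_script() {
    script=$(rc_get firewall_script "$1")
    type=$(rc_get firewall_type "$1")
    if [ "$script" != "/etc/rc.firewall" ] && [ -n "$type" ]; then
        echo "WARN: firewall_type=\"$type\" is ignored by $script; use /etc/rc.firewall"
        return 1
    fi
    echo "ok: $script applies firewall_type=\"${type:-UNKNOWN}\""
}

# natd_to_ipfw_nat FLAGS: translate natd(8) flags to ipfw(8) nat options as
# named in the reply: -dynamic -> reset, -m/-same_ports -> same_ports.
natd_to_ipfw_nat() {
    out=""
    for f in $1; do
        case "$f" in
            -dynamic)       out="$out reset" ;;
            -m|-same_ports) out="$out same_ports" ;;
            *)              out="$out UNKNOWN($f)" ;;
        esac
    done
    printf '%s' "${out# }"
}

check_firewall_script "$RC_SAMPLE" || true
echo "firewall_nat_flags=\"$(natd_to_ipfw_nat '-dynamic -m')\""
```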

More information about the freebsd-questions mailing list