freebsd-pf Digest, Vol 689, Issue 3
Morgan Wesström
freebsd-database at pp.dyndns.biz
Sun Nov 10 14:47:05 UTC 2019
> Yes. I know it's lazy, but I left the local subnet as the route default of
> 192.168.1.0/24. All of my local hosts are on that subnet.
>
> I'm PARTIALLY in agreement here. The OpenVPN clients are being assigned
> 10.8.0.x addresses. Somehow, those addresses need to be translated into the
> OpenVPN server's address to provide their access to the internet.
> Here is my OpenVPN config:
>
Your OpenVPN config has a few lines I'd like to address. Unless you're
absolutely sure you know what you're doing and have a reason to use them,
I'd suggest you remove the following three lines:
topology subnet
push "route 192.168.1.0 255.255.255.0"
route 10.8.0.0 255.255.255.0
The next thing you need to check is that you have enabled routing in
FreeBSD so it will forward packets between your LAN subnet
192.168.1.0/24 and the OpenVPN subnet 10.8.0.0/24. (You do not need NAT
here although I suppose it would be theoretically possible. The thought
has never occurred to me to be honest. I would not recommend it though.)
/etc/rc.conf
gateway_enable="YES"
Either restart FreeBSD after this or type "service routing start".
One additional thing. If you by any chance want to communicate with any
of the other machines on your LAN from the VPN clients (not just
Internet access), you need to add a static route for 10.8.0.0/24
pointing to 192.168.1.200 IN YOUR NETGEAR ROUTER or they won't know
where to send their replies. Preferably you'd add such a route to each
of your LAN machines but it's not strictly necessary since they will
send any 10.8.0.0/24 packets to your router, which will then route them
back properly to your FreeBSD machine. This shouldn't be needed for the
basic OpenVPN communication though, since as far as your router is
concerned, this only involves pushing UDP packets to 192.168.1.200 and
it already knows how to reach that IP.
Your setup differs from mine so I may have forgotten something here but
start with these changes and we'll see what happens.
/Morgan
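Added example (not part of Morgan's post or the OpenVPN project): a small routing-table simulator that traces a packet through the topology described above, so the two points in the reply can be checked concretely: a LAN host's reply to a VPN client only comes back if the Netgear router has the static route for 10.8.0.0/24 via 192.168.1.200, and the FreeBSD box only carries transit traffic when gateway_enable is on. The router address 192.168.1.1, LAN host 192.168.1.50, tun address 10.8.0.1 and VPN client 10.8.0.6 are assumed for illustration; only 192.168.1.200 comes from the thread.

```python
import ipaddress
LAN = ipaddress.ip_network("192.168.1.0/24")
VPN = ipaddress.ip_network("10.8.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

def lookup(table, dst):
    """Longest-prefix match: next hop, None if directly attached, 'unreachable' if no route."""
    matches = [(p, nh) for p, nh in table if dst in p]
    if not matches:
        return "unreachable"
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def build_nodes(router_static_route: bool, gateway_enable: bool) -> dict:
    """Thread topology with assumed addresses (router .1, LAN host .50, tun 10.8.0.1,
    client 10.8.0.6). 'forwards' on the FreeBSD box models gateway_enable="YES"."""
    router_table = [(LAN, None), (ANY, "internet")]
    if router_static_route:
        router_table.append((VPN, "192.168.1.200"))  # the static route Morgan recommends
    return {
        "lanhost": {"addrs": {"192.168.1.50"}, "forwards": False,
                    "table": [(LAN, None), (ANY, "192.168.1.1")]},
        "netgear": {"addrs": {"192.168.1.1"}, "forwards": True, "table": router_table},
        "freebsd": {"addrs": {"192.168.1.200", "10.8.0.1"}, "forwards": gateway_enable,
                    "table": [(LAN, None), (VPN, None), (ANY, "192.168.1.1")]},
        "vpnclient": {"addrs": {"10.8.0.6"}, "forwards": False,
                      "table": [(VPN, None), (ANY, "10.8.0.1")]},
    }

def trace(nodes, src, dst, max_hops=6):
    """Hops from node `src` to `dst`; last item is the delivering node, 'internet', or 'dropped:...'."""
    dst_ip = ipaddress.ip_address(dst)
    path, node = [src], src
    for _ in range(max_hops):
        if dst in nodes[node]["addrs"]:
            return path                      # delivered locally
        if node != src and not nodes[node]["forwards"]:
            return path + ["dropped:forwarding disabled"]
        nh = lookup(nodes[node]["table"], dst_ip)
        if nh in ("internet", "unreachable"):
            return path + [nh]
        target = dst if nh is None else nh   # direct delivery or via gateway
        node = next((n for n, v in nodes.items() if target in v["addrs"]), None)
        if node is None:
            return path + ["dropped:no host " + target]
        path.append(node)
    return path + ["dropped:ttl exceeded"]

if __name__ == "__main__":          # a LAN host replying to a VPN client
    for static_route, fwd in [(False, True), (True, True), (True, False)]:
        print(static_route, fwd, trace(build_nodes(static_route, fwd), "lanhost", "10.8.0.6"))
```

Without the router's static route the reply to 10.8.0.6 follows the Netgear's default route and leaves for the Internet, even though the client's own packets reached the LAN host fine.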