OpenVPN with NAT

freebsd at fongaboo.com
Sun Feb 22 18:31:52 UTC 2015


I have a FreeBSD 10 box set up with OpenVPN. I've gotten it working, 
terminating at the server, with both a FreeBSD and a Windows client.

Now I am trying to route Internet traffic through the VPN and out the 
server's gateway. From what I have read, it involves:

1) Configuring the FreeBSD server to be a gateway router:

 	gateway_enable="YES" (in /etc/rc.conf)

2) Enabling gateway redirection in OpenVPN on the server:

 	push "redirect-gateway def1 bypass-dhcp" (in /usr/local/etc/openvpn/openvpn.conf)

3) NAT'ing the OpenVPN clients to the WAN interface of the server:

 	From what I've read, this can be done three ways:

 	A) Using IPFW and NATD

 	B) Using IPFW and kernel-based NAT

 	C) Using NAT functions in PF


At the moment, I don't really want to go for option C, although I am open to it 
in the long run. But switching to PF would require getting myself, and 
others working on this box, up to speed on PF... and recreating all my 
existing IPFW rules in PF.

I've tried Option B, by entering IPFW rules such as:

 	ipfw nat 1 config if em0
 	ipfw add nat 1 all from 10.8.0.0/24 to any out via bge0
 	ipfw add nat 1 all from any to any in via bge0

And I've tried Option A by enabling NATD as described below in a post from 
last month. Unlike that poster, I want ALL my clients to route out through 
the VPN gateway. So I tried the 'unrefined' line as it is displayed below.

In all cases, the OpenVPN client does take over the gateway, but traffic 
goes nowhere. Nothing seems to make it out the external interface and 
back. NAT seems not to be succeeding no matter what I do. Any advice? TIA


On Mon, 26 Jan 2015, Polytropon wrote:

> On Mon, 26 Jan 2015 16:45:16 +0100, Luciano Mannucci wrote:
>> I have a freebsd machine (FreeBSD troika 10.1-RELEASE FreeBSD 10.1-RELEASE #0
>> r274401) with openvpn that works like a charm :-)...
>> I wish to nat one and only one of my openvpn clients, possibly for a
>> single destination. What's the better way to avoid disturbing the rest
>> of the operations?
>> Any clues?
>> Is IPFW my friend?
>
> Yes, that should work. In /etc/rc.conf, set
>
> 	natd_enable="YES"
> 	natd_interface="xl0"
>
> where "xl0" is the "outer" interface.
>
> In your custom /etc/ipfw.conf, add the rule
>
> 	add divert natd ip from any to any via xl0
>
> and refine the "from any to any" part to reflect the
> IP addresses (and maybe specific ports) for the connection
> you want to translate, so the rule will only allow for
> that _one_ destination you want to enable.
>
>
> -- 
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...
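Option B from the post written out as a consistent rule set, as an added example that is not the poster's or Polytropon's own configuration. It assumes em0 is the WAN interface, 10.8.0.0/24 is the OpenVPN subnet, gateway_enable="YES" is already set, and ipfw's default net.inet.ip.fw.one_pass=1; the check function catches the one thing the post's own rules get wrong, namely the nat instance being configured on em0 while the rules match packets via bge0.

```shell
#!/bin/sh
# Added example (not from the post): IPFW kernel NAT for OpenVPN clients.
# Assumed values: WAN interface em0, OpenVPN subnet 10.8.0.0/24, the default
# net.inet.ip.fw.one_pass=1, and gateway_enable="YES" already in /etc/rc.conf.
WAN_IF="${WAN_IF:-em0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
NAT_ID="${NAT_ID:-1}"

# Emit a rule set suitable for "ipfw -q <file>". The nat instance and both
# nat rules must name the SAME outer interface; the post's rules name em0 in
# the config line and bge0 in the rules, which is not a working pair.
ipfw_nat_rules() {
    wan=$1; net=$2; id=$3
    cat <<EOF
nat $id config if $wan same_ports
add 1000 nat $id ip from $net to any out via $wan
add 1010 nat $id ip from any to any in via $wan
EOF
}
# Only traffic from the VPN subnet is translated outbound, so the box does not
# become a NAT for anything else. The existing rule set must still allow the
# forwarded client traffic arriving on the tun interface; nat alone permits nothing.

# Return 0 when every nat rule's "via" interface matches the interface the
# nat instance was configured with, 1 otherwise.
check_nat_consistency() {
    rules=$1
    cfg_if=$(printf '%s\n' "$rules" | awk '$1=="nat" && $3=="config" && $4=="if" { print $5; exit }')
    [ -n "$cfg_if" ] || return 1
    printf '%s\n' "$rules" | awk -v cfg="$cfg_if" '
        $1=="add" && ($2=="nat" || $3=="nat") {
            for (i = 4; i <= NF; i++) if ($i == "via" && $(i+1) != cfg) bad = 1
        }
        END { if (bad) exit 1; exit 0 }'
}

# Apply as root only after the check passes:
#   rules=$(ipfw_nat_rules "$WAN_IF" "$VPN_NET" "$NAT_ID")
#   check_nat_consistency "$rules" && printf '%s\n' "$rules" > /etc/ipfw.vpn.rules \
#       && ipfw -q /etc/ipfw.vpn.rules
```

To see whether translation is actually happening, confirm `sysctl net.inet.ip.forwarding` reports 1, inspect the instance with `ipfw nat 1 show config`, and watch `tcpdump -ni em0` while a client sends traffic to check that translated packets leave and replies come back.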

