OpenVPN with NAT
freebsd at fongaboo.com
Sun Feb 22 18:31:52 UTC 2015
I have a FreeBSD 10 box that I have set up with OpenVPN. I've gotten it working,
terminating at the server, with both a FreeBSD and a Windows client.
Now I am trying to route Internet traffic through the VPN and out the
server's gateway. From what I have read, it involves:
1) Configuring the FreeBSD server to be a gateway router:
gateway_enable="YES" (in /etc/rc.conf)
2) Enabling gateway redirection in OpenVPN on the server:
push "redirect-gateway def1 bypass-dhcp" (in /usr/local/etc/openvpn/openvpn.conf)
3) NAT'ing the OpenVPN clients to the WAN interface of the server:
From what I've read, this can be done three ways:
A) Using IPFW and NATD
B) Using IPFW and kernel-based NAT
C) Using NAT functions in PF
At the moment, I don't really want to go for option C, although I'm open to it
in the long run. But switching to PF would require getting myself, and
others working on this box, up to speed on PF... and recreating all my
existing IPFW rules in PF.
I've tried Option B, by entering IPFW rules such as:
ipfw nat 1 config if em0
ipfw add nat 1 all from 10.8.0.0/24 to any out via bge0
ipfw add nat 1 all from any to any in via bge0
And I've tried Option A by enabling NATD as described below in a post from
last month. Unlike that poster, I want ALL my clients to route out through
the VPN gateway. So I tried the 'unrefined' line as it is displayed below.
In all cases, the OpenVPN client does take over the gateway, but traffic
goes nowhere. Nothing seems to make it out the external interface and
back. NAT seems not to be succeeding no matter what I do. Any advice? TIA
On Mon, 26 Jan 2015, Polytropon wrote:
> On Mon, 26 Jan 2015 16:45:16 +0100, Luciano Mannucci wrote:
>> I have a freebsd machine (FreeBSD troika 10.1-RELEASE FreeBSD 10.1-RELEASE #0
>> r274401) with openvpn that works like a charm :-)...
>> I wish to nat one and only one of my openvpn clients, possibly for a
>> single destination. What's the better way to avoid disturbing the rest
>> of the operations?
>> Any clues?
>> Is IPFW my friend?
>
> Yes, that should work. In /etc/rc.conf, set
>
> natd_enable="YES"
> natd_interface="xl0"
>
> where "xl0" is the "outer" interface.
>
> In your custom /etc/ipfw.conf, add the rule
>
> add divert natd ip from any to any via xl0
>
> and refine the "from any to any" part to reflect the
> IP addresses (and maybe specific ports) for the connection
> you want to translate, so the rule will only allow for
> that _one_ destination you want to enable.
>
>
> --
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...
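As an added example, not code from anyone in this thread: a small POSIX sh/awk check for one thing that silently breaks Option B. The instance set up with "nat N config if X" and the packet rules "nat N ... via Y" must name the same WAN interface, and the rules quoted in the post name em0 in the config line but bge0 in the packet rules. The two rule sets below are constructed copies; the script only parses text and never calls ipfw.

```shell
#!/bin/sh
# Added example, not the poster's code: sanity-check an IPFW kernel-NAT ruleset
# for the OpenVPN gateway setup discussed above. "nat N config if X" and the
# packet rules "nat N ... via Y" must name the same WAN interface; the rules
# quoted in the post use em0 in one place and bge0 in the others.
# Accepts rc-script form ("add nat 1 ...") or "ipfw list" form ("00100 nat 1 ...").

# Constructed copy of the poster's rules (interface mismatch) ...
OP_RULES='nat 1 config if em0
add nat 1 all from 10.8.0.0/24 to any out via bge0
add nat 1 all from any to any in via bge0'

# ... and the same rules with every reference pointing at the WAN NIC.
FIXED_RULES='nat 1 config if bge0
add nat 1 all from 10.8.0.0/24 to any out via bge0
add nat 1 all from any to any in via bge0'

# nat_config_if RULES N: print the interface bound by "nat N config if ...".
nat_config_if() {
    printf '%s\n' "$1" | awk -v n="$2" '
        { for (i = 1; i < NF; i++)
            if ($i == "nat" && $(i+1) == n && $(i+2) == "config")
                for (j = i + 3; j < NF; j++)
                    if ($j == "if") { print $(j+1); exit } }'
}

# nat_rule_ifs RULES N: print each interface a "nat N" packet rule matches on
# (via/xmit/recv), deduplicated, one per line.
nat_rule_ifs() {
    printf '%s\n' "$1" | awk -v n="$2" '
        { for (i = 1; i < NF; i++)
            if ($i == "nat" && $(i+1) == n && $(i+2) != "config")
                for (j = i + 2; j < NF; j++)
                    if ($j == "via" || $j == "xmit" || $j == "recv") print $(j+1) }' | sort -u
}

# check_nat_ifs RULES N: 0 if consistent, 1 on mismatch, 2 if no config line.
check_nat_ifs() {
    cfg=$(nat_config_if "$1" "$2")
    [ -n "$cfg" ] || { echo "nat $2: no 'config if' line found"; return 2; }
    rc=0
    for ifc in $(nat_rule_ifs "$1" "$2"); do
        [ "$ifc" = "$cfg" ] || { echo "nat $2: bound to $cfg but a rule matches via $ifc"; rc=1; }
    done
    return $rc
}

check_nat_ifs "$OP_RULES" 1 || echo "poster's rules: mismatch"
check_nat_ifs "$FIXED_RULES" 1 && echo "corrected rules: consistent"
```

Feed it the output of "ipfw list" from the box to check the live ruleset; step 1 of the post (gateway_enable="YES") still has to be verified separately with "sysctl net.inet.ip.forwarding".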