[CDBUG-talk] OpenVPN with NAT (fwd)

freebsd at fongaboo.com freebsd at fongaboo.com
Mon Feb 23 16:24:18 EST 2015


Any of my Upstate peeps have any advice for me? Trying to run OpenVPN 
server on my colo, and route clients to the Internet through it. Can't get 
it to NAT the VPN clients to the server's WAN interface (with NATD/IPFW at 
least).

TIA



---------- Forwarded message ----------
Date: Sun, 22 Feb 2015 13:30:17 -0500 (EST)
From: freebsd at fongaboo.com
To: freebsd-questions at freebsd.org
Subject: OpenVPN with NAT


Have a FreeBSD 10 box I have set up with OpenVPN. I've gotten it working, 
terminating at the server, with both a FreeBSD and a Windows client.

Now I am trying to route Internet traffic through the VPN and out the server's 
gateway. From what I have read, it involves:

1) Configuring the FreeBSD server to be a gateway router:

 	gateway_enable="YES" (in /etc/rc.conf)

2) Enabling gateway redirection in OpenVPN on the server:

 	push "redirect-gateway def1 bypass-dhcp" (in /usr/local/etc/openvpn/openvpn.conf)

3) NAT'ing the OpenVPN clients to the WAN interface of the server:

 	From what I've read, this can be done three ways:

 	A) Using IPFW and NATD

 	B) Using IPFW and kernel-based NAT

 	C) Using NAT functions in PF


At the moment, I don't really want to go for option C, although open to it in 
the long-run. But switching to PF would require getting myself, and others 
working on this box, up to speed on PF... and recreating all my existing IPFW 
rules in PF.

I've tried Option B, by entering IPFW rules such as:

 	ipfw nat 1 config if em0
 	ipfw add nat 1 all from 10.8.0.0/24 to any out via bge0
 	ipfw add nat 1 all from any to any in via bge0

And I've tried Option A by enabling NATD as described below in a post from last 
month. Unlike that poster, I want ALL my clients to route out through the VPN 
gateway. So I tried the 'unrefined' line as it is displayed below.

In all cases, the OpenVPN client does take over the gateway, but traffic goes 
nowhere. Nothing seems to make it out the external interface and back. NAT 
seems not to be succeeding no matter what I do. Any advice? TIA


On Mon, 26 Jan 2015, Polytropon wrote:

> On Mon, 26 Jan 2015 16:45:16 +0100, Luciano Mannucci wrote:
>> I have a freebsd machine (FreeBSD troika 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401)
>> with openvpn that works like a charm :-)...
>> I wish to nat one and only one of my openvpn clients, possibly for a
>> single destination. What's the better way to avoid disturbing the rest
>> of the operations?
>> Any clues?
>> Is IPFW my friend?
> 
> Yes, that should work. In /etc/rc.conf, set
>
> 	natd_enable="YES"
> 	natd_interface="xl0"
> 
> where "xl0" is the "outer" interface.
> 
> In your custom /etc/ipfw.conf, add the rule
>
> 	add divert natd ip from any to any via xl0
> 
> and refine the "from any to any" part to reflect the
> IP addresses (and maybe specific ports) for the connection
> you want to translate, so the rule will only allow for
> that _one_ destination you want to enable.
> 
> 
> -- 
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
> 
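An added example, not code from the thread or from FreeBSD itself: a small /bin/sh helper that generates the IPFW kernel-NAT rules from option B above with the WAN interface named exactly once, so the NAT instance ("config if") and the two translation rules ("via") cannot end up referring to different interfaces, plus a check that IP forwarding (what gateway_enable="YES" turns on) is actually in effect. The interface em0, the subnet 10.8.0.0/24 and the rule numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate a FreeBSD IPFW kernel-NAT
# rule set for an OpenVPN server. The WAN interface and VPN subnet are
# stated once and reused in every rule. Values below are placeholders.

# Validate the pieces that, if mistyped, make NAT silently fail.
valid_ifname() {
    # BSD interface names: letters followed by a unit number, e.g. em0, bge1
    printf '%s' "$1" | grep -Eq '^[a-z]+[0-9]+$'
}
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# Emit the rules. Every reference to the WAN interface comes from one
# variable, so "nat config if" and the "via" matches always agree.
gen_ipfw_nat_rules() {
    wan_if="$1"; vpn_net="$2"; nat_id="${3:-1}"
    valid_ifname "$wan_if" || { echo "bad interface: $wan_if" >&2; return 1; }
    valid_cidr "$vpn_net"  || { echo "bad subnet: $vpn_net" >&2; return 1; }
    cat <<EOF
# Kernel NAT instance bound to the WAN interface; same_ports keeps source ports
ipfw -q nat $nat_id config if $wan_if same_ports
# Translate VPN client traffic as it leaves the WAN interface ...
ipfw -q add 100 nat $nat_id ip from $vpn_net to any out via $wan_if
# ... and un-translate replies arriving on it. Both rules must come before
# any rule that allows or denies $wan_if traffic outright.
ipfw -q add 101 nat $nat_id ip from any to any in via $wan_if
EOF
}

# Runtime sanity check, meaningful only on the FreeBSD box itself:
# gateway_enable="YES" in /etc/rc.conf sets this sysctl to 1 at boot.
check_forwarding() {
    [ "$(sysctl -n net.inet.ip.forwarding 2>/dev/null)" = "1" ]
}

if [ "${1:-}" = "--apply" ]; then
    # Placeholder values: replace with your WAN interface and OpenVPN subnet.
    check_forwarding || echo "warning: net.inet.ip.forwarding is not 1" >&2
    gen_ipfw_nat_rules em0 10.8.0.0/24 | sh
fi
```

Run it without arguments to review the generated rules; `--apply` feeds them to ipfw on the server.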

