[CDBUG-talk] OpenVPN with NAT (fwd)

Decker, Ryan C. rdecker at siena.edu
Tue Feb 24 09:32:35 EST 2015

So you are running OpenVPN in the colo and trying to get to the internet
while connected to it? If so, I would run tcpdump with -n on the WAN
interface of the server and see if you still see the tunnel IP addresses
( If you still see the IP address then the NAT isn't
working. The line from tcpdump that you posted is fine and that is what I
would have expected to see on the tun interface of the server, but that is
only half of the battle. I have not done this with natd and ipfw, but I can
send you pf configurations if you just want it to work.

Ryan Decker
Siena College ITS
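The WAN-side tcpdump check described above, turned into an added example that is not from the list thread: it parses `tcpdump -n` lines captured on the server's WAN interface and reports any source addresses that still belong to the tunnel subnet, which is the sign that natd/ipfw (or pf) is not rewriting them. The tunnel subnet 10.8.0.0/24, the WAN address 198.51.100.7 and the capture lines are all constructed assumptions.

```shell
#!/bin/sh
# Added example: classify a `tcpdump -n -i <wan-if>` capture taken on the
# OpenVPN server's WAN interface. Packets leaving the WAN side should carry
# the server's public address as source; if tunnel addresses still appear,
# NAT (natd/ipfw or pf) is not rewriting them. Tunnel prefix is an assumption.
TUNNEL_PREFIX="10.8.0."   # assumed OpenVPN tunnel subnet 10.8.0.0/24

# Print each distinct source address inside the tunnel prefix, in first-seen
# order. Input: the capture text as $1. Handles "a.b.c.d.port" (TCP/UDP) and
# bare "a.b.c.d" (ICMP) source fields; IPv6 ("IP6") lines are ignored.
leaked_tunnel_sources() {
    printf '%s\n' "$1" | awk -v pfx="$TUNNEL_PREFIX" '
        $2 == "IP" && $4 == ">" {
            n = split($3, p, "[.]")
            src = (n == 5) ? p[1] "." p[2] "." p[3] "." p[4] : $3
            if (index(src, pfx) == 1 && !(src in seen)) {
                seen[src] = 1
                order[++count] = src
            }
        }
        END { for (i = 1; i <= count; i++) print order[i] }'
}

# Exit status 0 when the capture shows no tunnel source addresses on the WAN
# interface (NAT is rewriting), 1 when it does (NAT is not working).
nat_working() {
    [ -z "$(leaked_tunnel_sources "$1")" ]
}

# Constructed sample capture (not from the thread): one TCP SYN and one ICMP
# echo leaking the tunnel address 10.8.0.6, plus one correctly NATed packet
# sourced from the assumed WAN address 198.51.100.7.
LEAKY_CAPTURE='18:22:41.956903 IP 10.8.0.6.54321 > 203.0.113.10.80: Flags [S], seq 103149988, win 65535, length 0
18:22:42.001122 IP 198.51.100.7.54322 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
18:22:42.100000 IP 10.8.0.6 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64'

# Same traffic after NAT is fixed: every source is the WAN address.
CLEAN_CAPTURE='18:30:01.000000 IP 198.51.100.7.54321 > 203.0.113.10.80: Flags [S], seq 2, win 65535, length 0
18:30:01.100000 IP 198.51.100.7 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64'

# Usage on the real box (em0 is a placeholder for the WAN interface):
#   nat_working "$(tcpdump -n -i em0 -c 50 2>/dev/null)" && echo "NAT ok"
```

Run it while a VPN client generates traffic; any address printed by `leaked_tunnel_sources` is a tunnel address that reached the WAN interface un-NATed.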

On Mon, Feb 23, 2015 at 6:27 PM, <freebsd at fongaboo.com> wrote:

> OK I think I discovered one rookie move... While I enabled the gateway
> interface in /etc/rc.conf, this whole time when I was initiating natd, I
> was forgetting -n, so I wasn't actually specifying a WAN interface during
> all these tests.
> I've corrected that, but still no cigar. I connected my client machine and
> gateway redirection is activated. I ran tcpdump on tun0 on the server. Then
> on the client I try to browse to my colo's IP address with lynx and this
> is what I get:
> 18:22:41.956903 IP > helix.wtfayla.net.http: Flags [S],
> seq 103149988, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val
> 237585708 ecr 0], length 0
> Lynx ultimately fails. Not sure what to get out of that tcpdump output.
> And is it only half the picture? Do I have to dump/grep the WAN interface
> somehow too?
> Danke!
> On Mon, 23 Feb 2015, Patrick Muldoon wrote:
>> On Feb 23, 2015, at 4:24 PM, freebsd at fongaboo.com wrote:
>>> Any of my Upstate peeps have any advice for me? Trying to run OpenVPN
>>> server on my colo, and route clients to the Internet through it. Can't get
>>> it to NAT the VPN clients to the server's WAN interface (with NATD/IPFW at
>>> least).
>> Have you found where it is failing? For example, if you sniff, can you
>> see all your packets making it to the box, and then just failing nat?? or
>> do they not even get redirected there?
>> --
>> Patrick Muldoon
>> Network/Software Engineer
>> INOC (http://www.inoc.net)
>> If at first you don't succeed, call it version 1.0