[CDBUG-talk] OpenVPN with NAT (fwd)

Decker, Ryan C. rdecker at siena.edu
Tue Feb 24 09:32:35 EST 2015


So you are running openvpn in the colo and trying to get to the internet
while connected to it? if so i would run tcpdump with -n on the WAN
interface of the server and see if you still see the tunnel ip addresses
(10.8.0.10). If you still see the 10.8.0.10 ip address then the NAT isn't
working. The line from tcpdump that you posted is fine and that is what i
would have expected to see on the tun interface of the server but that is
only half of the battle. I have not done this with natd and ipfw but i can
send you pf configurations if you just want it to work.





-------------------
Ryan Decker
Siena College ITS

On Mon, Feb 23, 2015 at 6:27 PM, <freebsd at fongaboo.com> wrote:

>
> OK I think I discovered one rookie move... While I enabled the gateway
> interface in /etc/rc.conf, this whole time when I was initiating natd, I
> was forgetting -n, so I wasn't actually specifying a WAN interface during
> all these tests.
>
> I've corrected that, but still no cigar. I connected my client machine and
> gateway redirection is activated. I ran tcpdump on tun0 on the server. Then
> on the client I try to browse to my colo's IP address with lynx  and this
> is what I get:
>
> 18:22:41.956903 IP 10.8.0.10.61548 > helix.wtfayla.net.http: Flags [S],
> seq 103149988, win 65535, options [mss 1368,nop,wscale 6,sackOK,TS val
> 237585708 ecr 0], length 0
>
>
> Lynx ultimately fails. Not sure what to get out of that tcpdump output.
> And is it only half the picture? Do I have to dump/grep the WAN interface
> somehow too?
>
>
> Danke!
>
>
>
> On Mon, 23 Feb 2015, Patrick Muldoon wrote:
>
>  On Feb 23, 2015, at 4:24 PM, freebsd at fongaboo.com wrote:
>>>
>>>
>>> Any of my Upstate peeps have any advice for me? Trying to run OpenVPN
>>> server on my colo, and route clients to the Internet through it. Can't get
>>> it to NAT the VPN clients to the server's WAN interface (with NATD/IPFW at
>>> least).
>>>
>>
>> Have you found where it is failing?     for example if you sniff can you
>> see all your packets making it to the box, and then just failing nat?? or
>> do they not even get redirected there?
>>
>>
>> --
>> Patrick Muldoon
>> Network/Software Engineer
>> INOC (http://www.inoc.net)
>>
>> If at first you don't succeed, call it version 1.0
>>
>>
>>  _______________________________________________
> CDBUG-talk mailing list
> CDBUG-talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/cdbug-talk
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nycbug.org/pipermail/cdbug-talk/attachments/20150224/3581dd1d/attachment-0001.html>


More information about the CDBUG-talk mailing list