On Sun, Nov 10, 2019 at 5:27 PM Morgan Wesström <freebsd-datab...@pp.dyndns.biz> wrote:
> > Do packets with 10.8.0.x addresses ever actually make it on the wire
> > between the router and the OpenVPN server? I was under the impression that
> > the encrypted packets created a tunnel at which the IP address is only
> > known at the endpoints, which means the OpenVPN client and server
> > processes, and nothing in between has any access to anything that is going
> > on within the tunnel. If this is the case, I wouldn't think the router
> > needs to know how to deal with 10.8.0.x packets.
> >
> > Furthermore, this pretty much HAS to be the case. The 10.8.0.x addresses
> > can't be routed across the internet, so the only way they could exist on my
> > private network would be as a result of NATing on the part of the router,
> > and I'm pretty sure this isn't happening.
> >
> > But then this re-opens the question of how the connection happens between
> > the server end of the tunnel (10.8.0.1) and the public interface at
> > 192.168.1.200. It would seem that there needs to be some routing
> > information within OpenVPN that makes that connection.
> >
> > Am I way off here?
> >
> > Phil
>
> Look at it this way. The VPN software has the same effect as if the
> client was located in your house and directly connected with a cable to
> your 10.8.0.0/24 subnet. Any configuration to support this must be done
> on the FreeBSD machine as well as your router. The router will
> definitely see the 10.8.0.0/24 addresses on its LAN interface but as you
> note, these addresses will never show up on the external interface. Your
> NAT will exchange these addresses on the fly and any traffic between the
> OpenVPN endpoints will be encrypted and encapsulated in another IP
> packet where only the external public IP addresses are shown.
>
> At this point I started to write a detailed description of how a packet
> is transferred from your client over the VPN tunnel and then onto the
> Internet and to its destination but it got overly complicated and
> probably won't help you at this point. :) Let's instead start to get
> some more info from your network. When your client is connected, can you
> please provide the output of the following commands on both the client
> and the FreeBSD machine?
>
> # ifconfig -a
>
> # netstat -rn
>
> I need to see how the IP stack is configured on each machine and how the
> routing tables look.

OK. Here it comes:

root@threepio:/usr/local/etc/openvpn # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         em0
10.8.0.0/24        10.8.0.2           UGS        tun0
10.8.0.1           link#4             UHS         lo0
10.8.0.2           link#4             UH         tun0
127.0.0.1          lo0                UHS         lo0
192.168.1.0/24     link#1             U           em0
192.168.1.200      link#1             UHS         lo0
192.168.1.201      link#1             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               lo0                           UHS         lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#2                        U           lo0
fe80::1%lo0                       link#2                        UHS         lo0
fe80::%tun0/64                    link#4                        U          tun0
fe80::6a05:caff:fe3b:a7c7%tun0    link#4                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0

root@threepio:/usr/local/etc/openvpn # ifconfig -a
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=81249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER>
        ether 68:05:ca:3b:a7:c7
        inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.201 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::6a05:caff:fe3b:a7c7%tun0 prefixlen 64 scopeid 0x4
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
        groups: tun
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 15992

> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"

--
Phil Staub
p...@staub.us
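The question the thread keeps circling is which route the FreeBSD server actually picks for a given destination: the tunnel peer, the LAN, or the default gateway. The following is an added worked example, not code from the thread or from OpenVPN; it parses the IPv4 section of the `netstat -rn` output posted above (embedded here as a constructed sample copied from that output), performs the same longest-prefix match the kernel does, and reports the next hop and outgoing interface. The function and class names are my own.

```python
"""Longest-prefix route lookup over a FreeBSD `netstat -rn` IPv4 table (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample: the IPv4 part of the `netstat -rn` output posted in the thread,
# followed by the start of the IPv6 section so the parser shows it stops there.
NETSTAT_RN = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         em0
10.8.0.0/24        10.8.0.2           UGS        tun0
10.8.0.1           link#4             UHS         lo0
10.8.0.2           link#4             UH         tun0
127.0.0.1          lo0                UHS         lo0
192.168.1.0/24     link#1             U           em0
192.168.1.200      link#1             UHS         lo0
192.168.1.201      link#1             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
"""


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str   # next-hop address, or "link#N" / interface name when directly attached
    flags: str
    netif: str

    @property
    def via_gateway(self) -> bool:
        # G flag: the packet is handed to the gateway address instead of the destination itself
        return "G" in self.flags


def parse_ipv4_routes(text: str) -> list[Route]:
    """Parse only the 'Internet:' section; host entries without a /len become /32."""
    routes: list[Route] = []
    in_v4 = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Internet:":
            in_v4 = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_v4 or not line or line.startswith("Destination"):
            continue
        dest, gw, flags, netif = line.split()[:4]
        if dest == "default":
            prefix = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            prefix = ipaddress.IPv4Network(dest, strict=False)
        routes.append(Route(prefix, gw, flags, netif))
    return routes


def lookup(routes: list[Route], dst: str) -> Route | None:
    """Kernel-style selection: the matching entry with the longest prefix wins."""
    addr = ipaddress.IPv4Address(dst)
    best: Route | None = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def describe(routes: list[Route], dst: str) -> str:
    """Human-readable one-liner for a destination, e.g. for a quick sanity check."""
    r = lookup(routes, dst)
    if r is None:
        return f"{dst}: no route"
    hop = f"via {r.gateway}" if r.via_gateway else "directly attached"
    return f"{dst}: {hop} on {r.netif} (matched {r.prefix})"


if __name__ == "__main__":
    table = parse_ipv4_routes(NETSTAT_RN)
    for target in ("10.8.0.5", "10.8.0.1", "192.168.1.50", "8.8.8.8"):
        print(describe(table, target))
```

Run against the posted table, a packet for 10.8.0.5 is sent to peer 10.8.0.2 on tun0 (where OpenVPN encrypts it and re-emits it from 192.168.1.200 through em0), 10.8.0.1 stays local on lo0, 192.168.1.50 goes straight out em0, and anything else follows the default route to 192.168.1.1. That is exactly why only 192.168.1.x packets appear on the wire between this host and the router unless the router is given a route for 10.8.0.0/24.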