Re: NAT for use with OpenVPN

2019-11-13 Thread Phil Staub
On Wed, Nov 13, 2019 at 6:19 PM Phil Staub wrote:
>
> On Wed, Nov 13, 2019 at 5:37 PM Morgan Wesström <
> freebsd-datab...@pp.dyndns.biz> wrote:
>
>> > See my follow up message. It's the SNAT directive. The tutorial I was
>> > looking at was
>> >
>> >

Re: NAT for use with OpenVPN

2019-11-13 Thread Phil Staub
On Wed, Nov 13, 2019 at 5:37 PM Morgan Wesström < freebsd-datab...@pp.dyndns.biz> wrote:
> > See my follow up message. It's the SNAT directive. The tutorial I was
> > looking at was
> >
> > https://www.karlrupp.net/en/computer/nat_tutorial
>
> Well, I'm too inexperienced with iptables to give you

Re: NAT for use with OpenVPN

2019-11-13 Thread Morgan Wesström
See my follow up message. It's the SNAT directive. The tutorial I was looking at was https://www.karlrupp.net/en/computer/nat_tutorial Well, I'm too inexperienced with iptables to give you any advice here unfortunately. Definitely. I assume the way to test that would be to attempt to
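
The router side of the last few messages (the MASQUERADE rule from the howtoforge tutorial, the SNAT alternative from the karlrupp tutorial, and the static route for 10.8.0.0/24 that Morgan asked for in the Netgear), as an added example that is not part of the thread: a POSIX shell script meant for the router's own shell. It assumes eth0 is the WAN interface, br0 the LAN bridge, 10.8.0.0/24 the OpenVPN subnet and 192.168.1.200 the FreeBSD box; the function names are mine, and the sample rule and route lines in the comments are constructed, not captured from the Netgear.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a Linux-based SOHO router
# (the Netgear shell reached over telnet) will actually source-translate the
# OpenVPN subnet on its way out, and print the rules to add if it will not.
# Assumed names: WAN interface eth0, LAN bridge br0, VPN subnet 10.8.0.0/24,
# OpenVPN server at 192.168.1.200 on the LAN.
VPN_NET="${VPN_NET:-10.8.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"
VPN_SERVER="${VPN_SERVER:-192.168.1.200}"

# Input: output of "iptables -t nat -S POSTROUTING". Stock firmware usually
# masquerades only its own LAN (e.g. "-A POSTROUTING -s 192.168.1.0/24 -o eth0
# -j MASQUERADE"), so 10.8.0.x sources leave eth0 untranslated and the reply
# never comes back. A rule with no -s covers every source; a rule whose -s is
# the VPN subnet covers it explicitly. Returns 0 when the subnet is covered.
vpn_is_natted() {
  printf '%s\n' "$1" | awk -v net="$2" -v ifc="$3" '
    /^-A POSTROUTING/ && (/-j MASQUERADE/ || /-j SNAT/) {
      src = ""; out = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-s") src = $(i + 1)
        if ($i == "-o") out = $(i + 1)
      }
      if ((out == "" || out == ifc) && (src == "" || src == net)) found = 1
    }
    END { exit !found }'
}

# Input: output of "ip route". Without a line like
# "10.8.0.0/24 via 192.168.1.200 dev br0" the router cannot return traffic
# to the VPN clients because it does not know they live behind the server.
vpn_route_present() {
  printf '%s\n' "$1" | awk -v net="$2" -v gw="$3" \
    '$1 == net && $2 == "via" && $3 == gw { found = 1 } END { exit !found }'
}

# The commands to add. With a fixed public address SNAT can be used and skips
# the per-connection lookup of the interface address that MASQUERADE does;
# on a dynamic WAN address MASQUERADE is the right choice because it follows
# whatever address eth0 currently has.
vpn_nat_commands() {
  net="$1"; ifc="$2"; gw="$3"; pub="${4:-}"
  printf 'ip route add %s via %s\n' "$net" "$gw"
  if [ -n "$pub" ]; then
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' "$net" "$ifc" "$pub"
  else
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$net" "$ifc"
  fi
  printf 'iptables -A FORWARD -s %s -o %s -j ACCEPT\n' "$net" "$ifc"
  printf 'iptables -A FORWARD -d %s -i %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$net" "$ifc"
}

# "--live" runs the checks on the router itself; otherwise just print the
# commands (set PUBLIC_IP to get the SNAT variant).
if [ "${1:-}" = "--live" ]; then
  status=0
  vpn_is_natted "$(iptables -t nat -S POSTROUTING 2>/dev/null)" "$VPN_NET" "$WAN_IF" \
    && echo "ok: $VPN_NET is translated on $WAN_IF" \
    || { echo "FAIL: $VPN_NET leaves $WAN_IF untranslated"; status=1; }
  vpn_route_present "$(ip route 2>/dev/null)" "$VPN_NET" "$VPN_SERVER" \
    && echo "ok: route for $VPN_NET via $VPN_SERVER" \
    || { echo "FAIL: no route for $VPN_NET via $VPN_SERVER"; status=1; }
  [ "$status" -eq 0 ] || { echo "commands to add:"; vpn_nat_commands "$VPN_NET" "$WAN_IF" "$VPN_SERVER" "${PUBLIC_IP:-}"; }
  exit $status
fi
vpn_nat_commands "$VPN_NET" "$WAN_IF" "$VPN_SERVER" "${PUBLIC_IP:-}"
```

On firmware whose FORWARD chain ends in a DROP, the two FORWARD rules have to be inserted (-I) rather than appended, and the static route is the piece that is easy to forget: the NAT rule makes outbound packets look like the router's own, but the first inbound reply still has to be routed to 192.168.1.200.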

Re: NAT for use with OpenVPN

2019-11-13 Thread Phil Staub
On Wed, Nov 13, 2019 at 4:13 PM Morgan Wesström < freebsd-datab...@pp.dyndns.biz> wrote:
> > iptables --table nat --append POSTROUTING --out-interface eth0 -j
> > MASQUERADE
>
> As I understand iptables, this is the normal/only way to provide NAT for
> any subnet.
>
> > One of the comments in

Re: NAT for use with OpenVPN

2019-11-13 Thread Morgan Wesström
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
As I understand iptables, this is the normal/only way to provide NAT for any subnet.
One of the comments in another tutorial I was reading says that the MASQUERADE rule is resource intensive, but if I understand

Re: NAT for use with OpenVPN

2019-11-13 Thread Phil Staub
On Wed, Nov 13, 2019 at 3:45 PM Phil Staub wrote:
> I believe I'm getting close.
>
> I found a tutorial at
>
> https://www.howtoforge.com/nat_iptables
>
> ... that identifies a couple rules to enable IP Forwarding and
> Masquerading:
>
> iptables --table nat --append POSTROUTING

Re: NAT for use with OpenVPN

2019-11-13 Thread Phil Staub
I believe I'm getting close. I found a tutorial at https://www.howtoforge.com/nat_iptables ... that identifies a couple rules to enable IP Forwarding and Masquerading:
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface

Re: NAT for use with OpenVPN

2019-11-13 Thread Morgan Wesström
# tcpdump -nvvi eth0 icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:22:29.614953 IP (tos 0x0, ttl 62, id 5638, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.8 > 8.8.8.8: ICMP echo request, id 13, seq 1, length 64
Are

Re: NAT for use with OpenVPN

2019-11-13 Thread Phil Staub
On Wed, Nov 13, 2019 at 10:12 AM Morgan Wesström < freebsd-datab...@pp.dyndns.biz> wrote:
>
> # tcpdump -nvvi br0 icmp
>
> eth0 is your external interface so try:
>
> # tcpdump -ni eth0 icmp
>
> Then ping 8.8.8.8 from your VPN client and see what shows up.
>
> br0 is a virtual bridge interface.

Re: NAT for use with OpenVPN

2019-11-13 Thread Morgan Wesström
# tcpdump -nvvi br0 icmp
eth0 is your external interface so try:
# tcpdump -ni eth0 icmp
Then ping 8.8.8.8 from your VPN client and see what shows up. br0 is a virtual bridge interface. This is what they use to connect your internal interface and your wlan interface together (and maybe

Re: NAT for use with OpenVPN

2019-11-13 Thread Morgan Wesström
On 2019-11-13 01:42, Phil Staub wrote:
Hey, it's about time something went our way. tcpdump is there. Here's what I get:
# tcpdump -ni any icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535

Re: NAT for use with OpenVPN

2019-11-12 Thread Morgan Wesström
Something else I just realized: You'll note the route from 10.8.0.0/24 and 192.168.1.200. That's the static route I added from the web interface. Is that something you think would be needed? Absolutely. When your VPN clients try to access the Internet, the router will

Re: NAT for use with OpenVPN

2019-11-12 Thread Morgan Wesström
On 2019-11-12 23:53, Phil Staub wrote: New development: In the process of tracking down installation of the DD-WRT firmware, I found out how to get a command line interface to the router. It involves sending a special enable packet to the gateway address and then telnetting into it.

Re: NAT for use with OpenVPN

2019-11-12 Thread Morgan Wesström
This makes me smile! :-) Hehe, I didn't intentionally try to insult you. Just wasn't sure of your background. :) Personally I started off with IBM DOS 1.0 in the mid 80s and worked as a PC/network technician for 30 years. I'll never let go of my beloved command prompt. Back to business

Re: NAT for use with OpenVPN

2019-11-12 Thread Morgan Wesström
I understand what you're saying here. I had hoped this wouldn't be a problem, since I didn't have a problem with the VPN in my old router, though I agree that this is NOT the same configuration. NAT is usually only applied to packets arriving/departing on the physical external interface. When

Re: Fwd: Fwd: NAT for use with OpenVPN

2019-11-12 Thread Phil Staub
On Tue, Nov 12, 2019 at 4:35 AM Morgan Wesström < freebsd-datab...@pp.dyndns.biz> wrote:
> > Wireless LAN adapter Wi-Fi:
> >
> > IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
>
> I think I've spotted the problem. Your laptop is hooked up to your
> local LAN. The NAT in your

Re: Fwd: Fwd: NAT for use with OpenVPN

2019-11-12 Thread Morgan Wesström
Wireless LAN adapter Wi-Fi:
IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
I think I've spotted the problem. Your laptop is hooked up to your local LAN. The NAT in your router can not normally "wrap around" packets destined to its WAN side and then apply NAT to them, which

Fwd: Fwd: NAT for use with OpenVPN

2019-11-11 Thread Phil Staub
-- Forwarded message -
From: Phil Staub
Date: Mon, Nov 11, 2019 at 8:47 PM
Subject: Re: Fwd: NAT for use with OpenVPN
To: Morgan Wesström

On Mon, Nov 11, 2019 at 5:15 PM Morgan Wesström < freebsd-datab...@pp.dyndns.biz> wrote:
> Phil,
>
> I did some more te

Re: Fwd: NAT for use with OpenVPN

2019-11-11 Thread Morgan Wesström
Phil, I did some more testing in my own environment and you should be able to ping the following addresses from your connected client. It probably breaks down at some point and you need to tell me where:
10.8.0.6 (or whatever ip your vpn client receives)
10.8.0.1 (server endpoint of vpn

Re: Fwd: NAT for use with OpenVPN

2019-11-11 Thread Morgan Wesström
OK. Here it comes:
root@threepio:/usr/local/etc/openvpn # netstat -rn
Routing tables
That machine looks good. I can't spot anything wrong on that side. Can you also check the output of "sysctl net.inet.ip.forwarding" and make sure it's set to 1. This is what gateway_enable=YES should do.

Re: Fwd: NAT for use with OpenVPN

2019-11-10 Thread Phil Staub
On Sun, Nov 10, 2019 at 5:27 PM Morgan Wesström < freebsd-datab...@pp.dyndns.biz> wrote:
> > Do packets with 10.8.0.x addresses ever actually make it on the wire
> > between the router and the OpenVPN server? I was under the impression
> that
> > the encrypted packets created a tunnel at which

Re: Fwd: NAT for use with OpenVPN

2019-11-10 Thread Morgan Wesström
Do packets with 10.8.0.x addresses ever actually make it on the wire between the router and the OpenVPN server? I was under the impression that the encrypted packets created a tunnel at which the IP address is only known at the endpoints, which means the OpenVPN client and server processes, and

Fwd: NAT for use with OpenVPN

2019-11-10 Thread Phil Staub
-- Forwarded message -
From: Phil Staub
Date: Sun, Nov 10, 2019 at 4:22 PM
Subject: Re: NAT for use with OpenVPN
To: Morgan Wesström

On Sun, Nov 10, 2019 at 10:34 AM Morgan Wesström < freebsd-datab...@pp.dyndns.biz> wrote:
>
> One additional thing. If you by any

Re: NAT for use with OpenVPN

2019-11-10 Thread Morgan Wesström
One additional thing. If you by any chance want to communicate with any of the other machines on your LAN from the VPN clients (not just Internet access), you need to add a static route for 10.8.0.0/24 pointing to 192.168.1.200 IN YOUR NETGEAR ROUTER or they won't know where to send their

Re: NAT for use with OpenVPN

2019-11-09 Thread Morgan Wesström
Phil, I forgot... OpenVPN needs its own subnet in the config file. Make sure you don't use the same subnet as your LAN uses because that would confuse the routing and could result in the behaviour you describe in your initial post. Data would reach the server but return packets wouldn't find

Re: NAT for use with OpenVPN

2019-11-09 Thread Morgan Wesström
Internet -> Arris 6141 modem -> Netgear R6400.2 router/firewall -> threepio.mynetgear.com (FreeBSD) Ah, you have a standalone SOHO router. That changes things drastically. :) I assume the computers on your LAN (including FreeBSD) have private IP addresses (192.168.x.x)? In that case your

Re: NAT for use with OpenVPN

2019-11-09 Thread Phil Staub
Looks like I spoke too soon that I had it working. See comments inline, including a note to Morgan Wesstrom.
On Sat, Nov 9, 2019 at 2:02 PM Phil Staub wrote:
> Further investigation suggests that I needed to add client-config-dir to
> my OpenVPN server.conf file and create a client file with

Re: NAT for use with OpenVPN

2019-11-09 Thread Morgan Wesström
I was hoping someone more experienced than myself would chip in and help you but since I run a similar setup I'll show you my configuration. I'm not perfectly clear on your physical network layout so you have to adapt my suggestions as needed. I run my OpenVPN server on the same physical

Re: NAT for use with OpenVPN

2019-11-09 Thread Phil Staub
Further investigation suggests that I needed to add client-config-dir to my OpenVPN server.conf file and create a client file with ifconfig-push in it to eliminate the 'bad source address' warning. However, I am still unable to get the NAT to work. I've been staring at the PF chapter in the
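
The pf side of this, as an added example that is not from the thread or from either poster's configuration: a POSIX shell script that emits the pf.conf translation rules the FreeBSD box needs if it is to do the NAT itself, and checks the three prerequisites that the later replies turn out to matter (IP forwarding on, a nat rule actually loaded, and a route for the tunnel subnet). Assumed names: em0 for the box's LAN interface, tun0 for the tunnel, 10.8.0.0/24 for the OpenVPN subnet; server.conf is assumed to already push the default route to clients (push "redirect-gateway def1"). The sample sysctl, pfctl and netstat output used in the comments is constructed, not captured from threepio.

```shell
#!/bin/sh
# Added example, not from the thread: generate the pf NAT rules that let
# OpenVPN clients reach the Internet through the FreeBSD box, and check the
# three things that have to be true for that to work. Assumed names: LAN
# interface em0, tunnel tun0, OpenVPN subnet 10.8.0.0/24.
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_IF="${VPN_IF:-tun0}"
EXT_IF="${EXT_IF:-em0}"

# pf.conf lines: rewrite the source of VPN client packets leaving EXT_IF to
# EXT_IF's own address, so the upstream router only ever sees a LAN address
# and needs neither a static route nor its own NAT rule for the VPN subnet.
# In FreeBSD 12's pf the nat rule must come before the filter (pass) rules.
pf_nat_rules() {
  net="$1"; ifc="$2"; vif="$3"
  printf 'nat on %s from %s to any -> (%s)\n' "$ifc" "$net" "$ifc"
  printf 'pass in quick on %s from %s to any keep state\n' "$vif" "$net"
  printf 'pass out quick on %s keep state\n' "$ifc"
}

# Input: output of "sysctl net.inet.ip.forwarding", e.g.
# "net.inet.ip.forwarding: 1" (gateway_enable="YES" in rc.conf sets this).
forwarding_enabled() {
  case "$1" in
    *"net.inet.ip.forwarding: 1"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Input: output of "pfctl -sn", e.g.
# "nat on em0 inet from 10.8.0.0/24 to any -> (em0) round-robin".
# A rule sitting in pf.conf but never loaded (pfctl -f) does nothing.
nat_rule_loaded() {
  printf '%s\n' "$1" | grep -q "^nat on $3 .*from $2 .*-> "
}

# Input: output of "netstat -rn" (columns Destination Gateway Flags Netif).
# The server creates "10.8.0.0/24 ... tun0" when it is up; without it the
# box has nowhere to send replies for the clients.
tun_route_present() {
  printf '%s\n' "$1" | awk -v net="$2" -v ifc="$3" \
    '$1 == net && $4 == ifc { found = 1 } END { exit !found }'
}

# Run the checks against the live system (FreeBSD only).
live_checks() {
  status=0
  if forwarding_enabled "$(sysctl net.inet.ip.forwarding 2>/dev/null)"; then
    echo "ok: IP forwarding enabled"
  else
    echo 'FAIL: set gateway_enable="YES" in rc.conf (sysctl net.inet.ip.forwarding=1)'; status=1
  fi
  if nat_rule_loaded "$(pfctl -sn 2>/dev/null)" "$VPN_NET" "$EXT_IF"; then
    echo "ok: pf nat rule for $VPN_NET on $EXT_IF loaded"
  else
    echo "FAIL: no loaded nat rule for $VPN_NET on $EXT_IF; add to pf.conf:"
    pf_nat_rules "$VPN_NET" "$EXT_IF" "$VPN_IF" | sed 's/^/    /'; status=1
  fi
  if tun_route_present "$(netstat -rn 2>/dev/null)" "$VPN_NET" "$VPN_IF"; then
    echo "ok: $VPN_NET routed via $VPN_IF"
  else
    echo "FAIL: no route for $VPN_NET via $VPN_IF; is the OpenVPN server up?"; status=1
  fi
  return $status
}

# "--live" runs the checks on the box; otherwise print the pf.conf lines.
case "${1:-}" in
  --live) live_checks ;;
  *) pf_nat_rules "$VPN_NET" "$EXT_IF" "$VPN_IF" ;;
esac
```

Doing the translation on the FreeBSD box is the alternative to the approach the thread ends up with (letting the router translate 10.8.0.x and giving it a static route): once the box rewrites sources to its own em0 address, the Netgear sees nothing but 192.168.1.200 and its stock NAT handles the rest, and the earlier tcpdump on the router's eth0 would show the box's LAN address rather than 10.8.0.8.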

NAT for use with OpenVPN

2019-11-07 Thread Phil Staub
I'm attempting to set up OpenVPN on a FreeBSD 12.1-RELEASE box. I'd like for it to allow remote clients to access the internet via the server box's connection. It appears that OpenVPN is working, because new connections are logged, but I also get this message in the log: Thu Nov 7 15:43:17 2019