WiFi to VPN

Hi all,

Thank you for that nice forum. I've been using FreeBSD now for 20 years.

I'm trying to use FreeBSD 14 as a WiFi access point to a VPN.

This is the configuration I have:

[Attached image: FreeBSD_init.PNG]

And this is what I want to do:

[Attached image: FreeBSD_WIFI_TUN_VPN.PNG]

Need: I need a WiFi access point that goes directly to the VPN.
My problem is: Proton VPN creates a tun0 interface. This tun0 is net layer number 3 (IP), and it's not possible to bridge that tun0 to the WiFi interface. Bridges are net layer number 2 (Ethernet).
Question: how is it possible to create the link between the tun0 and the WiFi interface ? I tried unsuccessfully with Netgraph.

Thank you for your help. I hope that all is clear in my post.
Best regards,
Cedric.
 
Depends. If the Proton end "NATs" everything (not only your VPN's end IP) you don't.
Yes, depends....
I don’t have a completely clear understanding of how everything is configured.

>This tun0 is net layer number 3 (IP), and it's not possible to bridge that tun0 to the WiFi interface.
But reading this I think that NAT is needed here
 
Dear all,

Thank you for all your answers.

The tun0 is created by the Proton client. I can't get rid of it. It receives an IP from Proton.

The WiFi interface: I'm open to all kind of solutions:

- 1/ Receive a IP from Proton.
- 2/ Set an IP, and set up a DHCP server for the WiFi clients.
- 3/ Other solution ..!

Regards, and thank you very much.
 
First test if the VPN requires NAT on your end.
You can do this by connecting the VPN (and assuming the VPN sets the default route through tun0):
curl --interface your.eth0.ip https://ipinfo.io/ip
curl --interface your.tun0.ip https://ipinfo.io/ip

If it shows your Proton end IP for both curls then you don't need NAT on tun0.
If the first curl does not work you have to do NAT.
Dear covacat,

Thank you for your answer.
curl --interface 192.168.1.44 https://ipinfo.io/ip

The first curl didn't work.

curl --interface 10.2.0.2 https://ipinfo.io/ip

That curl worked fine.

Regards,
Cédric
 
You need to run NAT on tun0. You need either pf or ipfw to do it. Also you need to enable IP forwarding in rc.conf.
Then probably the simplest method to achieve your goal is to run a DHCP server on the wlan interface and send clients your wlan IP as the default route.
Drawback => you have to unbridge wlan0 and eth0. eth0 and wlan0 clients won't be able to talk to each other (without some more configuration/hacking).

or

Keep eth0 and wlan0 bridged; the router-modem will supply DHCP to wlan and lan.
You need to forward any incoming packet via wlan0 which has a destination outside of your LAN to the VPN endpoint.
 
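The first design above (wlan0 unbridged, its own subnet, NAT on tun0) as a worked pf.conf. This is an added example, not configuration from the thread or from Proton; the interface names (em0 for the wired uplink, wlan0, tun0), the 192.168.0.0/24 WiFi subnet and the host's 192.168.0.1 address on wlan0 are assumptions. It adds the check a practitioner wants on a VPN gateway: WiFi client traffic is blocked from ever leaving through the wired uplink, so if the Proton client drops and the default route falls back to the modem, the clients lose connectivity instead of silently bypassing the VPN.

```pf
# /etc/pf.conf (added example, assumed names and addresses)
#
# Design: wlan0 is NOT bridged to the wired interface. It carries its own
# subnet handed out by dhcpd on this host, every packet from that subnet is
# source-NATed to tun0's current address, and nothing from that subnet may
# leave via the wired uplink.

ext_if   = "em0"             # wired uplink to the modem/router ("eth0" in the thread)
vpn_if   = "tun0"            # created by the Proton client, address assigned by Proton
wlan_if  = "wlan0"           # the access point interface
wlan_net = "192.168.0.0/24"  # assumed WiFi client subnet, wlan0 itself is 192.168.0.1

set skip on lo0
scrub in all

# Translation: rewrite the source of WiFi client traffic to tun0's own address.
# The parentheses make pf re-read the address each time, which matters because
# tun0's address changes whenever the VPN reconnects.
nat on $vpn_if from $wlan_net to any -> ($vpn_if)

# Default deny, logged to pflog0 so leaks show up in tcpdump -ni pflog0.
block log all

# Fail closed: WiFi client traffic must never egress the wired uplink, even if
# the default route has fallen back to $ext_if because tun0 went away.
block out quick on $ext_if from $wlan_net to any

# The host itself: reach the Proton server over the uplink, and talk on the tunnel.
pass out quick on $ext_if from ($ext_if) to any
pass out quick on $vpn_if from ($vpn_if) to any

# Access point side:
#  - DHCP discover/request (source 0.0.0.0, so not covered by $wlan_net)
#  - DNS to this host (assumes a local resolver, e.g. unbound, that forwards via tun0)
#  - everything else from the clients, but only to destinations outside their own subnet;
#    it is then routed via the default route (tun0) and NATed by the rule above
pass in quick on $wlan_if inet proto udp from any to any port 67
pass in quick on $wlan_if inet proto { tcp udp } from $wlan_net to ($wlan_if) port 53
pass in quick on $wlan_if inet from $wlan_net to ! $wlan_net
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only) and then `pfctl -f /etc/pf.conf`; `pfctl -s nat` should list the translation rule with tun0's current address. In /etc/rc.conf the example assumes `gateway_enable="YES"` (IP forwarding), `pf_enable="YES"`, `pflog_enable="YES"`, wlan0 configured as a hostap interface with the static address 192.168.0.1/24, and a DHCP server on wlan0 (with the isc-dhcp44-server package: `dhcpd_enable="YES"` and `dhcpd_ifaces="wlan0"`) handing out 192.168.0.1 as the router and as the DNS server. To verify, repeat the test from earlier in the thread from a WiFi client: `curl https://ipinfo.io/ip` must return the Proton address; then stop the Proton client and confirm the same curl fails rather than returning the ISP address, which is the leak the `block out quick on $ext_if` rule exists to prevent.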
Dear covacat,

Thank you for your answer. It's clear now that I have to do a NAT on tun0.

[Attached image: FREEBSD_WIFI_VPN_TUN2.png]

My question now is: what kind of link between wlan0 and tun0 ? It doesn't work with a bridge. It doesn't work with netgraph. Do you have an idea ?

Thank you, best regards,
Cédric.
 
> what kind of link between wlan0 and tun0
Layer 3, i.e. standard TCP/IP routing. With or without NAT.

> It doesn't work with a bridge. It doesn't work with netgraph.
Nope. You already know why:
> This tun0 is net layer number 3 (IP), and it's not possible to bridge that tun0 to the WiFi interface. Bridges are net layer number 2 (Ethernet).

Anything you can configure on the modem/router? Lots of ISPs give you a completely locked down device though, can't configure much, if anything at all.
 
Dear SirDice,

Thank you for your answer. Yes, it's possible to configure a lot of items on the router.
The current configuration as a modem/router suits me.
I finally found a solution, listening to all the advice I received. I'll describe this solution hereunder, in my reply to covacat.

Best regards,
Cédric.
 
You can add a static route on the router-modem like 192.168.0.0/24 via the IP of eth0.
Then devices connected to the router-modem via Ethernet will be able to talk with WiFi devices.
 