Basic routing over a VPN

Trying to get my FreeBSD server to act as a gateway to an OpenVPN connection... I have the OpenVPN connection working, it's up on tun0, and I have gateway_enable="YES" in /etc/rc.conf. What I want is the FreeBSD machine to accept traffic from the local 10.0.0.0/24 network connected to re0 and pass it to and from the internet over tun0 with NAT.
Have pf up and running with
Code:
ext_if = "tun0"
int_if = "re0"
localnet = $int_if:network
nat on $ext_if from $localnet to any -> ($ext_if)
block all
pass from { lo0, $localnet } to any keep state
I did this before, and I recall this being all I needed to do, but I can't remember if there was anything else I had to do to make it work.
 
Hmm, messing around with it some more it looks like the FreeBSD machine is forwarding incoming packets to its default route, whether PF is running or not. And it stops doing that as soon as I start up OpenVPN.
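An added example (not the poster's config, and not part of the thread) that pulls the setup described above into one script: a complete pf ruleset for a LAN on re0 NATed out over the OpenVPN tun0, a syntax check before loading, and the kernel forwarding check that decides whether the box forwards at all, since pf only filters and translates what the kernel already routes. The interface names are the poster's; the `set skip on lo0` line and the `pass out on $ext_if keep state` rule are my additions. That last rule matters because pf applies the nat rule before it filters outbound packets, so by the time a forwarded packet is evaluated on tun0 its source is already the tunnel address and a plain `pass from $localnet` no longer matches it.

```shell
#!/bin/sh
# Added example, not the poster's config: pf gateway ruleset for LAN on $2,
# OpenVPN tunnel on $1, plus the forwarding check. Interface names assumed.

# Print a pf.conf for external interface $1 and internal interface $2.
pf_ruleset() {
    ext="$1"; int="$2"
    cat <<EOF
ext_if = "$ext"
int_if = "$int"
localnet = \$int_if:network

set skip on lo0

# Rewrite the source of everything leaving the tunnel to tun0's current address.
nat on \$ext_if from \$localnet to any -> (\$ext_if)

block all
# The LAN may open connections through the box.
pass in on \$int_if from \$localnet to any keep state
# Translation happens before outbound filtering, so packets leaving \$ext_if
# already carry the tunnel address and would not match "from \$localnet".
pass out on \$ext_if keep state
EOF
}

# 0 if the kernel forwards IPv4 (what gateway_enable="YES" sets at boot), else 1.
forwarding_enabled() {
    [ "$(sysctl -n net.inet.ip.forwarding 2>/dev/null)" = "1" ]
}

# Syntax-check the ruleset, then load it; refuse if forwarding is off, because
# pf cannot forward packets on its own.
load_gateway_rules() {
    tmp="$(mktemp /tmp/pf.conf.XXXXXX)" || return 1
    pf_ruleset "$1" "$2" > "$tmp"
    if ! forwarding_enabled; then
        echo "net.inet.ip.forwarding is 0: enable the gateway first" >&2
        rm -f "$tmp"; return 1
    fi
    pfctl -nf "$tmp" && pfctl -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh gateway.sh --show [ext int]   prints the ruleset
#        sh gateway.sh --load tun0 re0    checks forwarding, then loads it
if [ "${1:-}" = "--load" ]; then
    load_gateway_rules "$2" "$3"
elif [ "${1:-}" = "--show" ]; then
    pf_ruleset "${2:-tun0}" "${3:-re0}"
fi
```

Run it with `--show` first to read the generated rules; `--load` only swaps the ruleset in after `pfctl -nf` accepts it, so a typo leaves the running rules untouched.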
 
Never did get it to work with pf, but did with ipfw.

Used this rule set:
Code:
#!/bin/sh
ipfw="/sbin/ipfw -q"
wan="tun0"
lan="re0"
# Build the new rules in set 1 while the active set 0 keeps filtering
${ipfw} set disable 1
# NAT instance on the tunnel: drop unsolicited inbound, keep source ports, only translate private addresses
${ipfw} nat 1 config log if ${wan} deny_in same_ports unreg_only reset
${ipfw} add 0010 set 1 nat 1 ip from any to any via ${wan}
${ipfw} add 0020 set 1 reass all from any to any in
${ipfw} add 0030 set 1 check-state
${ipfw} add 0040 set 1 allow ip from any to any
# Make set 1 active in one step, then discard the old rules
${ipfw} set swap 0 1
${ipfw} delete set 1

It takes longer for the tunnel to start up than it does for ipfw, though, so I had to add a startup script to stop ipfw, start openvpn, wait ten seconds, then restart ipfw.
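An added example (my script, not the poster's) of the ordering problem just described: `nat 1 config if tun0` has to be loaded after tun0 exists, so the script starts OpenVPN, polls until tun0 actually has an address instead of sleeping a fixed ten seconds, and then re-runs the rule script. It assumes the rc service is named `openvpn` and that the set-swap rule set above lives at `/etc/ipfw.rules` (both assumptions). It never stops ipfw: the old set keeps filtering until the new set is swapped in, so the box is not left with no firewall while the tunnel comes up.

```shell
#!/bin/sh
# Added example, not the poster's startup script: start OpenVPN, wait for
# tun0 to get an address, then reload the ipfw set-swap rules. The service
# name "openvpn" and the path /etc/ipfw.rules are assumptions.

RULES="/etc/ipfw.rules"   # assumed location of the set-swap rule script

# Return 0 once interface $1 has an IPv4 address, 1 after $2 seconds without one.
wait_for_tun() {
    iface="$1"; limit="${2:-30}"; waited=0
    while [ "$waited" -lt "$limit" ]; do
        if ifconfig "$iface" 2>/dev/null | grep -q 'inet '; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Bring the tunnel up, then reload the rules. ipfw keeps running throughout;
# the rule script builds set 1 and swaps it in, so there is no open window.
start_gateway() {
    service openvpn start || return 1
    if wait_for_tun tun0 30; then
        sh "$RULES"
    else
        echo "tun0 did not come up within 30s; ipfw rules left unchanged" >&2
        return 1
    fi
}

# Usage: sh gateway-up.sh --run
if [ "${1:-}" = "--run" ]; then
    start_gateway
fi
```

If the tunnel never comes up the script reports it and leaves the existing rule set in place, which is the fail-closed outcome you want from a gateway's firewall.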
 
it looks like the FreeBSD machine is forwarding incoming packets to its default route, whether PF is running or not.
Common misconception, PF is a packet filter (and manipulator), not a routing engine. Packet filters do NOT route.
 
Common misconception, PF is a packet filter (and manipulator), not a routing engine. Packet filters do NOT route.
Which can be confusing, as there are redirect and NAT options, just not routing ones. If I'm understanding things correctly, PF can stamp the right bits on the packet to be routed to the right place, just not establish the routing that the packet should take in getting to the machine. Which probably explains a bunch of the issues I've personally been having with my jails, bhyve VMs and podman containers if I try to connect them any way other than via an alias to my incoming ethernet port.
 