ssh2 said: I have another question on configurations.
You have this: [User somewhere in NET] -> [Modem/Router with white dynamic IP] -> [VPN Server in DMZ] -> [LAN].
This is no longer true, see Part III of the present Howto:
rolfheinrich said: 4. ipfw/NAT for the L2TP/IPsec and PPTP Dial-In Services, all running on the same FreeBSD box
When I wrote Part I and Part II of this Howto, my FreeBSD home server was sitting in the DMZ behind a SOHO router to the internet, and firewall/NAT was handled by the router. Recently, I connected the cable modem via USB directly to the FreeBSD box, enabled ipfw and NAT, and now it plays the role of the gateway to the internet. ...
From the point of view of the FreeBSD box, the cable modem is just another network interface; therefore, the setup described in Part III can be taken as a bare two-NIC setup, one NIC facing the WAN (here the cable modem, ue0) and the other NIC facing the LAN (here re0). In your scheme this would mean:
[User somewhere in NET] -> [dynamic IP (ue0) - ipfw/NAT - VPN (& other services) (re0)] -> [LAN]
ssh2 said: Can you help me with settings for this:
1) [User (iOS/Android/Windows/OS X) somewhere on the net, but mostly behind NAT with a gray IP (cafés, airports and other untrusted places)] -> [trusted VPN server with a white static IP and NAT for secure surfing]
2) [User (iOS/Android/Windows/OS X) somewhere on the net, but mostly behind NAT with a gray IP (cafés, airports and other untrusted places)] -> [trusted VPN server with a white static IP and NAT] -> [LAN in office]
For the setup described in Part III it is completely irrelevant that ue0 got a dynamic IP, so it would work exactly the same if said IP were static. So, I assume that the described settings should simply work for both of your usage cases.
However, note that I had no luck with Windows and L2TP/IPsec. For this reason, I also have a PPTP VPN server running, as mentioned in Part III and described here: http://forums.freebsd.org/showthread.php?p=137792.
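The post above refers the reader to Part III for the actual ipfw/NAT settings, which are not reproduced here. The following is an added example, not rolfheinrich's own ruleset and not taken from Part III, of how the two-NIC gateway described above can be wired up: in-kernel NAT on ue0, a trusted LAN on re0, and the L2TP/IPsec (IKE, NAT-T, ESP, L2TP) and PPTP (TCP 1723, GRE) dial-in services exposed on the gateway itself. The interface names ue0 and re0 come from the post; the LAN prefix, the address pool handed to VPN clients, and the rc.conf hooks in the comments are assumptions. The rule ordering follows the FreeBSD Handbook's in-kernel NAT recipe: inbound NAT runs before check-state, so replies are translated back to LAN addresses before the dynamic-rule lookup, and outbound NAT runs last, so the dynamic rules are keyed on the untranslated LAN addresses. Setting net.inet.ip.fw.one_pass=0 is required for this, because otherwise the packet is accepted right after the nat rule and never reaches the service or deny rules. When ipfw is not available (or DRY_RUN=1 is set) the script prints the commands instead of executing them, so the ruleset can be reviewed on any host.

```shell
#!/bin/sh
# Added example: ipfw + in-kernel NAT for a FreeBSD box that is both the
# internet gateway and the L2TP/IPsec and PPTP dial-in server.
# Assumed rc.conf hooks:  firewall_enable="YES"  firewall_nat_enable="YES"
#                         firewall_script="/etc/ipfw.rules"   (this file)
# Interface names from the post; networks below are assumptions.
WAN=ue0                       # cable modem, dynamic or static public IP
LAN=re0                       # office/home LAN
LAN_NET=192.168.1.0/24        # assumed LAN prefix
VPN_POOL=192.168.2.0/24       # assumed pool that mpd/ppp assigns to dial-in clients

# Execute a command, or just print it when ipfw is missing or DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v ipfw >/dev/null 2>&1; then
        echo "$*"
    else
        "$@"
    fi
}
fw() { run ipfw -q "$@"; }

load_rules() {
    # Continue rule processing after the nat action (see lead-in).
    run kldload -n ipfw_nat
    run sysctl net.inet.ip.fw.one_pass=0

    fw -f flush
    fw nat 1 config if "$WAN" unreg_only reset same_ports

    # Loopback, trusted LAN side, and basic anti-spoofing on the WAN side.
    fw add 100 allow ip from any to any via lo0
    fw add 110 allow ip from any to any via "$LAN"
    fw add 120 deny ip from any to 127.0.0.0/8
    fw add 130 deny ip from 127.0.0.0/8 to any
    fw add 140 deny log ip from "$LAN_NET" to any in via "$WAN"
    fw add 150 deny log ip from "$VPN_POOL" to any in via "$WAN"

    # Inbound: reassemble, undo NAT on replies, then consult dynamic rules.
    fw add 200 reass ip from any to any in
    fw add 210 nat 1 ip from any to any in via "$WAN"
    fw add 220 check-state

    # Outbound from the box, the LAN or VPN clients: record state on the
    # untranslated addresses, then jump to the outbound NAT rule.
    fw add 300 skipto 1000 ip from any to any out via "$WAN" keep-state

    # Inbound services on the gateway itself.
    fw add 400 allow udp from any to me 500 in via "$WAN" keep-state       # IKE
    fw add 410 allow udp from any to me 4500 in via "$WAN" keep-state      # IPsec NAT-T
    fw add 420 allow esp from any to me in via "$WAN"                      # ESP, proto 50
    fw add 430 allow udp from any to me 1701 in via "$WAN" keep-state      # L2TP (after ESP decapsulation)
    fw add 440 allow tcp from any to me 1723 in via "$WAN" setup keep-state  # PPTP control channel
    fw add 450 allow gre from any to me in via "$WAN"                      # PPTP data, GRE proto 47
    fw add 460 allow icmp from any to me in via "$WAN" icmptypes 0,3,8,11

    # Everything else arriving from the internet is dropped and logged.
    fw add 500 deny log ip from any to any in via "$WAN"

    # Outbound NAT for LAN and VPN-client traffic, then accept.
    fw add 1000 nat 1 ip from any to any out via "$WAN"
    fw add 1010 allow ip from any to any
}

load_rules
```

Two caveats a practitioner would add to the above. Windows L2TP/IPsec clients that sit behind NAT, as in the "cafe/airport" case, refuse NAT-T by default; the documented fix is the AssumeUDPEncapsulationContextOnSendRule registry value (DWORD 2) under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent, which is a common reason for exactly the Windows failure the post describes. And PPTP with MS-CHAPv2 authentication is cryptographically broken (the handshake can be cracked offline), so it should be treated as reachability of last resort rather than as a "secure surfing" tunnel.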