ipfw for gateway to share a openvpn client

[sac65849]

I have an older working instance of ipfw with working VPN tunnel as a client of a commercial OpenVPN service and all traffic on this machine seems to be successfully going through the tunnel interface tun0. Is there a resource showing how to configure ipfw to have this machine act as a gateway so that multiple local machines can share the vpn connection. I tcpdump -i tun0 and I see the tun0 interfaces sees gateway routed traffic destined of external IPs but I do not see any responses. I think i need a ipfw nat rule but my

ipfw -q add 00100 nat 1 ip from any to any via tun0 out keep-state

Local traffic using the gateway is routed to the gateway external interface.

 

[SirDice]

Is there a resource showing how to configure ipfw to have this machine act as a gateway

Routing is not a job for a firewall. A firewall transforms (source and/or destination NAT for example) and filters (allow or block based on certain criteria) packets, it does NOT route packets. Routing is done by the OS. You can enable (IPv4) routing by adding gateway_enable="YES" to rc.conf.

 

[D-FENS]

Is there a resource showing how to configure ipfw to have this machine act as a gateway so that multiple local machines can share the vpn connection.

The FreeBSD docs contain a pretty good guide on routing here: https://docs.freebsd.org/en/books/handbook/advanced-networking/#network-routing
+1 to SirDice, routing is not configured in the firewall.

I think i need a ipfw nat rule

Indeed, you need NAT.
If you set gateway_enable="YES" as described above, the host will forward packets to the VPN network. However, the Source IP field of the packets will contain IP addresses from your local network and the VPN server would not know where to send the response to (it does not know your LAN's IP addresses).
To work around this, when you configure NAT with ipfw, the Source IP will be replaced by your host's VPN client IP address and the VPN server knows that the response should go back to your host. When the response is received, it will again overwrite the relevant IP address in the packet so that the response is ultimately delivered to the machine that sent the initial packet.

Microsoft docs explaining how NAT works: https://docs.microsoft.com/en-us/azure/rtos/netx-duo/netx-duo-nat/chapter1
This is documentation on in-kernel NAT with ipfw: https://docs.freebsd.org/en/books/handbook/firewalls/#in-kernel-nat