ipfw for gateway to share a openvpn client

S

sac65849

New Member


Messages: 1

I have an older working instance of ipfw with working VPN tunnel as a client of a commercial OpenVPN service and all traffic on this machine seems to be successfully going through the tunnel interface tun0. Is there a resource showing how to configure ipfw to have this machine act as a gateway so that multiple local machines can share the vpn connection. I tcpdump -i tun0 and I see the tun0 interfaces sees gateway routed traffic destined of external IPs but I do not see any responses. I think i need a ipfw nat rule but my

ipfw -q add 00100 nat 1 ip from any to any via tun0 out keep-state

Local traffic using the gateway is routed to the gateway external interface.
 
SirDice

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 13,892
Messages: 40,605

sac65849 said:
Is there a resource showing how to configure ipfw to have this machine act as a gateway
Click to expand...
Routing is not a job for a firewall. A firewall transforms (source and/or destination NAT for example) and filters (allow or block based on certain criteria) packets, it does NOT route packets. Routing is done by the OS. You can enable (IPv4) routing by adding gateway_enable="YES" to rc.conf.
 
D-FENS

D-FENS

Aspiring Daemon

Reaction score: 255
Messages: 803

sac65849 said:
Is there a resource showing how to configure ipfw to have this machine act as a gateway so that multiple local machines can share the vpn connection.
Click to expand...

The FreeBSD docs contain a pretty good guide on routing here: https://docs.freebsd.org/en/books/handbook/advanced-networking/#network-routing
+1 to SirDice, routing is not configured in the firewall.

sac65849 said:
I think i need a ipfw nat rule
Click to expand...
Indeed, you need NAT.
If you set gateway_enable="YES" as described above, the host will forward packets to the VPN network. However, the Source IP field of the packets will contain IP addresses from your local network and the VPN server would not know where to send the response to (it does not know your LAN's IP addresses).
To work around this, when you configure NAT with ipfw, the Source IP will be replaced by your host's VPN client IP address and the VPN server knows that the response should go back to your host. When the response is received, it will again overwrite the relevant IP address in the packet so that the response is ultimately delivered to the machine that sent the initial packet.

Microsoft docs explaining how NAT works: https://docs.microsoft.com/en-us/azure/rtos/netx-duo/netx-duo-nat/chapter1
This is documentation on in-kernel NAT with ipfw: https://docs.freebsd.org/en/books/handbook/firewalls/#in-kernel-nat
 
You must log in or register to reply here.
Top