no NAT/routing through iocage OpenVPN gateway jail/host

Hi folks,

I'm somewhat of a *BSD novice, having rather used various builds for appliance devices, such as pfSense, opnSense, FreeNAS, etc.

I've recently set up a new FreeNAS box from scratch, and built/building a jail for the express purpose of maintaining OpenVPN client connections, and then tweaking my DHCP so that particular hosts on my network uses it as their gateway. (tried it on my firewall, but results were not ideal)

Typology looks something like:
[$LANHOST] -> [$GATEWAY] -> [tun0] -> interwebs

I'm a little down the road cobbling things together, so I'm a little vague on ALL the particulars (eg. I had to enable TUN from server CLI to enable OpenVPN to run in an iocage jail; can't recall particulars now), but much of the setup looks somewhat like this guide.

The long & the short of it is that my VPN daemon on my gateway box (aka "$GATEWAY") seems to works well & when I curl I get all the right signals - IP not provided by my ISP, good iperf, etc.

When I do the same from a client host (aka "$LANHOST"), it only works when the VPN daemon is down, but nothing gets through when the daemon is up.

for both tcpdump -i epair0b host & tcpdump -i tun0 host on $GATEWAY I get :
IP > ICMP echo request, id 39208, seq 225, length 64

portion of my cat /etc/rc.conf :

#enagble gateway relay


Assume /etc/ipfw.conf is FUBAR, since changes I've tried have not had any desired effect, but I expect it's some sort of NAT in this file that would be the answer.
Unfortunately this is not my bag, so I'm completely out of my league here.

I'm trying to keep the problem-statement lean here, so I'm not including configs that are probably wrong or replaceable.

What should my ipfw.conf file look like to?
  • serve as a gateway definable in DHCP
  • route/NAT such traffic straight out over the secured tun0 pipe
  • not permit any potential inbound connections coming from said pipe
Anything else I'm missing?
Hoping info here could serve as a guide to others looking for a similar 'simple' setup.


Edit: found additional info in this pretty solid guide , but much of it's over my head (didn't know devfs was even something, let alone something I had to config), so will take a time to parse properly