OpenVPN IPFW NAT FreeBSD

OP
OP
J

jasonhirsh

Active Member

Thanks: 1
Messages: 101

#26
OK, spent the night and part of the morning reading documentation on PF and it's not quite as horrible as I first thought (so I must have missed something crucial).

So I think I will shift gears to FreeBSD/OpenVPN/NAT/PF.

I still have one unanswered question I sort of partially asked earlier. If I can get an answer then I think we can close this thread off, maybe not as solved but as hitting a brick wall.

In most of the discussions I see references to external and internal IPs and interfaces when doing the setup. The server I am working on is essentially a standalone machine with no intranet. I would assume that prior to the OpenVPN or NAT, it had for, all intents and purposes, no internal IP or interface or is in fact the lo0 considered the internal interface? ifconfig results as follows:

Code:
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
	ether 00:13:8f:e5:e4:15
	inet 209.160.65.133 netmask 0xfffff800 broadcast 209.160.71.255
	inet 209.160.68.112 netmask 0xffffffff broadcast 209.160.68.112
	media: Ethernet autoselect (10baseT/UTP <full-duplex>)
	status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:18:e7:08:27:dd
	inet 10.8.0.1 netmask 0xffffff00 broadcast 10.8.0.255
	media: Ethernet autoselect (none)
	status: no carrier
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
 

kpa

Beastie's Twin

Thanks: 1,771
Messages: 6,271

#27
Please don't assign the same IP address to multiple interfaces like you have done there. It just won't work. Leave the rl0 interface without an IP address if it's going to be unused.

If you have don't have an internal interface it's completely ok. There is no requirement to have an internal interface for OpenVPN to work in a setup that you're trying to create.
 
OP
OP
J

jasonhirsh

Active Member

Thanks: 1
Messages: 101

#28
I have no idea how the 10.8.0.1 address got assigned to the rl0 interface. It is not done by any of the configuration files I have been changing. And is not in the rc.conf.
 

kpa

Beastie's Twin

Thanks: 1,771
Messages: 6,271

#29
Remove this line from the config, it's unnecessary since the server directive takes care setting up routes:

Code:
route 10.8.0.2 255.255.255.0
 
OP
OP
J

jasonhirsh

Active Member

Thanks: 1
Messages: 101

#30
That did clean up the r10 issue as the 10.8.0.1 is no longer assigned there, but I still don't have a tunnel to the internet, Everything dies at the server.
 

kpa

Beastie's Twin

Thanks: 1,771
Messages: 6,271

#31
Things to double check:

IP forwarding is really on, check if this sysctl(8) returns 1:

sysctl -n net.inet.ip.forwarding

From your other thread about PF NAT, check that the rules are loaded and in effect:

pfctl -s nat

pfctl -s rules
 
OP
OP
J

jasonhirsh

Active Member

Thanks: 1
Messages: 101

#32
I did get a "1" returned. I am still running IPFW. Haven't re-tried installing PF yet. I am in process of writing an "open" ruleset so I can at least change over from IPFW to PF then work on the more advanced ruleset. The $25/mistake for a code copy and reboot is getting expensive. As I understand the two commands you provided, the first would show the "parse" (Not actually load) results and the second would check reverse DNS right?
 

kpa

Beastie's Twin

Thanks: 1,771
Messages: 6,271

#33
First will show the NAT and RDR (port forward) rules that are in effect (already loaded), the second will show the filter rules. I changed them to be more understable versions, the shortcut versions may be confusing.
 

kpa

Beastie's Twin

Thanks: 1,771
Messages: 6,271

#34
Set up a test system on your local machine so you don't have to test everything on the live remote system, VirtualBox makes a good testing platform.
 
OP
OP
J

jasonhirsh

Active Member

Thanks: 1
Messages: 101

#35
That is a great idea I was unaware of that product. I will add to my list of things to do. The issue would be the time involved to build a system as I imagine a dump/restore would not would not be advisable due to difference in host. Sorry this is going a little off topic.
 
Top