OpenVPN server not forwarding traffic

Hi,

I am new to OpenVPN. The VPN is configured and the VPNclient can connect.

I have the following topology

VMware workstation 17 Guest
Host Wins10
localLAN Bridged mode VPN subnet

ipradio .50 <------192.168.100.0/24 -------> .250 VPNserver .1 <------ 10.200.200.0/24 -------> .2 VPNclient

- the localLAN subnet has been pushed from the VPNserver to the VPNclient.
- local routing and access policy allows the VPNsubnet via 192.168.100.250.

- The VPNclient can ping both of the VPNserver interfaces.
- The VPN client CAN NOT ping the ipradio.
- The VPN server can ping the ipradio.

I think VPNserver is either not forwarding the traffic, or is doing NAT or something that modifies the packet.

Does anybody know what could be wrong?
 
I have

root# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 0

does this need to be 1?

What is the command to change ip forwarding to 1 in freebsd?
 
Yes, you should enable forwarding
Code:
# sysctl net.inet.ip.forwarding=1
It's temporary. To permanent add to rc.conf
Code:
gateway_enable="YES"
 
Do you enable forwarding?
Code:
net.inet.ip.forwarding=1

I don't think so, none of the guides bother to mention it. The documentation is a can of worms, there are contradictions everywhere, examples provided don't work because of missing commands, or commands that do not exist.

I used the so-called official OpenVPN guide, none of the commands work, and it doesn't even mention IP forwarding. I feel the documentation is deliberately poorly written to drive people towards the paid platform.

It's annoying, it's not the technology, it's the documentation that has you driving through treacle.


So I just need this command

net.inet.ip.forwarding=1 ?


Reading around I saw something that said the best way to do it is with the

gateway_enable = YES in rc.conf


Just need some confirmation before I implement it and it makes FreeBSD explode and I have to rebuild it.
 
That is the standard way of enabling forwarding.

Do I need to have OpenVPN in rc.conf also?

I haven't added to the startup rc.conf yet.

Will I be ok to just add gateway_enable=YES? It won't make FreeBSD explode? lol ;-)

It's just that I have found myself in unbreakable booting loop cycles a few times now, with the only solution being to rebuild it.
 
Use sysrc to modify /etc/rc.conf; this way you won't make a syntax error inside /etc/rc.conf, which can cause your FreeBSD to fail to boot.

example:
sysrc gateway_enable="YES"
sysctl net.inet.ip.forwarding=1

The first command, sysrc, will change the gateway_enable variable to YES inside your /etc/rc.conf, so the next time you restart the computer it will set net.inet.ip.forwarding to 1 for you.

The second command will set net.inet.ip.forwarding to 1 without the need to reboot the computer, but it will not retain this setting if you don't have gateway_enable="YES" inside /etc/rc.conf, because by default forwarding is disabled (0).
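The two places this post checks are the live sysctl value and the rc.conf line. As an added example (not from the thread), this sh function takes both as text and reports whether forwarding is live, persistent, both or neither; the sample rc.conf contents are constructed, and on a real FreeBSD host you would feed it `sysctl net.inet.ip.forwarding` output and `/etc/rc.conf`.

```shell
#!/bin/sh
# Added example: classify FreeBSD IPv4 forwarding state from
#   1) the output line of "sysctl net.inet.ip.forwarding"
#   2) the text of /etc/rc.conf (gateway_enable line)
# Usage on a real host (not run here):
#   forwarding_state "$(sysctl net.inet.ip.forwarding)" "$(cat /etc/rc.conf)"

# forwarding_state SYSCTL_LINE RCCONF_TEXT
# Prints one of: running+persistent | running-only | persistent-only | disabled
forwarding_state() {
    sysctl_line=$1
    rcconf=$2
    # "net.inet.ip.forwarding: 1" -> "1"
    live=$(printf '%s\n' "$sysctl_line" \
        | sed -n 's/^net\.inet\.ip\.forwarding: *\([01]\).*/\1/p')
    # Last uncommented gateway_enable assignment wins, as sh would evaluate
    # rc.conf; quotes around the value are optional, commented lines ignored.
    persist=$(printf '%s\n' "$rcconf" \
        | sed -n 's/^[[:space:]]*gateway_enable[[:space:]]*=[[:space:]]*"\{0,1\}\([A-Za-z]*\)"\{0,1\}.*/\1/p' \
        | tail -n 1 | tr '[:lower:]' '[:upper:]')
    [ "$persist" = "YES" ] && persist=1 || persist=0
    case "${live:-0}$persist" in
        11) echo running+persistent ;;
        10) echo running-only ;;      # works now, lost at next reboot
        01) echo persistent-only ;;   # will work after reboot, not yet live
        *)  echo disabled ;;
    esac
}

# Constructed sample rc.conf contents mirroring the thread: before and
# after "sysrc gateway_enable=YES".
RC_BEFORE='hostname="vpnserver"
openvpn_enable="YES"'
RC_AFTER="$RC_BEFORE
gateway_enable=\"YES\""

# Demo: the original poster's state, then after both fixes were applied.
echo "before: $(forwarding_state 'net.inet.ip.forwarding: 0' "$RC_BEFORE")"
echo "after:  $(forwarding_state 'net.inet.ip.forwarding: 1' "$RC_AFTER")"
```

The "running-only" result is the trap this post warns about: pings work until the next reboot, then stop.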
 
Yes, you should enable forwarding
Code:
# sysctl net.inet.ip.forwarding=1
It's temporary. To permanent add to rc.conf
Code:
gateway_enable="YES"
Thanks

I still cannot ping the host, but I am a bit further down the road.

tcpdump was only showing the ICMP traffic from the VPNclient on the tunnel interface and not on the LAN interface. I can now see the ICMP packets from the VPNclient on both:

tcpdump -ni tun0 icmp
tcpdump icmp

Just need to confirm with Wireshark and see where the traffic's being dropped locally.
 
Use sysrc to modify /etc/rc.conf; this way you won't make a syntax error inside /etc/rc.conf, which can cause your FreeBSD to fail to boot.

example:
sysrc gateway_enable="YES"
sysctl net.inet.ip.forwarding=1

The first command, sysrc, will change the gateway_enable variable to YES inside your /etc/rc.conf, so the next time you restart the computer it will set net.inet.ip.forwarding to 1 for you.

The second command will set net.inet.ip.forwarding to 1 without the need to reboot the computer, but it will not retain this setting if you don't have gateway_enable="YES" inside /etc/rc.conf, because by default forwarding is disabled (0).
Thanks

I already modified rc.conf but I will use that command next time to save time.
 
It's working ;-)

It dropped the first few pings (I'm using Ping Lite on iPhone, it's a bit slower), so I jumped to a conclusion.

I can ping the radio


Thanks for the help guys; if you need any network help, let me know.
 
Also,

I've documented the configuration.

Where can I post it to save some other poor soul from all the pointless pain, dead ends and potholes?
 
I don't think so, none of the guides bother to mention it.
Well, this is networking old-school - the basic difference between a machine-on-the-network (one coax cable) and a router (more than one coax cable, and probably a thicker one also).
And from a logical viewpoint, the tunnel is another "cable" on the same machine.

I used the so-called official OpenVPN guide, none of the commands work, and it doesn't even mention IP forwarding. I feel the documentation is deliberately poorly written to drive people towards the paid platform.
Occasionally I get that impression, too. (I never read any "official guide", only occasionally fighting with the manpage.) The piece doesn't give the impression that there is a stringent way of configuring it for a given engineering task; it's rather like "use the defaults/macros and supposedly it should do the right thing" (and nobody knows why). But the underlying code is apparently good.

So I just need this command

net.inet.ip.forwarding=1 ?
You'll get used to that one. ;)
(There is a separate switch for IPv6 if that might get relevant. But OpenVPN with IPv6 is again a fun on its own.)
 