Hi,
I have a running OpenVPN network with several clients and a server (all machines run FreeBSD 11 64-Bit). The machines can successfully talk to each other over the VPN. Where I'm hitting a wall is when it comes to gateway redirection: What I want is that the entire internet traffic of all OpenVPN clients is routed through that OpenVPN server. For this, I added/enabled the following lines in my OpenVPN server config:
Code:
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"
I have added this line to my OpenVPN client config:
Code:
redirect-gateway def1
After restarting all OpenVPN instances, I am able to ping a public IP address from a client through the server:
Code:
root@client:~ % ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=60 time=29.962 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=60 time=29.189 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=60 time=29.796 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=60 time=28.933 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 28.933/29.470/29.962/0.423 ms
traceroute confirms that the traffic is indeed being routed through the OpenVPN server (10.8.0.1):
Code:
root@client:~ # traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 40 byte packets
1 10.8.0.1 (10.8.0.1) 22.585 ms 22.661 ms 22.555 ms
2 80.74.128.21 (80.74.128.21) 23.333 ms 24.108 ms 22.632 ms
3 195.143.102.237 (195.143.102.237) 23.173 ms 22.980 ms 22.795 ms
4 212.23.43.238 (212.23.43.238) 27.905 ms 34.365 ms 34.623 ms
5 74.125.50.93 (74.125.50.93) 33.874 ms 28.433 ms 28.529 ms
6 108.170.251.193 (108.170.251.193) 29.994 ms * *
7 216.239.59.113 (216.239.59.113) 28.318 ms
72.14.232.61 (72.14.232.61) 28.218 ms
216.239.56.159 (216.239.56.159) 29.904 ms
8 8.8.8.8 (8.8.8.8) 28.477 ms 28.501 ms 28.576 ms
Looking at the client's /etc/resolv.conf I can see that the wrong nameservers are set:
Code:
root@client:~ # cat /etc/resolv.conf
# Generated by resolvconf
nameserver 84.22.106.7
nameserver 84.22.106.8
The client doesn't have any firewall enabled and the server runs pf with the following configuration:
Code:
vpnclients = "10.8.0.0/24"
wanint = "igb0"
vpnint = "tun0"
# OpenVPN by default runs on udp port 1194
udpopen = "{1194}"
icmptypes = "{echoreq, unreach}"
set skip on lo
# the essential line
nat on $wanint inet from $vpnclients to any -> $wanint
block in
pass in on $wanint proto udp from any to $wanint port $udpopen
# the following two lines could be made stricter if you don't trust the clients
pass out quick
pass in on $vpnint from any to any
pass in inet proto icmp all icmp-type $icmptypes
# SSH
pass in quick on $wanint proto tcp from any to any port ssh flags S/SA keep state
I'm out of guesses - any ideas?
Any help would be much appreciated.
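Added example (not from the original poster or from the OpenVPN project): the symptoms above, a working route push but an untouched /etc/resolv.conf, match how OpenVPN behaves on Unix-like clients. A pushed "dhcp-option DNS ..." is never applied by OpenVPN itself; it is only exported to an up/down script as environment variables foreign_option_1, foreign_option_2, ..., and the client config needs "script-security 2" plus "up"/"down" lines pointing at such a script. The script below is one way to write that hook for a FreeBSD client that already manages resolv.conf with resolvconf(8), as the "# Generated by resolvconf" header in the post suggests. The install path /usr/local/etc/openvpn/update-resolv.sh, the DNS and DOMAIN values used in the comments, and the is_ipv4 filter that drops malformed pushed addresses are assumptions made for the example; script_type, dev and foreign_option_N are the variable names OpenVPN sets.

```shell
#!/bin/sh
# Added example, not the original post's code: OpenVPN client "up"/"down" hook for FreeBSD.
# Assumed client config lines (paths are an assumption):
#   script-security 2
#   up   /usr/local/etc/openvpn/update-resolv.sh
#   down /usr/local/etc/openvpn/update-resolv.sh
# OpenVPN exports each pushed option as foreign_option_N="dhcp-option DNS 8.8.4.4" etc.
# and sets script_type (up|down) and dev (e.g. tun0) when it runs this script.

# Accept only a dotted-quad IPv4 address; anything else a server pushes is ignored
# rather than written into resolv.conf by a script running as root.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Walk foreign_option_1, foreign_option_2, ... until the first unset one and print
# resolvconf(8) input: one "nameserver" line per pushed DNS server and a "search"
# line for a pushed DOMAIN. Output goes to stdout so it can be piped or tested.
dns_from_foreign_options() {
    i=1
    while true; do
        eval "opt=\${foreign_option_${i}:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                addr=${opt#"dhcp-option DNS "}
                if is_ipv4 "$addr"; then
                    printf 'nameserver %s\n' "$addr"
                fi
                ;;
            "dhcp-option DOMAIN "*)
                dom=${opt#"dhcp-option DOMAIN "}
                # hostname characters only; drop anything else
                case "$dom" in
                    *[!A-Za-z0-9.-]*) ;;
                    *) printf 'search %s\n' "$dom" ;;
                esac
                ;;
        esac
        i=$((i + 1))
    done
}

# $1 = up|down, $2 = tunnel interface. FreeBSD ships resolvconf as /sbin/resolvconf:
# "-a iface" registers the config read from stdin, "-d iface" removes it again,
# so the pre-VPN nameservers come back when the tunnel goes down.
apply_resolvconf() {
    case "$1" in
        up)   dns_from_foreign_options | /sbin/resolvconf -a "$2" ;;
        down) /sbin/resolvconf -d "$2" ;;
    esac
}

# Only act when invoked by OpenVPN (script_type is set); sourcing the file for a
# test leaves the functions defined without touching the system.
if [ -n "${script_type:-}" ]; then
    apply_resolvconf "$script_type" "${dev:-tun0}"
fi
```

After installing the script (mode 0755) and restarting the client, "cat /etc/resolv.conf" should list the pushed servers while the tunnel is up. If the server should also answer DNS for clients, the pf rules in the post would additionally need to pass udp/tcp port 53 from $vpnclients; as posted they only NAT and forward, which is why ping by address already works.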