Routing all traffic through a VPN tunnel


I've recently set up an OpenVPN tunnel and would like to route the entire traffic of a client (Windows) through a server (FreeBSD). My goal is that all internet applications on the client (e.g. browser, chat, games) connect to the internet using the IP address of the server rather than the client's IP.

The static OpenVPN tunnel I've configured seems to work nicely; the server side uses "ifconfig" and the client side "ifconfig". On the server, a "ping" reaches the client (and a "ping" works fine on the client). Furthermore, I use "redirect-gateway def1" on the Windows client in order to route all outgoing IP traffic through the VPN (according to "ipconfig", the default gateway is activated successfully on the Windows client).

Because of missing FreeBSD know-how, I was not able to configure the server side so far. There are some forums and wikis which describe the necessary steps on the server side for Linux, but I couldn't find anything for FreeBSD. Under Linux, something like this seems to be sufficient:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE

How do I achieve a similar effect under FreeBSD (using ipfw and/or natd)? Any help is appreciated.

# echo gateway_enable=\"YES\" >> /etc/rc.conf
# echo firewall_enable=\"YES\" >> /etc/rc.conf
# echo firewall_script=\"/path/to/file/with/rules\" >> /etc/rc.conf
# sysctl net.inet.ip.forwarding=1
# kldload ipfw.ko
# kldload ipfw_nat.ko

Firewall script:
ipfw nat 1 config if tun0

# ...usual ipfw rules
ipfw add nat 1 all from to any xmit tun0
ipfw add nat 1 all from any to me recv tun0
# ...rules continued

Reading ipfw(8) and the handbook will also be helpful.

P.S.: After kldload ipfw.ko, by default all packets will be dropped, so you can lock yourself out of the machine if you are working through ssh.
gelraen: is a firewall necessary for this scenario? I also set up the VPN for the same purpose, but I don't have a firewall installed. Thanks!
hurricane_sh, you had better re-check whether all of your traffic is passing through the tunnel; I seriously doubt that :). Unless you are using live IPs in your tunnel configuration.
I know this is an old thread, but I tried the same and it doesn't work.

I want to use my FreeBSD server as the gateway for the whole network to a VPN tunnel. The VPN tunnel is up and works fine on the FreeBSD server. All traffic from the FreeBSD server to the Internet goes through the VPN tunnel. Now I want to route all my clients' traffic through the VPN tunnel on the FreeBSD server.

LAN Network:
Clients: -
FreeBSD Server:

freebsd# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:30:18:4a:ec:d7
        inet6 fe80::230:18ff:fe4a:ecd7%em0 prefixlen 64 scopeid 0x1
        inet netmask 0xffffff00 broadcast
        inet6 2002:5eda:c88c:0:230:18ff:fe4a:ecd7 prefixlen 64 autoconf
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
tun0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
        inet6 fe80::230:18ff:fe4a:ecd7%tun0 prefixlen 64 scopeid 0x7
        inet netmask 0xfffff800 broadcast
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        Opened by PID 43870
freebsd# netstat -nr
Routing tables

Destination        Gateway            Flags    Refs      Use  Netif Expire
                                      UGS         1     1924   tun0 =>
default                               UGS         0    40310    em0
                   link#7             U           0        0   tun0
                   link#7             UHS         0        0    lo0
                                      UGS         1     2605    em0
                   link#5             UH          0    14201    lo0
                                      UGS         0      283   tun0
                   link#1             U           3    37002    em0
                   link#1             UHS         0        0    lo0

As I said, all traffic from the FreeBSD server to the Internet goes directly through the VPN server as it should. But I can't go online on a Windows client with the FreeBSD server as gateway.

NAT is running on tun0:
freebsd# ps -auxw | grep nat
root    1138  0.0  0.1  3440  1332  ??  Is    7:42PM   0:00.00 /sbin/natd -dynamic -m -n tun0

IPFW rules:
freebsd# ipfw show
00100  28600  2585008 allow ip from any to any via lo0
00200      0        0 deny ip from any to
00300      0        0 deny ip from to any
00400      0        0 deny ip from any to ::1
00500      0        0 deny ip from ::1 to any
00600      5      344 allow ipv6-icmp from :: to ff02::/16
00700      0        0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800    274    35160 allow ipv6-icmp from fe80::/10 to ff02::/16
00900      0        0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000      0        0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 174545 18717022 allow ip from any to any
65100      0        0 nat 1 ip from to any xmit tun0
65200      0        0 nat 1 ip from any to me recv tun0
65535      0        0 deny ip from any to any

I created rules 65100 and 65200:
ipfw add nat 1 all from to any xmit tun0
ipfw add nat 1 all from any to me recv tun0
But rule 65000 catches the traffic first; is this the main problem? I can't find the error after some hours of research now.

So thanks for any help!
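As an added example (not code from any of the posts above), here is a small sh script that puts gelraen's recipe and the last post's ruleset side by side: load_rules installs a ruleset in which the nat rule sits before any broad allow, and check_nat_order reads `ipfw show` output and reports when a catch-all allow precedes the first nat rule, which is exactly what rule 65000 does in the listing above. The rc.conf settings from gelraen's answer (gateway_enable, firewall_enable, firewall_script) are still needed and are not repeated here. Assumptions: the interface names em0 and tun0 come from the ifconfig listing above, while the LAN network 192.168.1.0/24, the admin network for ssh, the `fwcmd` variable (the convention FreeBSD's own rc.firewall uses) and the `apply`/`check`/`demo` invocation names are placeholders of this example. The NAT interface must be the one packets leave on toward the Internet: tun0 when the FreeBSD box is itself the VPN client (the last post's setup); when it terminates the tunnel as the server, as in the original question, NAT belongs on the public NIC instead. The single `via` nat rule used here replaces gelraen's xmit/recv pair; both forms are valid, this one also covers the server's own traffic. `deny_in` is a conservative choice that drops unsolicited inbound packets on the VPN uplink.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw in-kernel NAT for a "route
# everything through the tunnel" gateway, plus a rule-order checker.
# Interface names follow the listing in the thread; networks are placeholders.

fwcmd=${fwcmd:-/sbin/ipfw}             # set fwcmd=echo to preview without applying
lan_if=${lan_if:-em0}                  # interface the LAN clients sit on (assumed)
lan_net=${lan_net:-192.168.1.0/24}     # placeholder LAN network
nat_if=${nat_if:-tun0}                 # interface leading to the Internet: tun0 when
                                       # this box is the VPN client, the public NIC
                                       # when it is the VPN server
admin_net=${admin_net:-192.168.1.0/24} # where ssh logins come from (placeholder)

load_rules() {
    ${fwcmd} -q -f flush
    # deny_in: inbound packets on the uplink with no NAT session are dropped
    ${fwcmd} -q nat 1 config if "${nat_if}" same_ports deny_in

    # Anti-lockout first: ipfw denies everything once loaded (see the P.S. in
    # gelraen's answer), so admin ssh must be allowed before anything else.
    ${fwcmd} -q add 100 allow tcp from "${admin_net}" to me 22 in via "${lan_if}" setup keep-state
    ${fwcmd} -q add 110 check-state

    ${fwcmd} -q add 200 allow ip from any to any via lo0
    ${fwcmd} -q add 210 deny ip from any to 127.0.0.0/8
    ${fwcmd} -q add 220 deny ip from 127.0.0.0/8 to any

    # NAT must come BEFORE any broad allow: the first matching rule ends
    # processing, and with net.inet.ip.fw.one_pass=1 (the default) a packet
    # leaving nat is accepted. A catch-all allow ahead of this line turns it
    # into a dead rule, which is what rule 65000 did in the listing above.
    ${fwcmd} -q add 300 nat 1 ip4 from any to any via "${nat_if}"

    ${fwcmd} -q add 400 allow ip from "${lan_net}" to any in via "${lan_if}"   # clients in
    ${fwcmd} -q add 410 allow ip from any to "${lan_net}" out via "${lan_if}"  # de-NATed replies out
    ${fwcmd} -q add 420 allow ip from me to any out                            # the server's own traffic
    ${fwcmd} -q add 65534 deny ip from any to any
}

# Reads `ipfw show`/`ipfw list` output (or the echoed commands above) on stdin.
# Prints "ok" and returns 0, or prints MISORDERED and returns 1 when a
# catch-all "allow ip from any to any" (other than the lo0 one) comes first.
check_nat_order() {
    awk '
        / nat [0-9]+ (ip|ip4|all) / && !nat_at            { nat_at = NR }
        /allow ip from any to any/ && !/via lo0/ && !allow_at { allow_at = NR }
        END {
            if (allow_at && (!nat_at || allow_at < nat_at)) {
                print "MISORDERED: catch-all allow on line " allow_at \
                      " precedes first nat rule" (nat_at ? " on line " nat_at : "")
                exit 1
            }
            print "ok"
        }'
}

# Constructed sample in the shape of `ipfw show`, reproducing the ordering
# from the last post above (the LAN network is a placeholder).
sample_show='00100  28600  2585008 allow ip from any to any via lo0
00200      0        0 deny ip from any to 127.0.0.0/8
65000 174545 18717022 allow ip from any to any
65100      0        0 nat 1 ip from 192.168.1.0/24 to any xmit tun0
65200      0        0 nat 1 ip from any to me recv tun0
65535      0        0 deny ip from any to any'

demo_check() {
    printf '%s\n' "$sample_show" | check_nat_order
}

case "${1:-}" in
    apply) load_rules ;;                        # run as root on the gateway
    check) ${fwcmd} show | check_nat_order ;;   # audit the live ruleset
    demo)  demo_check ;;                        # show the checker on the sample
esac
```

Preview the ruleset without touching the firewall with `fwcmd=echo sh vpn-nat.sh apply`, and run `sh vpn-nat.sh demo` to see the checker flag the sample listing; `sh vpn-nat.sh check` audits the ruleset currently loaded.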