[Solved] Gateway redirection with OpenVPN on FreeBSD 9

Hello,

I have been trying to get gateway redirection to work with OpenVPN. I have one server and one client in the OpenVPN network. I have tried this setup with two separate servers (one running 9.1 and the other running 9.2) and with both, traffic redirection is not successful. I am able to ping the server from the client and vice versa but when I try to ping to a public IP address (e.g. 8.8.8.8), no responses are received.

I have set multiple options in the file /etc/rc.conf:
Code:
gateway_enable="YES"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
openvpn_if="tun"
I have checked sysctl net.inet.ip.forwarding which returns 1.

In the file /usr/local/etc/openvpn/server.conf I have:
Code:
server 10.0.8.0 255.255.255.0
push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
These are the relevant lines.

There is no firewall enabled on the servers or client.

In tcpdump, these are the relevant lines seen:
tcpdump -i re0:
Code:
12:10:04.016046 IP 10.0.8.4 > google-public-dns-a.google.com: ICMP echo request, id 3516, seq 1, length 64
tcpdump -i tun0:
Code:
12:10:04.016017 IP 10.0.8.4 > google-public-dns-a.google.com: ICMP echo request, id 3516, seq 1, length 64

It seems to me that the system is not substituting the public IP of the server before sending the packet generated on tun0 outwards through re0. Please let me know if there are additional options that I need to enable, or if you would like to request more information about the setup.

Thank you.
 
Re: Gateway redirection with OpenVPN on FreeBSD 9

You must use NAT of some sort, pf(4) is probably the easiest to set up. This is the minimum you need in the rules:

Code:
nat on $ext_if inet from $vpnnet to any -> $ext_if

Where ext_if is re0 and vpnnet is 10.0.8.0/24.
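A complete minimal /etc/pf.conf built around that rule, as an added example (not posted in the thread); it assumes re0 and 10.0.8.0/24 from the original post and that the VPN interface is tun0:

```pf
# /etc/pf.conf -- added example; assumes ext_if is re0 and the OpenVPN
# subnet is 10.0.8.0/24 as in the original post, and that the tunnel is tun0.
ext_if = "re0"
vpn_if = "tun0"
vpnnet = "10.0.8.0/24"

# Translation rules must come before filter rules in pf.conf.
# Source-NAT everything from the VPN subnet as it leaves re0, so replies
# from the internet come back to the server's public address instead of
# to an RFC 1918 address that nobody upstream can route. The parentheses
# make pf re-read re0's address if it changes (e.g. DHCP).
nat on $ext_if inet from $vpnnet to any -> ($ext_if)

# pf passes traffic that matches no block rule, so filter rules are not
# required for the NAT to work; this is a minimal explicit policy.
pass in on $vpn_if inet from $vpnnet to any keep state
pass out on $ext_if inet keep state

# To activate and verify (typed at a root shell, not part of pf.conf):
#   add pf_enable="YES" to /etc/rc.conf, then: service pf start
#   pfctl -nf /etc/pf.conf      # parse the file without loading it
#   pfctl -s nat                # the nat rule should be listed
#   pfctl -s state              # shows translated ICMP/UDP/TCP sessions
```

After loading this, `tcpdump -i re0` during a ping from the client should show the server's public address as the source instead of 10.0.8.4, and the echo replies should appear on tun0.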
 
Re: Gateway redirection with OpenVPN on FreeBSD 9

kpa said:
You must use NAT of some sort, pf(4) is probably the easiest to set up. This is the minimum you need in the rules:

Code:
nat on $ext_if inet from $vpnnet to any -> $ext_if

Where ext_if is re0 and vpnnet is 10.0.8.0/24.

Thank you, @kpa. That turns out to be the missing link. I had discussed the matter on IRC and had gotten the idea that the NAT was not necessary. However, putting the NAT rule in place makes things work.
 
NAT is not necessary if the goal of the VPN is to access just the VPN server it connects to and the immediate local networks. If the goal is to redirect all traffic over the VPN and use the VPN tunnel for accessing the internet, the private-range RFC 1918 addresses handed out to the VPN clients must be hidden somehow, and that's why NAT is needed.
 