SSH VPN routing/NAT for Road Warrior?

I am trying to configure an SSH VPN (using its -w option) to secure my FreeBSD laptop's Internet connection whilst on the road. So far I have the actual VPN connection, but I am quite confused as to how I should best go about doing the routing required to route all of the laptop's traffic through the VPN.

The current configuration is very simple, FreeBSD laptop connecting to FreeBSD server:

Laptop, re0: 192.168.1.2, gateway: 192.168.1.1, tun0: 10.0.3.2

Laptop, /root/.ssh/config:
Code:
Host FreeBSDServer
  HostName 22.22.22.22
  User root
  IdentityFile ~/.ssh/id_rsa
  Tunnel yes
  TunnelDevice 0:any
  PermitLocalCommand yes
  LocalCommand /bin/echo > /dev/tun0; /sbin/ifconfig tun0 10.0.3.2/30 10.0.3.1

Server, em0: 22.22.22.22, Gateway: 22.22.22.1, tun0: 10.0.3.1

Server, /root/.ssh/authorized_keys:
Code:
tunnel="0",command="/sbin/ifconfig tun0 10.0.3.1/30 10.0.3.2" ssh-rsa <PUBLIC KEY HERE> == me@Laptop

The tunnel is created when SSH'ing to the server and the machines can ping each other via 10.0.3.1 and 10.0.3.2, but I am unsure how to best proceed in order to get all of the laptop's traffic going via the server.

On the laptop I can add a route to the server via the laptop's existing gateway (22.22.22.22 via 192.168.1.1), then change the laptop's default route to the tunnel IP of the FreeBSD server (10.0.3.1). This results in traffic being passed to the VPN; when setting sysctl net.inet.ip.forwarding=1 I can see ICMP requests on the server via tcpdump on both em0 and tun0, but no ICMP replies.

What is the best way to finish this? I assume I need some form of NAT, for example using pf or natd?

If anyone can provide me with some examples I would be extremely grateful! :)
 
I now seem to have a working setup doing NAT via pf.

I have added two route changes to the LocalCommand section of the laptop's /root/.ssh/config.

On the laptop:

Add additional routes, /root/.ssh/config
Code:
Host FreeBSDServer
  HostName 22.22.22.22
  User root
  IdentityFile ~/.ssh/id_rsa
  Tunnel yes
  TunnelDevice 0:any
  PermitLocalCommand yes
  LocalCommand /bin/echo > /dev/tun0; /sbin/ifconfig tun0 10.0.3.2/30 10.0.3.1; /sbin/route add -host 22.22.22.22 192.168.1.1; /sbin/route change default 10.0.3.1

On the Server:

Enable IP forwarding with sysctl net.inet.ip.forwarding=1 and in /etc/sysctl.conf:
Code:
net.inet.ip.forwarding=1

Configure NAT in /etc/pf.conf:
Code:
nat on em0 from 10.0.3.2 to any -> (em0)

If anyone can point out any glaring errors, or has any suggestions, please post them!

What other methods could be used if pf were not available?
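One way to make the laptop side of this setup survive changing networks, as an added example that is not from the post: the current gateway is read from route(8) rather than hard-coded in LocalCommand, the routes are applied in the order the post found necessary (host route to the server first, then the default route), and the original default route is restored when the SSH session ends. The server and tunnel addresses are the thread's; the script name and state-file path are assumptions.

```shell
#!/bin/sh
# vpn-route.sh: laptop-side route handling for the ssh -w tunnel above.
# Added example, not from the post. Assumes FreeBSD route(8)/ifconfig(8);
# the state-file path is an assumption, the addresses come from the thread.
SERVER=22.22.22.22            # FreeBSD server's public address
TUN_IF=tun0
TUN_LOCAL=10.0.3.2
TUN_REMOTE=10.0.3.1
STATE=/var/run/vpn-route.gw   # where the pre-VPN default gateway is remembered

# Pull the gateway out of `route -n get default` output read on stdin.
# Exit status 1 when no gateway line is present (e.g. no network yet).
gateway_from_route_output() {
    awk '$1 == "gateway:" { print $2; found = 1 } END { exit !found }'
}

current_gateway() {
    route -n get default 2>/dev/null | gateway_from_route_output
}

# Bring routing up: run from LocalCommand once the tunnel is open.
vpn_up() {
    gw=$(current_gateway) || { echo "no default gateway found" >&2; return 1; }
    printf '%s\n' "$gw" > "$STATE"
    /bin/echo > /dev/"$TUN_IF"          # same device-open step as in the post
    ifconfig "$TUN_IF" "$TUN_LOCAL/30" "$TUN_REMOTE"
    # The host route to the server goes in BEFORE the default route moves,
    # otherwise the SSH session carrying the tunnel would itself be routed
    # into the tunnel. Reconnects may find the host route already present.
    route add -host "$SERVER" "$gw" 2>/dev/null || route change -host "$SERVER" "$gw"
    route change default "$TUN_REMOTE"
}

# Restore the original default route after ssh exits.
vpn_down() {
    gw=$(cat "$STATE" 2>/dev/null) || { echo "no saved gateway" >&2; return 1; }
    route change default "$gw"
    route delete -host "$SERVER"
    rm -f "$STATE"
}

case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Point LocalCommand at `/path/to/vpn-route.sh up` and run `/path/to/vpn-route.sh down` after ssh returns, so the laptop's default route is put back even when the tunnel drops.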
 