From owner-freebsd-net@FreeBSD.ORG Fri Dec 19 13:00:59 2008
Date: Fri, 19 Dec 2008 14:03:44 +0100
From: VANHULLEBUS Yvan
To: Noah Silverman
Cc: freebsd-net@freebsd.org
Subject: Re: Surf outside Internet through VPN
Message-ID: <20081219130344.GA38912@zeninc.net>
List-Id: Networking and TCP/IP with FreeBSD

On Fri, Dec 19, 2008 at 03:23:57AM -0800, Noah Silverman wrote:
> Hello,

Hi.

> I want to find a way to pass ALL traffic from my laptop THROUGH my
> office VPN and then out to the Internet. This is a "road warrior"
> setup. This gives me a few benefits: 1) I can check my email securely
> through VPN. 2) No matter where I am, I will always have the external
> IP of my VPN server when accessing the web.
>
> I have set up a VPN. Was able to get it working with either tun or tap
> interfaces. That part seems OK.

Ok, I'll guess you're using an IPsec VPN.

> Now what?? (I can see and connect to the VPN server with '10.0.8.1'
> easily. I can't see or connect to the outside world.) Do I need to
> add some kind of special route in the routing table?
>
> Would this be better as a tun or using a bridge through tap?

If you're using a tun interface and can access your remote gate through
the tunnel, you may just have to add a default route to this remote gate
(warning: ensure you still have some static routes to access the public
IP of the gate, so your tunnel won't match the default route, which is
reachable through the tunnel....).

You can also just use "simple" IPsec without gif, and you'll have SPD
entries like:

spdadd myip 0.0.0.0/0 any -P out ipsec esp/tunnel/mypublicIP-GatepublicIP/unique;

for outgoing traffic (and the reverse SPD entry for incoming traffic).

Please note that, for IPsec (and for IKE negotiations), 0.0.0.0/0 does
NOT mean "any IP", it REALLY means "the network with base address
0.0.0.0 and 0 bits of netmask".

Yvan.
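Both of Yvan's suggestions as one FreeBSD shell script, added here as an example and not part of the thread. The addresses (LOCAL_PUBLIC, PHYS_GW, GATE_PUBLIC, TUN_REMOTE) are constructed placeholders, and the script assumes FreeBSD's route(8) and setkey(8); it prints the commands by default and only changes the system when told to apply them.

```shell
#!/bin/sh
# Added example, not from the list post. Constructed addresses:
#   LOCAL_PUBLIC  the laptop's current public IP (Yvan's "myip"/"mypublicIP")
#   PHYS_GW       the laptop's normal next hop on the physical interface
#   GATE_PUBLIC   the VPN gate's public IP (Yvan's "GatepublicIP")
#   TUN_REMOTE    the gate's inner address, reachable through the tun interface
LOCAL_PUBLIC=203.0.113.10
PHYS_GW=203.0.113.1
GATE_PUBLIC=198.51.100.1
TUN_REMOTE=10.0.8.1

# Option 1 (tun interface): route(8) commands in the order that avoids the loop
# Yvan warns about. The host route to the gate's public IP is pinned to the
# physical next hop BEFORE the default route moves into the tunnel; otherwise
# the encapsulated packets themselves would match the new default route and be
# sent back into the tunnel instead of out to the gate.
tun_route_cmds() {
    printf 'route add -host %s %s\n' "$GATE_PUBLIC" "$PHYS_GW"
    printf 'route change default %s\n' "$TUN_REMOTE"
}

# Option 2 (plain IPsec, no gif/tun): setkey(8) SPD entries for both directions.
# 0.0.0.0/0 is the literal /0 network selector, not a wildcard, so the IKE
# phase 2 negotiation has to carry exactly that selector (Yvan's last point).
spd_config() {
    cat <<EOF
spdflush;
spdadd $LOCAL_PUBLIC 0.0.0.0/0 any -P out ipsec esp/tunnel/$LOCAL_PUBLIC-$GATE_PUBLIC/unique;
spdadd 0.0.0.0/0 $LOCAL_PUBLIC any -P in ipsec esp/tunnel/$GATE_PUBLIC-$LOCAL_PUBLIC/unique;
EOF
}

# Dry run by default. "apply tun" or "apply ipsec" changes the running system
# (root required): routes are executed with sh -ex, SPD entries fed to setkey -c.
case "$1" in
    apply)
        case "$2" in
            tun)   tun_route_cmds | sh -ex ;;
            ipsec) spd_config | setkey -c ;;
            *)     echo "usage: $0 [apply tun|ipsec]" >&2; exit 2 ;;
        esac ;;
    *)
        echo "# tun mode:";   tun_route_cmds
        echo "# ipsec mode:"; spd_config ;;
esac
```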