From: Geert Hendrickx
To: freebsd-questions@freebsd.org
cc: jef@hendrickx.be
Date: Sat, 21 Aug 2004 00:25:29 +0200
Message-ID: <20040820222529.GA53077@lori.mine.nu>
Subject: configuration of ip addresses on vpn router

Hi,

I have set up a VPN with OpenVPN (ports/security/openvpn). It works fine on the clients behind either router, but I'm still having a little problem with it.

Setup is like this:

    LAN 192.168.1.x
          |
          |
    192.168.1.20
    VPN-router (FreeBSD)
    10.0.0.1
          |
          |
    10.0.0.2
    VPN-router (OpenBSD)
    10.65.28.20
          |
          |
    10.65.28.x LAN

where the 10.0.0.x are virtual devices (/dev/tun0); they are tunneling the traffic through hardware routers which are connecting both sites to the Internet.

Now when I make a connection from, say, 192.168.1.210 to 10.65.28.38, packets are sent across the networks ok. But when I make a connection from 192.168.1.20 (the vpn router itself) to 10.65.28.38, the latter one sees the packets coming from 10.0.0.1, and it does not know how to route them back.

I could solve this by adding extra routes (either on each client or on the hardware routers which are the default route for each site), but then there still is a problem if I want to restrict access to some services, based on ip address. I would have to allow access from the 10.65.28.x network, the 192.168.1.x network (that's ok), but also from the 10.0.0.x network (which is only virtual). This may seem correct, but I'm having problems with the fact that the clients get to see these addresses. They shouldn't.

When I make a connection from one of the vpn-routers to any of the clients, I want the source address to be 192.168.1.20, not 10.0.0.1 (or 10.65.28.20, not 10.0.0.2, respectively). Is that possible?

GH
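The behaviour described in the mail, reproduced with a small routing-table model (an added example, not part of the original post). The tables are constructed from the diagram above; interface names, the LAN gateway addresses 192.168.1.1 and 10.65.28.1, and the extra client route are assumptions. It shows why a packet the FreeBSD router originates itself carries 10.0.0.1 (the address of the interface its route points out of) while a forwarded packet keeps its own source, and why the remote client's reply is lost until a route for 10.0.0.0/24 exists.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match over (prefix, iface, iface_addr, gateway) rows."""
    dst, best = ipaddress.ip_address(dst), None
    for row in table:
        net = ipaddress.ip_network(row[0])
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, row)
    return best[1] if best else None

def source_address(table, src, dst):
    """Source address a BSD host puts on a packet to dst. src=None means the host
    originates the packet, so it uses the outgoing interface's address (tun0 -> 10.0.0.1)."""
    r = lookup(table, dst)
    return None if r is None else (src or r[2])

# FreeBSD VPN router (interface names and the 192.168.1.1 default gateway are assumptions).
FREEBSD = [
    ("192.168.1.0/24", "em0",  "192.168.1.20", None),
    ("10.0.0.0/24",    "tun0", "10.0.0.1",     None),        # the tunnel itself
    ("10.65.28.0/24",  "tun0", "10.0.0.1",     "10.0.0.2"),  # remote LAN via OpenVPN
    ("0.0.0.0/0",      "em0",  "192.168.1.20", "192.168.1.1"),
]
# OpenBSD VPN router and the remote hardware router (10.65.28.1 assumed).
OPENBSD = [
    ("10.0.0.0/24",    "tun0", "10.0.0.2",    None),
    ("10.65.28.0/24",  "xl0",  "10.65.28.20", None),
    ("192.168.1.0/24", "tun0", "10.0.0.2",    "10.0.0.1"),
]
HW_ROUTER = [("10.65.28.0/24", "lan", "10.65.28.1", None)]  # knows nothing of 10.0.0.0/24
ROUTERS = {"10.65.28.1": HW_ROUTER, "10.65.28.20": OPENBSD}
# Client 10.65.28.38: only a default route to the hardware router.
CLIENT = [
    ("10.65.28.0/24", "xl0", "10.65.28.38", None),
    ("0.0.0.0/0",     "xl0", "10.65.28.38", "10.65.28.1"),
]
# The "extra route on each client" option from the mail (assumed next hop 10.65.28.20).
CLIENT_EXTRA_ROUTE = CLIENT + [("10.0.0.0/24", "xl0", "10.65.28.38", "10.65.28.20")]

def reply_delivered(client_table, dst="10.0.0.1"):
    """Follow the client's reply hop by hop; False if some hop has no route."""
    table = client_table
    for _ in range(4):                      # bound the hop count
        r = lookup(table, dst)
        if r is None:
            return False                    # "does not know how to route them back"
        if r[3] is None:
            return True                     # directly connected: delivered
        table = ROUTERS.get(r[3], [])       # unknown next hop: empty table, dropped
    return False
```

Calling `source_address(FREEBSD, None, "10.65.28.38")` returns "10.0.0.1" while the forwarded case returns "192.168.1.210", and `reply_delivered(CLIENT)` is False until the extra route is added.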