Date: Sat, 9 Nov 2019 16:31:10 -0500
From: Phil Staub <phil@staub.us>
To: freebsd-pf@freebsd.org
Subject: Re: NAT for use with OpenVPN
Message-ID: <CAMnCm8gBqiTaohPvGvWARR3ECW3PK33_Fy3UdQM9-zC1u0mqEg@mail.gmail.com>
In-Reply-To: <CAMnCm8hQFC3PmJfRU5x_07zLZjUwKtXMGCSf6B-N4K6kR14Bgg@mail.gmail.com>
References: <CAMnCm8jmZJ6r8f_byUUMOmPr%2B3QeH_xB1zCx_SD%2BHvc2YF55Vw@mail.gmail.com> <CAMnCm8hQFC3PmJfRU5x_07zLZjUwKtXMGCSf6B-N4K6kR14Bgg@mail.gmail.com>
Looks like I spoke too soon that I had it working. See comments inline, including a note to Morgan Wesstrom.

On Sat, Nov 9, 2019 at 2:02 PM Phil Staub <phil@staub.us> wrote:

> Further investigation suggests that I needed to add client-config-dir to
> my OpenVPN server.conf file and create a client file with ifconfig-push in
> it to eliminate the 'bad source address' warning. However, I am still
> unable to get the NAT to work. I've been staring at the PF chapter in the
> handbook, and I can't get a good handle on how the example they provide
> works so that I can modify it for my use.
>
> Here is the example I'm trying to parse:
>
> ext_if = "xl0" # macro for external interface - use tun0 for PPPoE
> int_if = "xl1" # macro for internal interface
> localnet = $int_if:network
> # ext_if IP address could be dynamic, hence ($ext_if)
> nat on $ext_if from $localnet to any -> ($ext_if)
> block all
> pass from { lo0, $localnet } to any keep state
>
> In my case, I'm using "tun0" as the internal interface and "em0" as the
> external interface. I also specify the (fixed) address of my server on my
> local address.
>
> However, this is clearly not what is needed, because the 'block all' locks
> out everything trying to access the server machine from other machines on
> the local net.
>
> So I removed the 'block all'. I also made a couple of other modifications.
> Here's what I have now:
>
> ext_if = "em0" # macro for external interface - use tun0 for PPPoE
> int_if = "tun0" # macro for internal interface
> localnet = $int_if:network
>
> nat on $ext_if from $localnet to any -> <server's IP>
> pass from $localnet to any keep state
>
> This seems to be working, except that I get some warnings in the OpenVPN
> log about "PID_ERR replay-window backtrack occurred [1] [SSL-0]"

Haven't seen this error for a while, but something I've changed along the way has broken it again.

I see the reply from Morgan Wesstrom. I'm having trouble responding to it so far. I guess I don't have my list options set right. Anyway, Morgan, I appreciate your comments and I'll respond in more detail, but one of the things I know you asked was about the physical configuration of my setup, so I'll describe that here.

Internet -> Arris 6141 modem -> Netgear R6400.2 router/firewall -> threepio.mynetgear.com (FreeBSD)

I don't use the VPN on the Netgear router, because I don't believe it can be configured with custom keys and certificates. My old ASUS router had OpenVPN running on it and could be re-configured. That served me well for several years, but it died last week. I selected the Netgear partially because it was advertised to have VPN capability.

threepio is one of several machines on my local network inside the firewall. I have two laptops (one Ubuntu, the other dual-boot Windows and Ubuntu) that I use when I'm away from home and use OpenVPN on them. I also use OpenVPN on my smartphones.

I haven't had time to digest all of your reply yet, but I'll study it some more and try some more experiments based on your comments.

Thanks again.

Phil

> Three questions:
>
> 1. Is this error something I need to be concerned about?
>
> 2. Since the router I have between the server machine and the internet has
> a firewall, do I need to worry about any other rules in the pf ruleset?
> (i.e. is it safe to use my modified version of the handbook example?)
>
> 3. I don't intend to change the server machine's IP address, so I
> eliminated the "($ext_if)" and replaced it with the server's static
> address. Using the ($ext_if) and running pfctl -vnf /etc/pf.conf results in
> reporting "(em0) round robin" instead of the actual IP of the server. This
> seems to work, but is it really necessary?
>
> Thanks,
> Phil
>
>
> On Thu, Nov 7, 2019 at 3:48 PM Phil Staub <phil@staub.us> wrote:
>
>> I'm attempting to set up OpenVPN on a FreeBSD 12.1-RELEASE box. I'd like
>> for it to allow remote clients to access the internet via the server box's
>> connection.
>>
>> It appears that OpenVPN is working, because new connections are
>> logged, but I also get this message in the log:
>>
>> Thu Nov 7 15:43:17 2019 us=289157 han/67.175.144.37:61307 MULTI: bad
>> source address from client [::], packet dropped
>>
>> And the attached client doesn't have internet access.
>>
>> So, I'm assuming I need to set up PF to NAT between tun0 and em0.
>>
>> I tried looking in the FreeBSD handbook in the chapter on PF, but that's
>> like drinking from a fire hose, and I'm sure there is much more detail
>> there than I need to know.
>>
>> Can someone point me to a concise description of how to achieve this?
>>
>> Thanks,
>> Phil
>>
>>
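An added example, not Phil's ruleset and not the Handbook's, of a complete /etc/pf.conf for the setup described in this thread: OpenVPN clients on tun0 are NATed out through em0 with the Handbook's ($ext_if) form, and a default deny is kept without locking LAN hosts out of the server. It assumes the VPN subnet is 10.8.0.0/24, the home LAN is 192.168.1.0/24 and OpenVPN listens on UDP 1194; all three are placeholders to adjust.

```pf
# Added example (not from the thread or the FreeBSD Handbook): /etc/pf.conf
# that NATs OpenVPN clients on tun0 out through em0 while keeping a default
# deny and still letting hosts on the wired LAN reach the server itself.
ext_if  = "em0"              # interface toward the Netgear router
int_if  = "tun0"             # OpenVPN server interface
vpn_net = "10.8.0.0/24"      # ASSUMED: must match the "server" line in server.conf
lan_net = "192.168.1.0/24"   # ASSUMED: address range of the home LAN
ovpn_port = "1194"           # ASSUMED: OpenVPN listening port (UDP)

# Loopback traffic is never filtered.
set skip on lo0

# Translation rules must precede filter rules in pf.conf. The parentheses
# make pf look up em0's address at run time, which is why "pfctl -vnf"
# prints "(em0) round robin" instead of a fixed IP; it still works with a
# static address and keeps working if that address ever changes.
nat on $ext_if from $vpn_net to any -> ($ext_if)

# Default deny, then open only what is needed.
block all

# Remote OpenVPN clients reach the daemon through the router's port forward.
pass in on $ext_if proto udp to ($ext_if) port $ovpn_port keep state

# Hosts on the LAN may still reach services on this server (e.g. ssh).
# Without this rule "block all" cuts the server off from the local net.
pass in on $ext_if from $lan_net to ($ext_if) keep state

# VPN clients may originate traffic; the state entry admits the replies.
pass in on $int_if from $vpn_net keep state

# Traffic the server itself originates, plus forwarded VPN traffic, may leave.
pass out on $ext_if keep state
pass out on $int_if keep state
```

Check the file with pfctl -nf /etc/pf.conf before loading it, and make sure forwarding is enabled (gateway_enable="YES" in /etc/rc.conf), otherwise the server will not forward VPN client packets to em0 at all, NAT or no NAT.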