Date: Sun, 10 Nov 2019 18:51:22 -0500
From: Phil Staub <phil@staub.us>
To: Morgan Wesström <freebsd-database@pp.dyndns.biz>
Cc: freebsd-pf@freebsd.org
Subject: Re: Fwd: NAT for use with OpenVPN
Message-ID: <CAP9XWJm2gAC0VjTejP08X0T8ar_ZS1e7PqjAy8iOMRhfBU_3mA@mail.gmail.com>
In-Reply-To: <ba536474-57b4-37b0-d076-a1c4561d181e@pp.dyndns.biz>
References: <mailman.6.1573387200.62111.freebsd-pf@freebsd.org> <CAMnCm8gO+dZwEKdM3iKwrNoxNDZmFZ8EUo=Mrh0+OQ+SE_SO8w@mail.gmail.com> <1cebcd5e-d9ed-53db-2d01-c8794933d1c4@pp.dyndns.biz> <80ec074d-7a5d-7016-57e4-f607384d0e20@pp.dyndns.biz> <CAMnCm8iz7DcgTM_tPR5ZGZQwPXXcahVbyqw0Wzufkr93xVszpg@mail.gmail.com> <CAMnCm8jZH8ZULq8CKeZF_t4eBEBH5QAsaPKBtxK0WCWGe_OXDA@mail.gmail.com> <ba536474-57b4-37b0-d076-a1c4561d181e@pp.dyndns.biz>
On Sun, Nov 10, 2019 at 5:27 PM Morgan Wesström <freebsd-database@pp.dyndns.biz> wrote:

> > Do packets with 10.8.0.x addresses ever actually make it on the wire
> > between the router and the OpenVPN server? I was under the impression that
> > the encrypted packets created a tunnel at which the IP address is only
> > known at the endpoints, which means the OpenVPN client and server
> > processes, and nothing in between has any access to anything that is going
> > on within the tunnel. If this is the case, I wouldn't think the router
> > needs to know how to deal with 10.8.0.x packets.
> >
> > Furthermore, this pretty much HAS to be the case. The 10.8.0.x addresses
> > can't be routed across the internet, so the only way they could exist on my
> > private network would be as a result of NATing on the part of the router,
> > and I'm pretty sure this isn't happening.
> >
> > But then this re-opens the question of how the connection happens between
> > the server end of the tunnel (10.8.0.1) and the public interface at
> > 192.168.1.200. It would seem that there needs to be some routing
> > information within OpenVPN that makes that connection.
> >
> > Am I way off here?
> >
> > Phil
>
> Look at it this way. The VPN software has the same effect as if the
> client was located in your house and directly connected with a cable to
> your 10.8.0.0/24 subnet. Any configuration to support this must be done
> on the FreeBSD machine as well as your router. The router will
> definitely see the 10.8.0.0/24 addresses on its LAN interface but as you
> note, these addresses will never show up on the external interface. Your
> NAT will exchange these addresses on the fly and any traffic between the
> OpenVPN endpoints will be encrypted and encapsulated in another ip
> packet where only the external public ip addresses are shown.
>
> At this point I started to write a detailed description of how a packet
> is transferred from your client over the VPN tunnel and then onto the
> Internet and to its destination but it got overly complicated and
> probably won't help you at this point. :) Let's instead start to get
> some more info from your network. When your client is connected, can you
> please provide the output of the following commands on both the client
> and the FreeBSD machine?
>
> # ifconfig -a
> # netstat -rn
>
> I need to see how the ip stack is configured on each machine and how the
> routing tables look.

OK. Here it comes:

root@threepio:/usr/local/etc/openvpn # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         em0
10.8.0.0/24        10.8.0.2           UGS        tun0
10.8.0.1           link#4             UHS         lo0
10.8.0.2           link#4             UH         tun0
127.0.0.1          lo0                UHS         lo0
192.168.1.0/24     link#1             U           em0
192.168.1.200      link#1             UHS         lo0
192.168.1.201      link#1             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               lo0                           UHS         lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#2                        U           lo0
fe80::1%lo0                       link#2                        UHS         lo0
fe80::%tun0/64                    link#4                        U          tun0
fe80::6a05:caff:fe3b:a7c7%tun0    link#4                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0

root@threepio:/usr/local/etc/openvpn # ifconfig -a
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=81249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER>
	ether 68:05:ca:3b:a7:c7
	inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
	inet 192.168.1.201 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	groups: lo
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	inet6 fe80::6a05:caff:fe3b:a7c7%tun0 prefixlen 64 scopeid 0x4
	inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
	groups: tun
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	Opened by PID 15992

-- 
Phil Staub
phil@staub.us
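The NAT Morgan refers to, as it would be written in pf on the FreeBSD OpenVPN server, is shown below as an added example; it is not from the thread or from either poster. It takes the interface names and addresses from the netstat/ifconfig output above (em0 at 192.168.1.200, tun0 carrying 10.8.0.0/24) and assumes pf is the packet filter in use and that the 192.168.1.1 router has no route for 10.8.0.0/24, which is the situation the source-translation rule is there to avoid.

```pf
# /etc/pf.conf fragment (added example, not from the thread)
# Interface and address values taken from the thread's ifconfig/netstat output.
ext_if  = "em0"          # LAN-facing interface, 192.168.1.200
vpn_if  = "tun0"         # OpenVPN tunnel interface, 10.8.0.1 --> 10.8.0.2
vpn_net = "10.8.0.0/24"  # subnet handed to OpenVPN clients

# Translate VPN client sources to em0's address before packets leave towards the router.
# Without this the router sees 10.8.0.x sources it has no return route for and drops the replies.
nat on $ext_if from $vpn_net to any -> 192.168.1.200

# Let tunnel traffic in from the client subnet only, and let the translated traffic out.
# keep state ensures replies are matched to the translation and allowed back in.
pass in  on $vpn_if inet from $vpn_net to any keep state
pass out on $ext_if inet from 192.168.1.200 to any keep state
```

Forwarding between tun0 and em0 also has to be switched on (sysrc gateway_enable=YES, then sysctl net.inet.ip.forwarding=1), otherwise the kernel never hands the packet to the nat rule at all. Check the rule set before loading it with pfctl -nf /etc/pf.conf, load it with pfctl -f /etc/pf.conf, and confirm the translation is happening with pfctl -s nat and pfctl -s state while a client is connected: a state entry showing 10.8.0.x mapped to 192.168.1.200 is what proves the 10.8.0.x addresses never reach the router's LAN side. Restricting pass in on tun0 to $vpn_net keeps a client that spoofs another source from being forwarded.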