From: Adam Vande More
Date: Sat, 26 Aug 2017 11:13:40 -0500
Subject: Re: STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)
To: Fongaboo
Cc: FreeBSD Questions
List-Id: User questions

On Sat, Aug 26, 2017 at 8:03 AM, Fongaboo wrote:

> I'm following this tutorial:
>
> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1
>
> Trying this on an AWS instance first and then planning to try on a bare
> metal colo server.
>
> OpenVPN client and daemon seem to be working, in terms of handshaking and
> connecting with each other. Problem is, no matter what I do, connected
> clients can't get out to the Internet through the server's gateway
> interface.
>
> I've tried setting up NATD, like the tutorial instructs. I've tried
> enabling ipfw_nat as described in this comment:
>
> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1?comment=40498
>
> rc.conf (for NATD):
>
> #enable firewall
> firewall_enable="YES"
> firewall_script="/usr/local/etc/ipfw.rules"
> firewall_type="open"
>
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="xn0"
> natd_flags="-dynamic -m"
>
> rc.conf (revised for ipfw_nat):
>
> #enable firewall
> firewall_enable="YES"
> firewall_script="/usr/local/etc/ipfw.rules"
> firewall_type="open"
> firewall_nat_enable="YES"
> firewall_nat_interface="xn0"
>
> gateway_enable="YES"
> #natd_enable="YES"
> #natd_interface="xn0"
> #natd_flags="-dynamic -m"
>
> *xn0 = external interface of the server
>
> Neither config allows Internet access. I have this line enabled in
> /usr/local/etc/openvpn/openvpn.conf:
>
> push "redirect-gateway def1 bypass-dhcp"
>
> Perhaps this is part of the solution?:
>
> # Configure server mode for ethernet bridging
> # using a DHCP-proxy, where clients talk
> # to the OpenVPN server-side DHCP server
> # to receive their IP address allocation
> # and DNS server addresses. You must first use
> # your OS's bridging capability to bridge the TAP
> # interface with the ethernet NIC interface.
> # Note: this mode only works on clients (such as
> # Windows), where the client-side TAP adapter is
> # bound to a DHCP client.
> ;server-bridge
>
> Any advice would be appreciated. I'm willing to try any combination of
> ipfw vs. pf or natd vs. ipfw_nat or whatever if it will allow clients to
> see the WAN. TIA!

tcpdump and ipfw logs.

-- 
Adam
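The reply points at packet captures as the way to localise this kind of VPN NAT failure. The following triage is an added example, not code from the thread or from either poster: it reads `tcpdump -n` output taken on the tunnel interface and on the external interface and reports at which hop client traffic stops. It assumes OpenVPN's default 10.8.0.0/24 tunnel subnet on tun0, xn0 as the external interface, and the placeholder address 203.0.113.10 for the server's xn0 side; none of these values appear in the thread.

```python
import re

# Assumptions (the thread gives none of these): OpenVPN's default 10.8.0.0/24
# tunnel subnet on tun0, xn0 as the external interface, and 203.0.113.10
# (TEST-NET-3) standing in for the server's own address on xn0.
VPN_NET = "10.8.0."
EXT_IP = "203.0.113.10"

# One `tcpdump -n` line looks like
#   12:00:00.000001 IP 10.8.0.6.51234 > 93.184.216.34.443: Flags [S], seq 1
# Ports are optional so ICMP lines ("IP 10.8.0.6 > 8.8.8.8: ICMP ...") match too.
PKT = re.compile(r"IP (\d+(?:\.\d+){3})(?:\.\d+)? > (\d+(?:\.\d+){3})(?:\.\d+)?:")


def parse(lines):
    """Return (src, dst) address pairs from tcpdump -n output lines."""
    return [m.groups() for m in map(PKT.search, lines) if m]


def diagnose(tun_lines, ext_lines):
    """Say where client traffic stops between tun0 and xn0.

    Run `tcpdump -ni tun0` and `tcpdump -ni xn0 not port 1194` while a
    client tries to reach the Internet, then pass each output here.
    """
    from_clients = [p for p in parse(tun_lines) if p[0].startswith(VPN_NET)]
    if not from_clients:
        return "no client packets on tun0: client routing/redirect-gateway"
    ext = parse(ext_lines)
    if any(src.startswith(VPN_NET) for src, _ in ext):
        return "untranslated client source on xn0: NAT rule not matching"
    wanted = {dst for _, dst in from_clients}
    if any(src == EXT_IP and dst in wanted for src, dst in ext):
        return "outbound NAT ok: check replies on xn0 and ipfw deny logs"
    return "nothing forwarded to xn0: forwarding off or ipfw dropping"


# Constructed captures: client packets arrive on tun0, but xn0 only carries
# an unrelated SSH session, so nothing is being forwarded or translated.
TUN_SAMPLE = [
    "12:00:00.000001 IP 10.8.0.6.51234 > 93.184.216.34.443: Flags [S], seq 1",
    "12:00:01.000002 IP 10.8.0.6 > 8.8.8.8: ICMP echo request, id 1, seq 1",
]
EXT_SAMPLE = [
    "12:00:00.500000 IP 198.51.100.7.40000 > 203.0.113.10.22: Flags [P.], seq 9",
]

if __name__ == "__main__":
    print(diagnose(TUN_SAMPLE, EXT_SAMPLE))
```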