Date: Mon, 11 Nov 2019 20:49:25 -0500
From: Phil Staub <phil@staub.us>
To: freebsd-pf@freebsd.org
Subject: Fwd: Fwd: NAT for use with OpenVPN
Message-ID: <CAMnCm8juj8uPuqfDXWu4rOPjbiK0xrsUUrQn002R639RepQOWg@mail.gmail.com>
In-Reply-To: <CAMnCm8i-UOAZoyERUWM+38sPvWcwevqM6LBgRGeM8nXjgnbVtQ@mail.gmail.com>
References: <mailman.6.1573387200.62111.freebsd-pf@freebsd.org>
 <CAMnCm8gO+dZwEKdM3iKwrNoxNDZmFZ8EUo=Mrh0+OQ+SE_SO8w@mail.gmail.com>
 <1cebcd5e-d9ed-53db-2d01-c8794933d1c4@pp.dyndns.biz>
 <80ec074d-7a5d-7016-57e4-f607384d0e20@pp.dyndns.biz>
 <CAMnCm8iz7DcgTM_tPR5ZGZQwPXXcahVbyqw0Wzufkr93xVszpg@mail.gmail.com>
 <CAMnCm8jZH8ZULq8CKeZF_t4eBEBH5QAsaPKBtxK0WCWGe_OXDA@mail.gmail.com>
 <ba536474-57b4-37b0-d076-a1c4561d181e@pp.dyndns.biz>
 <CAP9XWJm2gAC0VjTejP08X0T8ar_ZS1e7PqjAy8iOMRhfBU_3mA@mail.gmail.com>
 <6bc9b8ce-3ab3-2b57-510d-67ace0a90259@pp.dyndns.biz>
 <30f8da8a-de96-f737-fef8-820c6ae2ed16@pp.dyndns.biz>
 <CAMnCm8i-UOAZoyERUWM+38sPvWcwevqM6LBgRGeM8nXjgnbVtQ@mail.gmail.com>
---------- Forwarded message ---------
From: Phil Staub <phil@staub.us>
Date: Mon, Nov 11, 2019 at 8:47 PM
Subject: Re: Fwd: NAT for use with OpenVPN
To: Morgan Wesström <freebsd-database@pp.dyndns.biz>

On Mon, Nov 11, 2019 at 5:15 PM Morgan Wesström <freebsd-database@pp.dyndns.biz> wrote:

> Phil,
>
> I did some more testing in my own environment and you should be able to
> ping the following addresses from your connected client. It probably
> breaks down at some point and you need to tell me where:
>
> 10.8.0.6 (or whatever ip your vpn client receives)
> 10.8.0.1 (server endpoint of vpn tunnel)
> 192.168.1.200 (your FreeBSD LAN address)
> 192.168.1.1 (LAN side of your router)
>

This was very much along the lines of what I had already planned to try. I also pinged my public IP address 67.175.144.37.

> Next ping test would be an address on the Internet like google.dns
> (8.8.8.8).
>

This is the ONLY ping that fails. :-(

> Looking at the Netgear support forums, some people claim Netgear routers
> only does NAT for the subnet on its LAN interface while others claim it
> does NAT for any subnet. I checked the manual for your router but it
> doesn't explicitly say anything on this matter so this is still an unknown.
>

I've spent a little time trying to find out how to get a routing table from the router. I haven't had a lot of time to look, but I'm going to look a little more after what I've found so far.

> We didn't discuss the client side config. I will show you mine below
> with the server address obfuscated. You need to replace it with your
> router WAN ip.
>
> client
> dev tun
> proto udp
> remote ***.***.***.*** 1194
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> ca ca.crt
> cert client1.crt
> key client1.key
> ns-cert-type server
> verb 4
>

My client side configs are very similar.
I think the only differences are irrelevant or necessitated by the server-side config (cipher option).

> netstat -rn and ifconfig -a (ipconfig /all on Windows) from the
> connected client would be useful to further track down the problem if
> you can't resolve it.
>

I'm not a Windows fan, but since I have a Win10 laptop I use for stuff that only runs on Windows, I'll hold my nose and try some troubleshooting from there. :-(

Here is the Windows ipconfig:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Han
   Primary Dns Suffix  . . . . . . . : staub.us
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : staub.us

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : D0-17-C2-0B-E3-28
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Unknown adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-A2-CF-90-6F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::641d:f1e3:ff36:891e%14(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.8.0.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : Monday, November 11, 2019 7:31:43 PM
   Lease Expires . . . . . . . . . . : Tuesday, November 10, 2020 7:31:42 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.8.0.6
   DHCPv6 IAID . . . . . . . . . . . : 318832546
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-DF-60-8C-D0-17-C2-0B-E3-28
   DNS Servers . . . . . . . . . . . : 1.1.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 48-45-20-50-78-AB
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 13:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2
   Physical Address. . . . . . . . . : 4A-45-20-50-78-AA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7265
   Physical Address. . . . . . . . . : 48-45-20-50-78-AA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1002:e557:a388:1315%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, November 10, 2019 11:06:24 PM
   Lease Expires . . . . . . . . . . : Tuesday, November 12, 2019 11:06:23 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 38290720
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-DF-60-8C-D0-17-C2-0B-E3-28
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

(I notice there is no default gateway specified for the TUN interface. I'll have to look into that.)
And the routing table:

===========================================================================
Interface List
 18...d0 17 c2 0b e3 28 ......Realtek PCIe GBE Family Controller
 14...00 ff a2 cf 90 6f ......TAP-Windows Adapter V9
 15...48 45 20 50 78 ab ......Microsoft Wi-Fi Direct Virtual Adapter
  9...4a 45 20 50 78 aa ......Microsoft Wi-Fi Direct Virtual Adapter #2
 13...48 45 20 50 78 aa ......Intel(R) Dual Band Wireless-AC 7265
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.5     35
          0.0.0.0        128.0.0.0         10.8.0.6         10.8.0.5    281
         10.8.0.1  255.255.255.255         10.8.0.6         10.8.0.5    281
         10.8.0.4  255.255.255.252         On-link          10.8.0.5    281
         10.8.0.5  255.255.255.255         On-link          10.8.0.5    281
         10.8.0.7  255.255.255.255         On-link          10.8.0.5    281
    67.175.144.37  255.255.255.255      192.168.1.1      192.168.1.5    291
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0         10.8.0.6         10.8.0.5    281
      192.168.1.0    255.255.255.0         On-link       192.168.1.5    291
      192.168.1.0    255.255.255.0         10.8.0.6         10.8.0.5    281
      192.168.1.5  255.255.255.255         On-link       192.168.1.5    291
    192.168.1.255  255.255.255.255         On-link       192.168.1.5    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link          10.8.0.5    281
        224.0.0.0        240.0.0.0         On-link       192.168.1.5    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link          10.8.0.5    281
  255.255.255.255  255.255.255.255         On-link       192.168.1.5    291
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 14    281 fe80::/64                On-link
 13    291 fe80::/64                On-link
 13    291 fe80::1002:e557:a388:1315/128
                                    On-link
 14    281 fe80::641d:f1e3:ff36:891e/128
                                    On-link
  1    331 ff00::/8                 On-link
 14    281 ff00::/8                 On-link
 13    291 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

> P.S. You have a .201 alias on the FreeBSD machine. It shouldn't
> interfere but I just wanted to make sure you were aware of it and had a
> reason for it.
>

Yes, it's known and I was wondering if YOU would be wondering about it. I have a PLEX server running in a jail on the same machine the OpenVPN server is on, and that is the .201 address. Once I get things working on the non-jail version, I'll build another jail for the OpenVPN process.

> /Morgan
>

I'll update when I have more info about the router's routing table and the default gateway.
Thanks,
Phil

> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
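The route table Phil posted answers two of the open questions in the message, and a route lookup over it makes that explicit. This is an added example, not code from the thread or from OpenVPN: it copies the IPv4 "Active Routes" rows from the `route print` output above (constructed copy, unchanged values) and reimplements the host's route selection, most specific prefix first, lowest metric as the tie-breaker. The 0.0.0.0/1 and 128.0.0.0/1 pair pointing at 10.8.0.6 is how OpenVPN's `redirect-gateway def1` overrides the default route without touching it, which is why the TAP adapter shows no default gateway; the lookup shows that 8.8.8.8 (and the 1.1.1.1 DNS server) already leave the client through the tunnel, and that 192.168.1.0/24 via 10.8.0.6 beats the on-link route on metric, so the LAN pings go through the tunnel as well. The failing ping is therefore lost at or beyond the FreeBSD server, where the pf NAT and the router's NAT behaviour come into play, not on the client. The `next_hop` and `leaves_via_tunnel` helper names are my own.

```python
"""Longest-prefix route lookup over the Windows IPv4 route table from the thread.

Added example (not code from the thread or from OpenVPN). The table is a
constructed copy of the "Active Routes" rows in the message; the lookup is a
plain reimplementation of host route selection: most specific prefix wins,
lowest metric breaks ties.
"""
from __future__ import annotations

import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str          # "On-link" means the destination is directly connected
    interface: str        # address of the egress interface
    metric: int


# Columns: destination netmask gateway interface metric (copied from the post).
ROUTE_PRINT = """
0.0.0.0          0.0.0.0          192.168.1.1  192.168.1.5   35
0.0.0.0          128.0.0.0        10.8.0.6     10.8.0.5     281
10.8.0.1         255.255.255.255  10.8.0.6     10.8.0.5     281
10.8.0.4         255.255.255.252  On-link      10.8.0.5     281
10.8.0.5         255.255.255.255  On-link      10.8.0.5     281
10.8.0.7         255.255.255.255  On-link      10.8.0.5     281
67.175.144.37    255.255.255.255  192.168.1.1  192.168.1.5  291
127.0.0.0        255.0.0.0        On-link      127.0.0.1    331
127.0.0.1        255.255.255.255  On-link      127.0.0.1    331
127.255.255.255  255.255.255.255  On-link      127.0.0.1    331
128.0.0.0        128.0.0.0        10.8.0.6     10.8.0.5     281
192.168.1.0      255.255.255.0    On-link      192.168.1.5  291
192.168.1.0      255.255.255.0    10.8.0.6     10.8.0.5     281
192.168.1.5      255.255.255.255  On-link      192.168.1.5  291
192.168.1.255    255.255.255.255  On-link      192.168.1.5  291
224.0.0.0        240.0.0.0        On-link      127.0.0.1    331
224.0.0.0        240.0.0.0        On-link      10.8.0.5     281
224.0.0.0        240.0.0.0        On-link      192.168.1.5  291
255.255.255.255  255.255.255.255  On-link      127.0.0.1    331
255.255.255.255  255.255.255.255  On-link      10.8.0.5     281
255.255.255.255  255.255.255.255  On-link      192.168.1.5  291
"""


def parse_route_print(text: str) -> list[Route]:
    """Parse the five-column 'Active Routes' body of Windows `route print`."""
    routes: list[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # blank or header line
        dest, mask, gw, iface, metric = fields
        # ipaddress accepts dotted netmasks, so "0.0.0.0/128.0.0.0" becomes /1.
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gw, iface, int(metric)))
    return routes


ROUTES = parse_route_print(ROUTE_PRINT)


def next_hop(dst: str, routes: list[Route] = ROUTES) -> Optional[Route]:
    """Return the route the host would pick for dst, or None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    # Longest prefix first; among equal prefixes the lowest metric wins.
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def leaves_via_tunnel(dst: str, tun_addr: str = "10.8.0.5") -> bool:
    """True when traffic to dst egresses on the TAP/TUN interface (10.8.0.5 here)."""
    r = next_hop(dst)
    return r is not None and r.interface == tun_addr


if __name__ == "__main__":
    # The addresses Morgan asked Phil to ping, plus the two that matter most.
    for dst in ("10.8.0.1", "192.168.1.1", "67.175.144.37", "1.1.1.1", "8.8.8.8"):
        r = next_hop(dst)
        print(f"{dst:>15} -> {str(r.network):<18} via {r.gateway:<12}"
              f" on {r.interface:<12} metric {r.metric}  tunnel={leaves_via_tunnel(dst)}")
```

Run as-is to print one line per test destination. The same parser works on any `route print` dump, so it can be pointed at the output from Phil's laptop after the next OpenVPN change to confirm nothing on the client side moved.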
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAMnCm8juj8uPuqfDXWu4rOPjbiK0xrsUUrQn002R639RepQOWg>