Date:      Sat, 9 Nov 2019 14:02:02 -0500
From:      Phil Staub <phil@staub.us>
To:        freebsd-pf@freebsd.org
Subject:   Re: NAT for use with OpenVPN
Message-ID:  <CAMnCm8hQFC3PmJfRU5x_07zLZjUwKtXMGCSf6B-N4K6kR14Bgg@mail.gmail.com>
In-Reply-To: <CAMnCm8jmZJ6r8f_byUUMOmPr+3QeH_xB1zCx_SD+Hvc2YF55Vw@mail.gmail.com>
References:  <CAMnCm8jmZJ6r8f_byUUMOmPr+3QeH_xB1zCx_SD+Hvc2YF55Vw@mail.gmail.com>

Further investigation suggests that I needed to add client-config-dir to my
OpenVPN server.conf file and create a client file with ifconfig-push in it
to eliminate the 'bad source address' warning. However, I am still unable
to get the NAT to work. I've been staring at the PF chapter in the
handbook, and I can't get a good handle on how the example they provide
works so that I can modify it for my use.

Here is the example I'm trying to parse:

ext_if = "xl0"	# macro for external interface - use tun0 for PPPoE
int_if = "xl1"	# macro for internal interface
localnet = $int_if:network
# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from $localnet to any -> ($ext_if)
block all
pass from { lo0, $localnet } to any keep state


In my case, I'm using "tun0" as the internal interface and "em0" as the
external interface. I also specify the (fixed) address of my server on my
local address.

However, this is clearly not what is needed, because the 'block all' locks
out everything trying to access the server machine from other machines on
the local net.

So I removed the 'block all'. I also made a couple of other modifications.
Here's what I have now:

ext_if = "em0"	# macro for external interface - use tun0 for PPPoE
int_if = "tun0"	# macro for internal interface
localnet = $int_if:network

nat on $ext_if from $localnet to any -> <server's IP>
pass from $localnet to any keep state

This seems to be working, except that I get some warnings in the OpenVPN
log about "PID_ERR replay-window backtrack occurred [1] [SSL-0]".

Three questions:

1. Is this error something I need to be concerned about?

2. Since the router I have between the server machine and the internet has
a firewall, do I need to worry about any other rules in the pf ruleset?
(i.e. is it safe to use my modified version of the handbook example?)

3. I don't intend to change the server machine's IP address, so I
eliminated the "($ext_if)" and replaced it with the server's static
address. Using the ($ext_if) and running pfctl -vnf /etc/pf.conf results in
reporting "(em0) round robin" instead of the actual IP of the server. This
seems to work, but is it really necessary?

Thanks,
Phil


On Thu, Nov 7, 2019 at 3:48 PM Phil Staub <phil@staub.us> wrote:

> I'm attempting to set up OpenVPN on a FreeBSD 12.1-RELEASE box. I'd like
> for it to allow remote clients to access the internet via the server box's
> connection. It appears that OpenVPN is working, because new connections are
> logged, but I also get this message in the log:
>
> Thu Nov  7 15:43:17 2019 us=289157 han/67.175.144.37:61307 MULTI: bad
> source address from client [::], packet dropped
>
> And the attached client doesn't have internet access.
>
> SO, I'm assuming I need to set up PF to NAT between tun0 and em0.
>
> I tried looking in the FreeBSD handbook in the chapter on PF, but that's
> like drinking from a fire hose, and I'm sure there is much more detail
> there than I need to know.
>
> Can someone point me to a concise description of how to achieve this?
>
> Thanks,
> Phil
>
>
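Editor's note: the ruleset below is an added example, not something posted in this thread. It keeps the handbook's default-deny 'block all' while still letting LAN hosts reach the server, so that the problem described above does not require dropping the block rule. It assumes em0 and tun0 as in the message, an OpenVPN pool of 10.8.0.0/24 on UDP 1194, a LAN of 192.168.1.0/24, and SSH as the only service the LAN needs on the server; adjust the macros to match your site.

```pf
# /etc/pf.conf -- added example for NATing OpenVPN clients out em0.
# Assumed values: VPN pool 10.8.0.0/24, LAN 192.168.1.0/24, OpenVPN on UDP 1194.
ext_if  = "em0"             # external interface (LAN side, toward the router)
vpn_if  = "tun0"            # OpenVPN interface
vpn_net = "10.8.0.0/24"     # OpenVPN client pool (assumed)
lan_net = "192.168.1.0/24"  # local network (assumed)
srv_tcp = "{ 22 }"          # server services the LAN may reach (assumed)

set skip on lo0

# Translation rules must precede filter rules in pf.conf.
# ($ext_if) is looked up at run time, which is why pfctl -v prints it as
# round-robin over the interface's addresses; with one static address it
# behaves the same as writing that address literally.
nat on $ext_if from $vpn_net to any -> ($ext_if)

# Default deny; every pass rule below opens only what is needed.
block all

# VPN clients may use this host as their gateway to the internet.
pass in  quick on $vpn_if from $vpn_net to any keep state
pass out quick on $ext_if keep state

# The OpenVPN daemon itself, reachable from the LAN/router side.
pass in quick on $ext_if proto udp from any to ($ext_if) port 1194 keep state

# LAN hosts keep access to the server's own services.
pass in quick on $ext_if proto tcp from $lan_net to ($ext_if) port $srv_tcp keep state
pass in quick on $ext_if inet proto icmp from $lan_net to ($ext_if) keep state
```

Forwarding between tun0 and em0 also needs IP forwarding enabled (gateway_enable="YES" in /etc/rc.conf, or sysctl net.inet.ip.forwarding=1); check the ruleset with pfctl -nf /etc/pf.conf before loading it.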
