> Ah, you have a standalone SOHO router. That changes things drastically. :)

Exactly!

> I assume the computers on your LAN (including FreeBSD) have private IP
> addresses (192.168.x.x)? In that case your Netgear router is doing the
> NAT for you and you don't need to worry about that part.

Yes. I know it's lazy, but I left the local subnet as the router default of 192.168.1.0/24. All of my local hosts are on that subnet.

I'm PARTIALLY in agreement here. The OpenVPN clients are being assigned 10.8.0.x addresses. Somehow, those addresses need to be translated into the OpenVPN server's address to provide their access to the internet.

> - You need to forward port 1194/udp (or whatever you chose for OpenVPN)
> in your Netgear router so it points to the IP address of your FreeBSD
> machine. Consult the router's manual how to do port forwarding.

This is done and appears to be working fine, because the OpenVPN log registers 10.8.0.x connections when they come in.

> - The firewall in the Netgear router also needs to allow incoming
> connections on this port. It's probably setup along with the port
> forwarding but once again you need to consult the Netgear manual.

The firewall isn't configurable on this router. But as I mentioned above, it obviously takes the configured forwarded port as an indication that it needs to allow that connection through to the local net.

> - You can disable pf on your FreeBSD machine unless you absolutely want
> an extra firewall to protect it. I strongly suggest you disable it at
> this point though until you have the OpenVPN server running. It's
> protected behind your Netgear router

I don't care about the firewalling capabilities of PF in this case. I only use it to establish the connection between the 10.8.0.0/24 and 192.168.1.0/24 subnets. I fully accept the possibility that I have a misconception about what is necessary here, but without doing SOMETHING, the 10.8.0.x connections make it to OpenVPN and go no further.

> So to sum up:
>
> - Configure firewall and port forwarding in your Netgear router.
Done

> - Configure the OpenVPN server on FreeBSD.

At least partially done.

> One caveat to look out for:
>
> I'm not familiar with your Arris modem. Make sure it doesn't do routing
> and NAT too so you have two layers of NAT since that would complicate
> things. Make sure your modem is in bridge mode and that your Netgear
> router has a public IP address on the interface connected to the modem.

The modem doesn't do NAT. The WAN side of the router has a public IP, and there is nothing else on the connection between the modem and the router.

> Regards
> Morgan
>
> Phil, I forgot...
>
> OpenVPN needs its own subnet in the config file. Make sure you don't use
> the same subnet as your LAN uses because that would confuse the routing
> and could result in the behaviour you describe in your initial post.
> Data would reach the server but return packets wouldn't find their way
> back onto the Internet.

This may be the crux of the matter. I'm not sure I know how I would set this up.

> I would need to see your OpenVPN config and details about the subnets
> you use to spot any errors.

Here is my OpenVPN config:

local 192.168.1.200
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
dh /usr/local/etc/openvpn/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
client-config-dir /usr/local/etc/openvpn/ccd
route 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 4
explicit-exit-notify 1

> /Morgan

Thanks, Morgan!

Phil
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
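The pf translation rule Phil describes (10.8.0.x clients masqueraded behind the OpenVPN host's LAN address), written out as an added example that is not part of either mail. It assumes the FreeBSD host's LAN interface is em0, OpenVPN's tunnel device is tun0, and IP forwarding is enabled with gateway_enable="YES" in /etc/rc.conf (net.inet.ip.forwarding=1).

```pf
# /etc/pf.conf on the FreeBSD OpenVPN host (192.168.1.200)
# Assumed names: em0 is the LAN-facing interface, tun0 is OpenVPN's "dev tun".
# Prerequisite: net.inet.ip.forwarding=1 (gateway_enable="YES" in /etc/rc.conf),
# otherwise packets arriving on tun0 are never forwarded at all.
ext_if  = "em0"
vpn_if  = "tun0"
lan_net = "192.168.1.0/24"
vpn_net = "10.8.0.0/24"      # must differ from lan_net, as Morgan points out

set skip on lo0

# Translation rules must precede filter rules in FreeBSD's pf.
# Rewrite the source of VPN-client traffic to the host's own em0 address:
# the Netgear then only ever sees 192.168.1.200 and needs no static route
# for 10.8.0.0/24. This covers both LAN destinations (push "route ...")
# and Internet traffic pulled into the tunnel by "redirect-gateway def1".
nat on $ext_if from $vpn_net to any -> ($ext_if)

# No real filtering wanted here (the Netgear is the firewall), so pass
# explicitly; pf rules are stateful, so replies to NATed flows return.
pass in  on $ext_if proto udp to ($ext_if) port 1194   # OpenVPN itself
pass in  on $ext_if from $lan_net
pass in  on $vpn_if from $vpn_net
pass out on $ext_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; if the nat line is missing, 10.8.0.x packets leave em0 with a source address the Netgear has no route back to, which is exactly the "reaches OpenVPN and goes no further" symptom.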