One additional thing. If you by any chance want to communicate with any of the other machines on your LAN from the VPN clients (not just Internet access), you need to add a static route for 10.8.0.0/24 pointing to 192.168.1.200 IN YOUR NETGEAR ROUTER or they won't know where to send their replies. Preferably you'd add such a route to each of your LAN machines, but it's not strictly necessary since they will send any 10.8.0.0/24 packets to your router, which will then route them back properly to your FreeBSD machine. This shouldn't be needed for the basic OpenVPN communication though, since as far as your router is concerned, this only involves pushing UDP packets to 192.168.1.200 and it already knows how to reach that IP.


I need to correct myself here. You absolutely MUST have a static route for 10.8.0.0/24 defined in your Netgear router or Internet traffic won't work from your VPN clients. The reason is that when FreeBSD routes these packets from the OpenVPN subnet onto your LAN subnet and onto the Netgear router, the source address of those packets will still have 10.8.0.x in them and the router needs to know where this subnet is to be able to return packets there. This would be much simpler if your FreeBSD machine was working as your router instead of that Netgear router. :)

Another unknown is how the NAT in your Netgear router will respond to source packets coming from a subnet other than its own. Hopefully it will behave properly.

/Morgan
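The following is an added example, not part of Morgan's message or of any OpenVPN or FreeBSD documentation. It simulates the Netgear router's next-hop decision for a reply addressed to a VPN client with a longest-prefix lookup over a constructed routing table, first without and then with the 10.8.0.0/24 static route described above, and then prints the configuration lines that fix the problem. The routing-table entries, the next-hop labels and the LAN interface name em0 are assumptions for illustration; the pf NAT rule at the end is an alternative of my own that the message does not mention, for the case where the router's static-route form cannot be used.

```shell
#!/bin/sh
# Added example (not from the thread): where does the Netgear send a reply
# to 10.8.0.x, with and without the static route Morgan describes?

ip2int() {                     # dotted quad -> 32-bit integer
  _ifs=$IFS; IFS=.
  set -- $1
  IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

prefix_mask() {                # prefix length -> netmask as integer
  if [ "$1" -eq 0 ]; then
    echo 0
  else
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
  fi
}

# Longest-prefix lookup: $1 = destination address, $2 = routing table with
# one "network/len next-hop" entry per line. Prints the winning next hop.
lookup() {
  dst=$(ip2int "$1"); best_len=-1; best_hop=unroutable
  while read -r pfx hop; do
    [ -n "$pfx" ] || continue
    len=${pfx#*/}; net=$(ip2int "${pfx%/*}"); mask=$(prefix_mask "$len")
    if [ $(( dst & mask )) -eq $(( net & mask )) ] && [ "$len" -gt "$best_len" ]; then
      best_len=$len; best_hop=$hop
    fi
  done <<EOF
$2
EOF
  echo "$best_hop"
}

# Constructed routing tables for the Netgear (next-hop names are illustrative).
# Without the VPN route, only the default route matches a 10.8.0.x destination,
# so the reply is sent towards the ISP instead of back to the FreeBSD box.
ROUTER_TABLE='0.0.0.0/0 isp-gateway
192.168.1.0/24 lan-direct'
ROUTER_TABLE_FIXED="$ROUTER_TABLE
10.8.0.0/24 192.168.1.200"

VPN_NET=10.8.0.0/24
VPN_GW=192.168.1.200           # the FreeBSD OpenVPN host on the LAN
LAN_IF=${LAN_IF:-em0}          # assumed LAN interface of that host

# The per-host static route Morgan mentions, for a FreeBSD LAN machine
# (one-off command plus the rc.conf lines that make it persistent); the same
# route goes into the Netgear's static-routes form.
freebsd_host_route() {
  printf 'route add -net %s %s\n' "$VPN_NET" "$VPN_GW"
  printf 'static_routes="vpn"\n'
  printf 'route_vpn="-net %s %s"\n' "$VPN_NET" "$VPN_GW"
}

# The OpenVPN host itself must forward between tun0 and the LAN.
openvpn_host_rcconf() {
  printf 'gateway_enable="YES"\n'
}

# Alternative not covered in the message: NAT the VPN subnet onto the
# FreeBSD host's LAN address with pf, so replies are addressed to
# 192.168.1.200 and the router needs no extra route at all.
pf_nat_rule() {
  printf 'nat on %s from %s to any -> (%s)\n' "$LAN_IF" "$VPN_NET" "$LAN_IF"
}

# Demo when run directly.
echo "reply to 10.8.0.6 without route -> $(lookup 10.8.0.6 "$ROUTER_TABLE")"
echo "reply to 10.8.0.6 with route    -> $(lookup 10.8.0.6 "$ROUTER_TABLE_FIXED")"
echo "--- LAN host route:"; freebsd_host_route
echo "--- OpenVPN host rc.conf:"; openvpn_host_rcconf
echo "--- pf alternative:"; pf_nat_rule
```

The lookup only models plain destination-based forwarding; it says nothing about how the Netgear's NAT treats a 10.8.0.x source address, which is the open question Morgan raises. The pf NAT alternative sidesteps that question entirely, at the cost of LAN hosts no longer seeing the real VPN client addresses.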


_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"