Do packets with 10.8.0.x addresses ever actually make it on the wire
between the router and the OpenVPN server? I was under the impression that
the encrypted packets created a tunnel at which the IP address is only
known at the endpoints, which means the OpenVPN client and server
processes, and nothing in between has any access to anything that is going
on within the tunnel. If this is the case, I wouldn't think the router
needs to know how to deal with 10.8.0.x packets.
Furthermore, this pretty much HAS to be the case. The 10.8.0.x addresses
can't be routed across the internet, so the only way they could exist on my
private network would be as a result of NATing on the part of the router,
and I'm pretty sure this isn't happening.
But then this re-opens the question of how the connection happens between
the server end of the tunnel (10.8.0.1) and the public interface at
192.168.1.200. It would seem that there needs to be some routing
information within OpenVPN that makes that connection.
Am I way off here?
Phil
Look at it this way. The VPN software has the same effect as if the
client was located in your house and directly connected with a cable to
your 10.8.0.0/24 subnet. Any configuration to support this must be done
on the FreeBSD machine as well as your router. The router will
definitely see the 10.8.0.0/24 addresses on its LAN interface but as you
note, these addresses will never show up on the external interface. Your
NAT will exchange these addresses on the fly and any traffic between the
OpenVPN endpoints will be encrypted and encapsulated in another ip
packet where only the external public ip addresses are shown.
At this point I started to write a detailed description of how a packet
is transferred from your client over the VPN tunnel and then onto the
Internet and to its destination but it got overly complicated and
probably won't help you at this point. :) Let's instead start to get
some more info from your network. When your client is connected, can you
please provide the output of the following commands on both the client
and the FreeBSD machine?
# ifconfig -a
# netstat -rn
I need to see how the ip stack is configured on each machine and how the
routing tables look.
/Morgan
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
