Do packets with 10.8.0.x addresses ever actually make it on the wire
between the router and the OpenVPN server? I was under the impression that
the encrypted packets create a tunnel in which the IP addresses are only
known at the endpoints, i.e. the OpenVPN client and server processes, and
that nothing in between has any access to anything that is going on within
the tunnel. If this is the case, I wouldn't think the router needs to know
how to deal with 10.8.0.x packets.

Furthermore, this pretty much HAS to be the case. The 10.8.0.x addresses
can't be routed across the internet, so the only way they could exist on my
private network would be as a result of NATing on the part of the router,
and I'm pretty sure this isn't happening.

But then this re-opens the question of how the connection happens between
the server end of the tunnel (10.8.0.1) and the public interface at
192.168.1.200. It would seem that there needs to be some routing
information within OpenVPN that makes that connection.

Am I way off here?

Phil

Look at it this way. The VPN software has the same effect as if the client were located in your house and directly connected with a cable to your 10.8.0.0/24 subnet. Any configuration to support this must be done on the FreeBSD machine as well as on your router. The router will definitely see the 10.8.0.0/24 addresses on its LAN interface, but as you note, these addresses will never show up on the external interface. Your NAT will exchange these addresses on the fly, and any traffic between the OpenVPN endpoints will be encrypted and encapsulated in another IP packet where only the external public IP addresses are shown.

At this point I started to write a detailed description of how a packet is transferred from your client over the VPN tunnel and then onto the Internet and to its destination but it got overly complicated and probably won't help you at this point. :) Let's instead start to get some more info from your network. When your client is connected, can you please provide the output of the following commands on both the client and the FreeBSD machine?

# ifconfig -a

# netstat -rn

I need to see how the IP stack is configured on each machine and how the routing tables look.

/Morgan
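Morgan's point that the 10.8.0.x addresses only exist inside the encrypted, encapsulated packet can be seen in this added Python model; it is not code from the thread or from OpenVPN. It assumes OpenVPN's default UDP port 1194, a made-up client public address 203.0.113.7 and a made-up LAN host 192.168.1.50, and uses an XOR placeholder in place of the real data-channel cipher.

```python
import socket
import struct

# Constructed model, not code from the thread. Addresses from the thread:
# tunnel subnet 10.8.0.0/24, OpenVPN server LAN address 192.168.1.200.
# The client's public address 203.0.113.7 and LAN host 192.168.1.50 are made up.
OPENVPN_PORT = 1194      # OpenVPN's default UDP port
TOY_KEY = 0xA5           # stand-in for the data-channel cipher; NOT real encryption


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; the header checksum is left at zero in this model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def addresses(packet):
    """Source and destination a device sees when it reads the IPv4 header of `packet`."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


def toy_cipher(data):
    """Symmetric XOR placeholder so the inner packet is not carried in clear text."""
    return bytes(b ^ TOY_KEY for b in data)


def encapsulate(inner, tunnel_src, tunnel_dst):
    """What the OpenVPN client puts on the wire: outer IP + UDP around the ciphered inner packet."""
    body = toy_cipher(inner)
    udp = struct.pack("!HHHH", OPENVPN_PORT, OPENVPN_PORT, 8 + len(body), 0)
    return ipv4_header(tunnel_src, tunnel_dst, 17, 8 + len(body)) + udp + body


def decapsulate(outer):
    """What the OpenVPN server hands to its tun interface: strip IP/UDP, undo the cipher."""
    return toy_cipher(outer[20 + 8:])


def demo():
    # Client on the tunnel (10.8.0.6) talks to a host on the FreeBSD box's LAN (192.168.1.50).
    inner = ipv4_header("10.8.0.6", "192.168.1.50", 1, 4) + b"ping"
    outer = encapsulate(inner, "203.0.113.7", "192.168.1.200")
    return addresses(outer), addresses(decapsulate(outer))


if __name__ == "__main__":
    wire, lan = demo()
    print("between router and server:", wire)          # only the tunnel endpoint addresses
    print("after decapsulation on the server:", lan)   # 10.8.0.x appears on the LAN side only here
```

The router in between forwards only the outer packet, so the 10.8.0.x address first becomes visible on the LAN after the server has decapsulated it, which is why both the FreeBSD machine and the router need routes for that subnet.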
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf