Dear list members,

I've got a small problem with my OpenBSD based VPN gateway.

There are 2 physical interfaces (vr0 <- wan, vr1 <- lan) and the openvpn tunnel interface (tun0). VPN clients have an IP address assigned out of the range 10.176.3.0/24, LAN clients out of the range 10.176.0.0/23.

Now I'd like to NAT the VPN clients to the LAN address of the gateway (10.176.0.1). (There are clients in the network without a default gateway and I do not want to add the 10.176.3.0/24 route to every device in the network.)

I thought that this is an easy task to accomplish but I do not get the nat tun0->vr1 working.

My pf configuration is:

wan_if = "vr0"
lan_if = "vr1"
vpn_if = "tun0"
lan_net = $lan_if:network
vpn_net = "10.176.3.0/24"

pass quick on lo0
block return log on $wan_if all
pass out on $wan_if proto icmp all keep state
pass on $wan_if inet proto icmp all icmp-type 8 code 0
pass out on $wan_if proto udp all keep state
pass in on $wan_if proto udp from any to any port { 53 123 1194 }
pass out on $wan_if proto tcp all modulate state
pass in on $wan_if proto tcp from any to any port { 22 64321 }

match out on $wan_if from ($lan_net) nat-to ($wan_if:0)
match out on $lan_if from $vpn_net nat-to ($lan_if:0)

tcpdump:

tcpdump -i vr1 'icmp'
tcpdump: listening on vr1, link-type EN10MB
15:34:30.524786 10.176.3.6 > 10.176.0.4: icmp: echo request (DF)
15:34:31.520010 10.176.3.6 > 10.176.0.4: icmp: echo request (DF)
15:34:32.515313 10.176.3.6 > 10.176.0.4: icmp: echo request (DF)

Anyone an idea what I miss?

regards
andre