Further investigation suggests that I needed to add client-config-dir to my OpenVPN server.conf file and create a client file with ifconfig-push in it to eliminate the "bad source address" warning. However, I am still unable to get the NAT to work. I've been staring at the PF chapter in the handbook, and I can't get a good handle on how the example they provide works so that I can modify it for my use.

Here is the example I'm trying to parse:

ext_if = "xl0"   # macro for external interface - use tun0 for PPPoE
int_if = "xl1"   # macro for internal interface
localnet = $int_if:network
# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from $localnet to any -> ($ext_if)
block all
pass from { lo0, $localnet } to any keep state

In my case, I'm using "tun0" as the internal interface and "em0" as the external interface. I also specify the (fixed) address of my server on my local address. However, this is clearly not what is needed, because the 'block all' locks out everything trying to access the server machine from other machines on the local net. So I removed the 'block all'. I also made a couple of other modifications. Here's what I have now:

ext_if = "em0"   # macro for external interface - use tun0 for PPPoE
int_if = "tun0"  # macro for internal interface
localnet = $int_if:network
nat on $ext_if from $localnet to any -> <server's IP>
pass from $localnet to any keep state

This seems to be working, except that I get some warnings in the OpenVPN log about "PID_ERR replay-window backtrack occurred [1] [SSL-0]".

Three questions:

1. Is this error something I need to be concerned about?

2. Since the router I have between the server machine and the internet has a firewall, do I need to worry about any other rules in the pf ruleset? (i.e. is it safe to use my modified version of the handbook example?)

3. I don't intend to change the server machine's IP address, so I eliminated the "($ext_if)" and replaced it with the server's static address. Using the ($ext_if) and running pfctl -vnf /etc/pf.conf results in reporting "(em0) round robin" instead of the actual IP of the server. This seems to work, but is it really necessary?

Thanks,
Phil

On Thu, Nov 7, 2019 at 3:48 PM Phil Staub <p...@staub.us> wrote:

> I'm attempting to set up OpenVPN on a FreeBSD 12.1-RELEASE box. I'd like
> for it to allow remote clients to access the internet via the server box's
> connection.
>
> It appears that OpenVPN is working, because new connections are
> logged, but I also get this message in the log:
>
> Thu Nov 7 15:43:17 2019 us=289157 han/67.175.144.37:61307 MULTI: bad
> source address from client [::], packet dropped
>
> And the attached client doesn't have internet access.
>
> SO, I'm assuming I need to set up PF to NAT between tun0 and em0.
>
> I tried looking in the FreeBSD handbook in the chapter on PF, but that's
> like drinking from a fire hose, and I'm sure there is much more detail
> there than I need to know.
>
> Can someone point me to a concise description of how to achieve this?
>
> Thanks,
> Phil
>

_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
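A default-deny variant of the handbook ruleset for the tun0/em0 case discussed in this thread, added here as an example; it is not the poster's configuration or the handbook's text. It assumes OpenVPN listens on udp/1194 on em0, that em0 has a static address, and that LAN hosts only need ssh (tcp/22) to reach the server itself.

```pf
# Added example for NAT from an OpenVPN tun0 to em0; not the poster's rules.
# Assumptions: OpenVPN on udp/1194, em0 static, LAN only needs ssh to this box.
ext_if  = "em0"              # LAN/router-facing interface
vpn_if  = "tun0"             # OpenVPN tunnel interface
vpn_net = $vpn_if:network    # VPN client subnet, taken from tun0's address

set skip on lo0              # never filter loopback

# Translate VPN client traffic leaving em0 to em0's own address.
# ($ext_if) is resolved at runtime; a literal address also works here.
nat on $ext_if from $vpn_net to any -> ($ext_if)

# Default deny, then open only what is needed instead of dropping 'block all'.
block all

# Traffic the server itself (and translated VPN traffic) sends out on em0.
pass out on $ext_if keep state

# OpenVPN client connections arriving from outside.
pass in on $ext_if proto udp from any to ($ext_if) port 1194 keep state

# Forwarded traffic arriving from VPN clients over the tunnel.
pass in on $vpn_if from $vpn_net to any keep state

# LAN hosts reaching the server itself (this is what 'block all' alone cut off).
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state
```

Load-check it with pfctl -vnf /etc/pf.conf; the "(em0) round-robin" printed for the translation address is pf showing a parenthesised interface as a dynamic address pool and is expected output, not an error.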