---------- Forwarded message ---------
From: Phil Staub <p...@staub.us>
Date: Mon, Nov 11, 2019 at 8:47 PM
Subject: Re: Fwd: NAT for use with OpenVPN
To: Morgan Wesström <freebsd-datab...@pp.dyndns.biz>

On Mon, Nov 11, 2019 at 5:15 PM Morgan Wesström <freebsd-datab...@pp.dyndns.biz> wrote:

> Phil,
>
> I did some more testing in my own environment and you should be able to
> ping the following addresses from your connected client. It probably
> breaks down at some point and you need to tell me where:
>
> 10.8.0.6 (or whatever ip your vpn client receives)
> 10.8.0.1 (server endpoint of vpn tunnel)
> 192.168.1.200 (your FreeBSD LAN address)
> 192.168.1.1 (LAN side of your router)
>

This was very much along the lines of what I had already planned to try. I also pinged my public IP address 67.175.144.37.

> Next ping test would be an address on the Internet like google.dns
> (8.8.8.8).

This is the ONLY ping that fails. :-(

> Looking at the Netgear support forums, some people claim Netgear routers
> only do NAT for the subnet on its LAN interface while others claim it
> does NAT for any subnet. I checked the manual for your router but it
> doesn't explicitly say anything on this matter so this is still an unknown.

I've spent a little time trying to find out how to get a routing table from the router. I haven't had a lot of time to look, but I'm going to look a little more after what I've found so far.

> We didn't discuss the client side config. I will show you mine below
> with the server address obfuscated. You need to replace it with your
> router WAN ip.
>
> client
> dev tun
> proto udp
> remote ***.***.***.*** 1194
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> ca ca.crt
> cert client1.crt
> key client1.key
> ns-cert-type server
> verb 4
>

My client side configs are very similar. I think the only differences are irrelevant or necessitated by the server-side config (cipher option).

> netstat -rn and ifconfig -a (ipconfig /all on Windows) from the
> connected client would be useful to further track down the problem if
> you can't resolve it.
>

I'm not a Windows fan, but since I have a Win10 laptop I use for stuff that only runs on Windows, I'll hold my nose and try some troubleshooting from there. :-(

Here is the Windows ipconfig:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Han
   Primary Dns Suffix  . . . . . . . : staub.us
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : staub.us

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : D0-17-C2-0B-E3-28
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Unknown adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-A2-CF-90-6F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::641d:f1e3:ff36:891e%14(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.8.0.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : Monday, November 11, 2019 7:31:43 PM
   Lease Expires . . . . . . . . . . : Tuesday, November 10, 2020 7:31:42 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.8.0.6
   DHCPv6 IAID . . . . . . . . . . . : 318832546
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-DF-60-8C-D0-17-C2-0B-E3-28
   DNS Servers . . . . . . . . . . . : 1.1.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 48-45-20-50-78-AB
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 13:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2
   Physical Address. . . . . . . . . : 4A-45-20-50-78-AA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7265
   Physical Address. . . . . . . . . : 48-45-20-50-78-AA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1002:e557:a388:1315%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, November 10, 2019 11:06:24 PM
   Lease Expires . . . . . . . . . . : Tuesday, November 12, 2019 11:06:23 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 38290720
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-DF-60-8C-D0-17-C2-0B-E3-28
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

(I notice there is no default gateway specified for the TUN interface. I'll have to look into that.)

And the routing table:

===========================================================================
Interface List
 18...d0 17 c2 0b e3 28 ......Realtek PCIe GBE Family Controller
 14...00 ff a2 cf 90 6f ......TAP-Windows Adapter V9
 15...48 45 20 50 78 ab ......Microsoft Wi-Fi Direct Virtual Adapter
  9...4a 45 20 50 78 aa ......Microsoft Wi-Fi Direct Virtual Adapter #2
 13...48 45 20 50 78 aa ......Intel(R) Dual Band Wireless-AC 7265
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.5     35
          0.0.0.0        128.0.0.0         10.8.0.6         10.8.0.5    281
         10.8.0.1  255.255.255.255         10.8.0.6         10.8.0.5    281
         10.8.0.4  255.255.255.252         On-link          10.8.0.5    281
         10.8.0.5  255.255.255.255         On-link          10.8.0.5    281
         10.8.0.7  255.255.255.255         On-link          10.8.0.5    281
    67.175.144.37  255.255.255.255      192.168.1.1      192.168.1.5    291
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0         10.8.0.6         10.8.0.5    281
      192.168.1.0    255.255.255.0         On-link       192.168.1.5    291
      192.168.1.0    255.255.255.0         10.8.0.6         10.8.0.5    281
      192.168.1.5  255.255.255.255         On-link       192.168.1.5    291
    192.168.1.255  255.255.255.255         On-link       192.168.1.5    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link          10.8.0.5    281
        224.0.0.0        240.0.0.0         On-link       192.168.1.5    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link          10.8.0.5    281
  255.255.255.255  255.255.255.255         On-link       192.168.1.5    291
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 14    281 fe80::/64                On-link
 13    291 fe80::/64                On-link
 13    291 fe80::1002:e557:a388:1315/128
                                    On-link
 14    281 fe80::641d:f1e3:ff36:891e/128
                                    On-link
  1    331 ff00::/8                 On-link
 14    281 ff00::/8                 On-link
 13    291 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

> P.S. You have a .201 alias on the FreeBSD machine. It shouldn't
> interfere but I just wanted to make sure you were aware of it and had a
> reason for it.
>

Yes, it's known and I was wondering if YOU would be wondering about it. I have a PLEX server running in a jail on the same machine the OpenVPN server is on, and that is the .201 address. Once I get things working on the non-jail version, I'll build another jail for the OpenVPN process.

> /Morgan
>

I'll update when I have more info about the router's routing table and the default gateway.

Thanks,
Phil

> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
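
Added example, not part of the original message or written by either correspondent: a route lookup over the IPv4 unicast routes from the route table above, showing which interface each ping target in the thread leaves through. It assumes the usual selection rule of longest prefix first and lowest metric as the tie-break; the function names and the "tunnel"/"wifi" labels are made up for this illustration.

```python
import ipaddress

# Routes copied from the IPv4 route table in the message above
# (destination, netmask, gateway, interface, metric). Loopback,
# multicast and broadcast entries are left out.
ROUTES_TEXT = """\
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 35
0.0.0.0 128.0.0.0 10.8.0.6 10.8.0.5 281
10.8.0.1 255.255.255.255 10.8.0.6 10.8.0.5 281
10.8.0.4 255.255.255.252 On-link 10.8.0.5 281
67.175.144.37 255.255.255.255 192.168.1.1 192.168.1.5 291
128.0.0.0 128.0.0.0 10.8.0.6 10.8.0.5 281
192.168.1.0 255.255.255.0 On-link 192.168.1.5 291
192.168.1.0 255.255.255.0 10.8.0.6 10.8.0.5 281
"""

TUNNEL_IP = "10.8.0.5"  # address of the TAP-Windows adapter in the ipconfig output


def parse_routes(text):
    """Turn 'dest mask gateway interface metric' lines into tuples."""
    routes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dest, mask, gateway, iface, metric = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}")
        routes.append((net, gateway, iface, int(metric)))
    return routes


def lookup(routes, addr):
    """Pick the route for addr: longest prefix, then lowest metric."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r[0].prefixlen, r[3]))


def egress(addr):
    """Return (path label, matched network, gateway) for a destination."""
    route = lookup(parse_routes(ROUTES_TEXT), addr)
    if route is None:
        return None
    net, gateway, iface, _metric = route
    return ("tunnel" if iface == TUNNEL_IP else "wifi", str(net), gateway)


if __name__ == "__main__":
    for target in ("10.8.0.1", "192.168.1.1", "67.175.144.37", "8.8.8.8"):
        print(target, egress(target))
```

The two /1 routes via 10.8.0.6 are more specific than the metric-35 default route, so 8.8.8.8 is sent into the tunnel, while the host route for 67.175.144.37 keeps that address on the Wi-Fi path.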