I blogged: OpenVPN, pf and alias IP addresses t.co/ddyp5SUlZ…
OpenVPN, pf and alias IP addresses
Recently I had to build an OpenVPN server on a FreeBSD machine that already uses port 443. But I wanted to use port 443 because its reachability is usually guaranteed. So I added a second IP address to the interface. Let’s say for this example the addresses are 10.10.10.1 and 10.10.10.2[footnote]Yes, I know… the original host has routable addresses there[/footnote]. Then I followed the few hints I found on the net for NATing through the interface. Since it is FreeBSD and I have pf available, I use it of course. After that I opened up certain services on the other hosts to 10.10.10.2.
What is the rule you find when you google?
nat on $ext_if inet from $vpn_clients to any -> $ext_if
$ext_if is your interface to the outside world, in my case the one with the two IP addresses. $vpn_clients is the OpenVPN network[footnote]by default 10.8.0.0/24[/footnote].
And then I was in for a surprise. When I connected to the VPN and tried to reach the hosts behind the NAT via ssh, the following happened: ssh host1: connection denied; ssh host1 again: please log in. If I waited a short moment instead of retrying immediately, the connection was denied again. Other strange behaviour of that kind was observable too.
What happened? FreeBSD NATed the connections through either address 1 or address 2, but never consistently through the same one: pf expands $ext_if to all addresses configured on that interface and hands them out round-robin, so successive connections from the same client left with different source addresses, and the hosts that only allowed 10.10.10.2 rejected every other one.
What you can do is define the address you want the NAT to rewrite to. So the rule becomes:
nat on $ext_if inet from $vpn_clients to any -> $vpn_nat_ip
In this case $vpn_nat_ip is 10.10.10.2.
Another side note: you don’t want to add a second interface for the second IP address; use an alias IP on the first network card instead. Otherwise you have to start using routing tables etc. to get your traffic moved correctly through your system.
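The whole pf.conf fragment, with the problematic rule beside the corrected one, as an added example that is not part of the original post; the interface names em0 and tun0 and TCP as the OpenVPN transport are assumptions, the addresses are the ones from the post.

```pf
# Macros: em0 and tun0 are assumed names, the addresses are from the post
ext_if      = "em0"          # outside interface carrying 10.10.10.1 and alias 10.10.10.2
tun_if      = "tun0"         # OpenVPN tunnel interface
vpn_clients = "10.8.0.0/24"  # OpenVPN default client network
vpn_nat_ip  = "10.10.10.2"   # alias address the other hosts trust

# Problematic rule: $ext_if expands to every address on the interface
# (10.10.10.1 and 10.10.10.2) and pf picks them round-robin, so consecutive
# connections from one VPN client leave with different source addresses.
# nat on $ext_if inet from $vpn_clients to any -> $ext_if

# Corrected rule: always translate to the single alias address.
nat on $ext_if inet from $vpn_clients to any -> $vpn_nat_ip

# OpenVPN itself listens on the alias address, port 443 (TCP assumed).
pass in on $ext_if inet proto tcp from any to $vpn_nat_ip port 443
# Traffic arriving from VPN clients through the tunnel.
pass in on $tun_if inet from $vpn_clients to any
pass out on $ext_if inet from any to any
```

Reload with pfctl -f /etc/pf.conf and check with pfctl -sn that the nat rule shows 10.10.10.2 as its only translation address; pfctl -ss then shows every VPN client state translated to that address.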
I recently built by accident a Nazi-OpenVPN. Its network was 10.8.8.0/24 m) I changed it now to 10.8.7.0…
But why the hell is it illustrated with the awful Atari 2600 Pac-Man‽ t.co/GXS1WtAMa…
TIL: there are bus stops in fare zone A in Berlin with a 30-minute interval during the day on weekdays. The bus has 13 seats… t.co/UxHcZPq8f…
That’s one of those juice/fruit juice drink/nectar things, right?
Now think about how many people spent how much time implementing that… t.co/l1MA9jORK…
Is there a pacifist run of Wolfenstein @GamesDoneQuick? t.co/n9YDFo7W6…
iOS apps sync with iCloud or Dropbox. I thought this cloud location stuff isn’t that hard to integrate… I want to sync with Working Copy
Current state: looking into a book about shell scripts and I wonder which shell they use. sh, or do I need bash? How about other shells?
And I opened up a third branch for my dotfiles. Now I have to figure out, what the easiest way is to bring single files into all branches
Btw. what’s next for Trump? Increasing the no. of nukes the US has, war with some country because of the trade deficit, anything else?
There is atc (air traffic controller game) in the base of #OpenBSD. Where can I find it for #FreeBSD and #Linux?