Current status: t.co/7dUOXigH9…
One of these days I will not only delete the Twitter-client from my phone but will go cold turkey and also delete my accounts…
Did the BSDs see any significant growth since systemd?
I actually like systemd but the stuff that’s coming up recently makes it more and more unlikeable. Well, I want to move to some BSD anyways…
I'm looking for a good science-fiction book. Suggestions? Last books I enjoyed: All Systems Red, Neptune's Brood, Walkaway, Homeland, Nexus trilogy
Very probably I won't either. t.co/DhGIFrIEF…
I blogged: OpenVPN, pf and alias IP addresses t.co/ddyp5SUlZ…
OpenVPN, pf and alias IP addresses
Recently I had to build an OpenVPN server on a FreeBSD machine that already uses port 443. But I wanted to use port 443 for the VPN because its reachability is usually guaranteed. So I added a second IP address to the interface. Let's say for this example the addresses are 10.10.10.1 and 10.10.10.2 (yes, I know... the original host has routable addresses there). Then I followed the few hints I found on the net for NATing through the interface. Since it is FreeBSD and pf is available, I use it of course. After that I opened up the firewalls on the other hosts so that they accept connections from 10.10.10.2.
What is the rule you find when you search the web?
nat on $ext_if inet from $vpn_clients to any -> $ext_if
$ext_if is your interface to the outside world, in my case the one with the two IP addresses. $vpn_clients is the OpenVPN network (by default 10.8.0.0/24).
And then I was in for a surprise. When I connected to the VPN and then tried to reach the hosts behind the NAT via ssh, the following happened: ssh host1 - connection denied; ssh host1 again - please log in. If I waited a short moment instead of immediately trying a second time, the connection was denied again. Other strange behaviour like that was observable too.
What happened? Because $ext_if carries two addresses, FreeBSD NATed each connection through either address 1 or address 2, alternating between them, never consistently through the same one. Since the other hosts only allowed 10.10.10.2, every connection that left as 10.10.10.1 was refused.
What you can do is explicitly define the address you want the NAT to rewrite to. So it becomes:
nat on $ext_if inet from $vpn_clients to any -> $vpn_nat_ip
In this case $vpn_nat_ip is 10.10.10.2.
Another side note: don't add a second interface for the second IP address; use an alias IP on the first network card instead. Otherwise you have to start using routing tables etc. to get your traffic moved correctly through your system.
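A complete pf.conf fragment for the setup described in the post, added here as an example rather than taken from the post's own configuration: the addresses are the post's, while the interface names em0 and tun0 and the rc.conf alias line are assumptions.

```pf
# Macros (em0 is an assumed name for the NIC that carries both addresses)
ext_if      = "em0"
vpn_clients = "10.8.0.0/24"    # OpenVPN's default client network
vpn_nat_ip  = "10.10.10.2"     # the alias address the remote hosts allow in

# The alias itself is configured in /etc/rc.conf, not in pf.conf, e.g.
# (assumed line, FreeBSD convention of a /32 netmask for aliases in the
# same subnet):
#   ifconfig_em0_alias0="inet 10.10.10.2 netmask 255.255.255.255"

# Weak rule: $ext_if expands to every address on the interface, and pf
# picks one of them per connection, so some connections leave as
# 10.10.10.1 and are refused by hosts that only allow 10.10.10.2.
# nat on $ext_if inet from $vpn_clients to any -> $ext_if

# Corrected rule: pin the translation address to the alias.
nat on $ext_if inet from $vpn_clients to any -> $vpn_nat_ip

# Filter rules for the VPN path only; rules for the service that already
# lives on 10.10.10.1:443 are left out. tun0 is the assumed OpenVPN interface.
pass in on $ext_if proto { tcp udp } to $vpn_nat_ip port 443
pass in on tun0 from $vpn_clients
pass out on $ext_if from $vpn_nat_ip
```

Load it with `pfctl -f /etc/pf.conf` and check `pfctl -s state` while a VPN client connects: every state for a client should show 10.10.10.2 as the translated source, never 10.10.10.1.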
I recently built a Nazi OpenVPN by accident. Its network was 10.8.8.0/24 m) I have now changed it to 10.8.7.0…
But why the hell is it illustrated with the awful Atari 2600 Pac-Man‽ t.co/GXS1WtAMa…