BSD, Computer

OpenVPN, pf and alias-IP-adresses

Recently I had to build an OpenVPN-server on a FreeBSD-machine that uses already port 443. But I wanted to use port 443 because its reachability is usually guaranteed. So I added a second IP-address to the interface. Let’s say for this example the adresses are 10.10.10.1 and 10.10.10.21. And then I followed the few hints I found on the net for NATing through the interface. Since it is FreeBSD and I have pf available, I use it of course. And after that I opened up certain hosts to 10.10.10.2 on the other hosts.

What is the rule you find when you google?

nat on $ext_if inet from $vpn_clients to any -> $ext_if

ext_if is your interface to the outside world. In my case the one with the two IP-adresses. $vpn_clients is the openvpn-network2.

And then I was up to a surprise. When I connected to the VPN and then tried to connect to the hosts I wanted to reach through the NAT via ssh the following happened: ssh host1 – connection denied, ssh host1 – please log in. If I waited a short moment instead of trying to connect immediately a second time the connection was denied again. And some other strange behavior like that was observable.

What happend? FreeBSD NATed all the time through either address 1 or address 2 but never through the same.

What you can do is define the address for the NATing you want to rewrite to. So it becomes:

nat on $ext_if inet from $vpn_clients to any -> $vpn_nat_ip

In this case vpn_nat_ip is 10.10.10.2.

Another side-note: you don’t want to add a second interface for the second IP-address but use an alias-IP on the first network card. Otherwise you have to start use routing tables etc. for getting your traffic correctly moved through your system.


  1. Yes, I know…the original host has routable adresses there

  2. by default 10.8.0.0/24

Leave a Reply

Your email address will not be published. Required fields are marked *