Recently I had to build an OpenVPN-server on a FreeBSD-machine that uses already port 443. But I wanted to use port 443 because its reachability is usually guaranteed. So I added a second IP-address to the interface. Let’s say for this example the adresses are 10.10.10.1 and 10.10.10.21. And then I followed the few hints I found on the net for NATing through the interface. Since it is FreeBSD and I have pf available, I use it of course. And after that I opened up certain hosts to 10.10.10.2 on the other hosts.
What is the rule you find when you google?
nat on $ext_if inet from $vpn_clients to any -> $ext_if
ext_if is your interface to the outside world. In my case the one with the two IP-adresses. $vpn_clients is the openvpn-network2.
And then I was up to a surprise. When I connected to the VPN and then tried to connect to the hosts I wanted to reach through the NAT via ssh the following happened: ssh host1 – connection denied, ssh host1 – please log in. If I waited a short moment instead of trying to connect immediately a second time the connection was denied again. And some other strange behavior like that was observable.
What happend? FreeBSD NATed all the time through either address 1 or address 2 but never through the same.
What you can do is define the address for the NATing you want to rewrite to. So it becomes:
nat on $ext_if inet from $vpn_clients to any -> $vpn_nat_ip
In this case vpn_nat_ip is 10.10.10.2.
Another side-note: you don’t want to add a second interface for the second IP-address but use an alias-IP on the first network card. Otherwise you have to start use routing tables etc. for getting your traffic correctly moved through your system.