BSD, Computer

OpenVPN, pf and alias IP addresses

Recently I had to build an OpenVPN server on a FreeBSD machine that already uses port 443. But I wanted OpenVPN on port 443 as well, because that port is usually reachable from anywhere. So I added a second IP address to the interface. Let’s say for this example the addresses are 10.10.10.1 and 10.10.10.2[1]. Then I followed the few hints I found on the net for NATing through the interface. Since it is FreeBSD and I have pf available, I use that of course. And after that I opened up certain hosts to 10.10.10.2, i.e. their firewalls now allow connections from that address.

What is the rule you find when you google?

nat on $ext_if inet from $vpn_clients to any -> $ext_if

$ext_if is your interface to the outside world, in my case the one with the two IP addresses. $vpn_clients is the OpenVPN client network[2].

And then I was in for a surprise. When I connected to the VPN and tried to reach the hosts behind the NAT via ssh, the following happened: ssh host1 – connection denied; ssh host1 again – please log in. If I waited a short moment instead of retrying immediately, the connection was denied again. Other strange behaviour of that kind was observable as well.

What happened? pf expands $ext_if to all addresses on the interface, so it translated the VPN clients’ connections to either 10.10.10.1 or 10.10.10.2, switching between them rather than sticking to one. Only the connections that happened to leave with source 10.10.10.2 got through the other hosts’ firewalls.

What you can do is specify the address pf should rewrite the source to. The rule becomes:

nat on $ext_if inet from $vpn_clients to any -> $vpn_nat_ip

In this case $vpn_nat_ip is 10.10.10.2.

Another side note: you don’t want to add a second interface for the second IP address; use an alias IP on the first network card instead. Otherwise you have to start using routing tables etc. to get your traffic moved correctly through your system.
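As an added example (not from the original post), here is how the pieces fit together: the alias address in rc.conf, OpenVPN bound to that alias so the existing service keeps 10.10.10.1:443, and the pf.conf with the broken rule next to the fixed one. The interface names em0 and tun0 and the use of TCP for OpenVPN are assumptions; the addresses are the ones from the post.

```pf
# /etc/rc.conf (interface name em0 is an assumption): primary address plus alias
# ifconfig_em0="inet 10.10.10.1 netmask 255.255.255.0"
# ifconfig_em0_alias0="inet 10.10.10.2 netmask 255.255.255.255"
# gateway_enable="YES"        # FreeBSD must forward the VPN clients' packets

# OpenVPN server config (relevant lines only): bind to the alias address so the
# service already listening on 10.10.10.1:443 keeps its port. That service must
# be bound to 10.10.10.1 explicitly, not to *:443, or the two will collide.
# local 10.10.10.2
# port 443
# proto tcp-server               # assumed; UDP works the same way
# server 10.8.0.0 255.255.255.0  # OpenVPN's default client network

# /etc/pf.conf
ext_if      = "em0"
vpn_if      = "tun0"
vpn_clients = "10.8.0.0/24"     # the OpenVPN client network
vpn_nat_ip  = "10.10.10.2"      # the alias address, the one the other hosts allow

# Broken: $ext_if expands to every address on em0 (10.10.10.1 and 10.10.10.2),
# so pf spreads the translations over both and the remote hosts see two sources.
# nat on $ext_if inet from $vpn_clients to any -> $ext_if

# Fixed: always translate to the single address the remote firewalls know about.
nat on $ext_if inet from $vpn_clients to any -> $vpn_nat_ip

# Let clients reach OpenVPN on the alias, and let their traffic through.
pass in quick on $ext_if proto tcp to $vpn_nat_ip port 443 keep state
pass in quick on $vpn_if from $vpn_clients to any keep state
# Translation happens before filtering, so the outbound rule must match the
# translated source address, not $vpn_clients.
pass out quick on $ext_if from $vpn_nat_ip keep state
```

Check the result with `pfctl -sn` (the nat rule should show the literal 10.10.10.2) and `pfctl -ss` while a client is connected; every state for a VPN client should carry the same translated source.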


  1. Yes, I know…the original host has routable addresses there

  2. by default 10.8.0.0/24

BSD, Computer, micro

Moved from ports to pkg…besides being a bit of a PITA, it broke Podlove. I have no idea why, but suddenly having Podlove activated blanks out this site. I wonder why…Well, I’ve opened an issue…

But moving to pkg gives me faster updates that I have to think about less. And I don’t have any special options activated anyway. I use up a bit more space, but that’s it. I am running RELEASE anyway…

BSD, Computer, micro

I have now set the laptop up with TrueOS. The only issues that remain are resume, graphics glitches that force me to reboot, and accidental trackpad input.
HardenedBSD 12-CURRENT already caused problems with the WiFi chip, which wasn’t recognized for whatever reason. And when it already starts out that way, I do not necessarily want to go further…