# IPFW, OpenVPN, NAT issue



## babovand (Apr 27, 2013)

Hello forum

I am trying to redirect all my clients' internet traffic through the OpenVPN server; as far as I currently understand, I need NAT enabled on the server in order to do this.

My current network setup is as following, OpenVPN is hosted on the 192.168.2.10 server.

```
Internet - Router (192.168.2.1, NAT enabled here) - Server (192.168.2.10) - OpenVPN (10.1.2.1)
```

I've tried the following IPFW rules

```
ipfw show
00100  8790 1296340 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
00400    10     496 nat 1 ip from 10.1.2.0/24 to any out via tun0
00500   228   15252 nat 1 ip from any to any in via tun0
65535 10459 1504821 allow ip from any to any
```

I can connect to the OpenVPN server without any problems, and also access the network/web services on the 192.168.2.x net, but as you may have guessed, no internet access through the OpenVPN server. I have enabled gateway_enable=yes and also net.inet.ip.forwarding=1.

What am I missing here? Also I would appreciate any commands and/or scripts you can provide, since I am a total beginner when it comes to IPFW commands.

Thanks.


----------



## babovand (Apr 27, 2013)

Solved the problem; now I have another one. I added these lines instead and changed the interface from tun0 to em0:

```
ipfw nat 1 config if em0
ipfw add nat 1 all from 10.1.2.0/24 to any out via em0
ipfw add nat 1 all from any to any in via em0
```

And it redirects all traffic when connected!

But now I want the traffic to go through stunnel; without stunnel, OpenVPN connects fine from the internet.

Setup: Stunnel server and OpenVPN server are on the same server.

```
OpenVPN client connects to stunnel client on the same machine (client PC) on port 6521
stunnel client connects to stunnel server to external IP on port 7589
stunnel server connects to OpenVPN server (localhost 6521)
```

Stunnel client conf:

```
[openvpn]
client = yes
accept = 127.0.0.1:6521
connect = 81.1x.x.x:7589
```

Stunnel server conf:

```
[openvpn]
accept=7589
connect=127.0.0.1:6521
```

If I turn NAT off on the server, I can connect to OpenVPN via stunnel; when NAT is on, no connection to the OpenVPN server is made.

So, quick summary: connecting directly to the OpenVPN server redirects all traffic fine; connecting to the OpenVPN server via stunnel gives no connection at all.

EDIT: after some reading, I think I need to allow IPFW to make a localhost connection from the stunnel server to the OpenVPN server.

Or that I have to open a port for stunnel in IPFW.

EDIT 2: I added

```
ipfw add allow all from any to me via lo0
```

No difference.

EDIT 3: I think I need to allow the stunnel port through the firewall, does anyone know how to do this?


----------
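When a ruleset like the ones in both posts above does not behave as expected, the first thing to check is the packet and byte counters in `ipfw show`: they tell you which rules traffic is actually hitting (for instance, whether a `nat` rule is matching at all, and on which interface). The parser below is an added example, not code from the thread; it reads the `ipfw show` output exactly as posted in the first message and reports which `nat` rules have matched traffic and which interfaces they are bound to.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# `ipfw show` output copied from the first post above (counters as posted).
IPFW_SHOW = """\
00100  8790 1296340 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
00400    10     496 nat 1 ip from 10.1.2.0/24 to any out via tun0
00500   228   15252 nat 1 ip from any to any in via tun0
65535 10459 1504821 allow ip from any to any
"""

# `ipfw show` prints: <rule number> <packets> <bytes> <action> <rest of rule>
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")
# Optional direction keyword followed by the interface, e.g. "out via tun0" or "via lo0"
VIA_RE = re.compile(r"(?:\b(in|out)\s+)?\bvia\s+(\S+)")


@dataclass
class Rule:
    number: int
    packets: int
    nbytes: int
    action: str                # allow, deny, nat, ...
    body: str                  # remainder of the rule text after the action
    direction: Optional[str]   # "in" / "out" when the rule restricts direction
    interface: Optional[str]   # interface named after "via", if any


def parse_ipfw_show(text: str) -> List[Rule]:
    """Parse `ipfw show` output into Rule records; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the echoed "ipfw show" command or a blank line
        num, pkts, byts, action, body = m.groups()
        via = VIA_RE.search(body)
        rules.append(Rule(int(num), int(pkts), int(byts), action, body,
                          via.group(1) if via else None,
                          via.group(2) if via else None))
    return rules


def nat_hits(rules: List[Rule]) -> List[int]:
    """Numbers of nat rules that have matched at least one packet."""
    return [r.number for r in rules if r.action == "nat" and r.packets > 0]


def nat_interfaces(rules: List[Rule]) -> List[str]:
    """Interfaces the nat rules are bound to (the second post moved this from tun0 to em0)."""
    return sorted({r.interface for r in rules if r.action == "nat" and r.interface})
```

Run it against the live output with `parse_ipfw_show(subprocess.check_output(["ipfw", "show"], text=True))` on the server to see whether the counters on the `nat` rules move while a client is connected.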

