# Forwarding packets generated through a VPN connection to a different subnet



## manas (Dec 8, 2014)

Hello,

I have an OpenVPN server that is configured to hand out IP addresses on the 10.8.0.0/24 network; it creates a tun0 device. I also have an interface on the machine that is configured with the IP 10.8.1.11; this is on the em1 interface. I am able to ping other machines on the 10.8.1.0/24 network from the machine. However, as an OpenVPN client, when I try to ping any address on the 10.8.1.0/24 network other than 10.8.1.11, I do not receive a response. My attempt at making this work was through using NAT with PF. This is the line in my /etc/pf.conf:


```
nat on tun0 from 10.8.0.0/24 to 10.8.1.0/24 -> (em1)
```

When I run `tcpdump -i tun0` on the machine I see the ICMP packets being generated by the OpenVPN client. However when I do `tcpdump -i em1` I do not see any traffic.
Please let me know how this can be configured.

Thanks,
Manas


----------



## manas (Dec 8, 2014)

Sorry `sysctl net.inet.ip.forwarding` was 0.
I have now changed it to 1. I can see packets on the em1 interface but the packet still originates from 10.8.0.0/24 instead of 10.8.1.0/24.


----------



## manas (Dec 9, 2014)

This is what I have come up with, which still does not work:

```
rdr on tun0 from 10.8.0.0/24 to 10.8.1.0/24 -> (em1)
nat on em1 from 10.8.0.0/24 to 10.8.1.0/24 -> (em1)
rdr on em1 from 10.8.1.0/24 to 10.8.0.0/24 -> (tun0)
```


----------



## Oko (Dec 9, 2014)

Have you actually bothered to read and understand the server configuration file /usr/local/etc/openvpn/server.conf? Semicolons (`;`) are used to comment out lines.

```
# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
```
or something like this:

```
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client
```
If your OpenVPN server listens on UDP 1194, pass in that port but don't filter traffic on tun0, assuming that is your server interface. Once you get things working, append rules to your pf.conf to filter on tun0. Very complex firewall NAT options are available.

The above is meant only as an invitation for you to read at least the configuration file which comes with the server. OpenVPN is one of the few rare examples of the Linux community producing exceptional documentation.


----------



## kpa (Dec 9, 2014)

manas said:


> This is what I have come up with which still does not work:
> 
> 
> ```
> ...



Cut it down to just this and it should work. I changed the destination to any because the NAT is applied to traffic leaving via the interface. Anything that doesn't leave the interface is not affected. Make sure your filter rules are allowing the traffic as well.


----------



## manas (Dec 9, 2014)

Oko said:


> Have you actually bothered to read and understand the server configuration file /usr/local/etc/openvpn/server.conf? Semicolons (`;`) are used to comment out lines.
> 
> 
> ```
> ...



Yes, I have added this to the OpenVPN configuration file. This is the line I have:

```
push "route 10.8.1.0 255.255.255.0"
```
Without this line, I doubt the tun0 interface would even be receiving the traffic directed towards 10.8.1.0/24, as I have not redirected the gateway for the clients. There are no filtering rules in my pf.conf; it is entirely redirects and NATs. Thanks for your response.



kpa said:


> Cut it down to just this and it should work. I changed the destination to any because the NAT is applied to traffic leaving via the interface. Anything that doesn't leave the interface is not affected. Make sure your filter rules are allowing the traffic as well.



Thank you, I will try your suggestion and update this post. I am not doing any filtering in my pf.conf; it is very basic.

Edit:
It works now, thanks so much kpa!
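
For reference, here is the setup the thread converges on, written up as an added example rather than configuration posted by anyone in the thread. Interface names, the address pool, the LAN subnet and the UDP 1194 port come from the posts; the exact rule kpa suggested is not reproduced on this page, so the `nat on em1` line is my reading of that description (translation applied on the egress interface, which is why the original `nat on tun0` rule never rewrote anything). The filter rules at the end are the part Oko recommends adding once forwarding works, so VPN clients can reach only the LAN subnet rather than everything the server can route to:

```pf
# /etc/pf.conf (added example assembled from the thread; in FreeBSD's pf the
# order matters: macros and options first, then translation rules, then filters)

ext_if  = "em1"          # LAN-facing interface, 10.8.1.11/24 (from the thread)
vpn_if  = "tun0"         # interface the OpenVPN server creates
vpn_net = "10.8.0.0/24"  # address pool handed out to VPN clients
lan_net = "10.8.1.0/24"  # subnet behind the server that clients should reach

set skip on lo0

# Translation. NAT is evaluated on the interface a packet LEAVES through, so the
# rule belongs on em1, not tun0. Rewriting the source to em1's address also means
# the other 10.8.1.0/24 hosts need no route back to the 10.8.0.0/24 pool, which
# is why plain forwarding produced no replies. kpa's version is assumed to use
# "to any"; "to $lan_net" is the narrower form and is used here.
nat on $ext_if from $vpn_net to $lan_net -> ($ext_if)

# Filtering. Default deny inbound; outbound traffic and its replies are stateful.
block in all
pass out all keep state

# OpenVPN itself: the server is assumed to listen on UDP 1194, as Oko mentions.
pass in on $ext_if proto udp from any to ($ext_if) port 1194 keep state

# VPN clients may reach the LAN subnet and nothing else via the server; any other
# destination arriving on tun0 falls through to "block in all" above.
pass in on $vpn_if from $vpn_net to $lan_net keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s nat` shows the loaded translation rule and `pfctl -s state` shows the translated sessions once a client pings a LAN host. Forwarding must also survive a reboot: `gateway_enable="YES"` in /etc/rc.conf sets `net.inet.ip.forwarding=1` at boot, rather than the one-off `sysctl` change manas made. On the OpenVPN side, the thread's `push "route 10.8.1.0 255.255.255.0"` in server.conf is what makes the clients send 10.8.1.0/24 traffic into the tunnel in the first place.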


----------

