# OpenVPN PF NAT: Can't connect to server.



## bryn1u (Nov 3, 2017)

Hello guys,

I have been trying to configure my OpenVPN for 2 days. I can't solve it. I really don't know what I'm doing wrong.


```
local 91.121.78.120
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Allow clients to "see" each other.
client-to-client
keepalive 10 120
comp-lzo
max-clients 16
user nobody
group nobody
persist-key
persist-tun

cipher AES-256-CBC
ca /usr/local/etc/openvpn/easy-rsa/keys/ca.crt
cert /usr/local/etc/openvpn/easy-rsa/keys/server.crt
key /usr/local/etc/openvpn/easy-rsa/keys/server.key
dh /usr/local/etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /usr/local/etc/openvpn/easy-rsa/ta.key 0

status /usr/local/etc/openvpn/openvpn-status.log
verb 4
mute 20
mute-replay-warnings

# Uncomment the following if you're running a local DNS cache (such as unbound),
# and want to instruct your clients to use it. In that case, don't forget to
# update Unbound configuration too, to accept requests on the 10.8.0.0/24
# network.
#push "dhcp-option DNS 10.8.0.1"
push "redirect-gateway"
push "redirect-gateway def1 bypass-dhcp"
```

When I want to connect to the OpenVPN server I'm getting an issue like:

```
[bryn1u@bryn1u openvpn]$ openvpn --config client.ovpn
Fri Nov  3 18:15:58 2017 OpenVPN 2.4.4 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017
Fri Nov  3 18:15:58 2017 library versions: OpenSSL 1.1.0f-fips  25 May 2017, LZO 2.08
Fri Nov  3 18:15:58 2017 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Fri Nov  3 18:15:58 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]91.121.78.120:1194
Fri Nov  3 18:15:58 2017 UDP link local (bound): [AF_INET][undef]:1194
Fri Nov  3 18:15:58 2017 UDP link remote: [AF_INET]91.121.78.120:1194
```

pf.conf

```
# The ext_if name is probably different on your system...
ext_if = "em0"
vpn_if = "tun0"
vpn_net = "10.8.0.0/24"

nat on ! $vpn_if from $vpn_net to any -> ($ext_if)
```

rc.conf

```
ifconfig_em0="inet 91.121.78.120 netmask 255.255.255.0 broadcast 91.121.78.255"
defaultrouter="91.121.78.254"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
```

ifconfig

```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
    ether 00:25:90:55:fb:de
    hwaddr 00:25:90:55:fb:de
    inet 91.121.78.120 netmask 0xffffff00 broadcast 91.121.78.255
    inet6 fe80::225:90ff:fe55:fbde%em0 prefixlen 64 scopeid 0x1
    inet6 2001:41d0:1:8378:: prefixlen 64
    nd6 options=8063<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL,NO_RADR,DEFAULTIF>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: lo
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet 10.8.0.1 --> 10.8.0.2  netmask 0xffffffff
    nd6 options=b<PERFORMNUD,ACCEPT_RTADV,IFDISABLED>
    groups: tun
    Opened by PID 64735
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
    groups: pflog
```

client vpn

```
[bryn1u@bryn1u openvpn]$ cat client.ovpn
dev tun
remote 91.121.78.120 1194
client
tls-client
verify-x509-name server name
ns-cert-type server
#tls-auth ta.key 1
ca ca.crt
cert bryn1u.crt
key bryn1u.key
cipher AES-256-CBC
comp-lzo
ping-timer-rem
resolv-retry infinite
persist-tun
persist-key
verb 1
ping 15
ping-restart 30
```

Can someone explain to me what's wrong? I would be really grateful.
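
As an added example (not part of bryn1u's post or anything else in this thread), the check below cross-references the server config and client.ovpn posted above for the options that have to agree on both ends: whether tls-auth is present and with complementary key directions, cipher, comp-lzo, device type, and the port/protocol the client's `remote` line targets versus what the server listens on. The two config strings are trimmed copies of the ones in the post; the function names are my own. Run on the posted pair it reports that tls-auth is configured only on the server, because the client's `tls-auth ta.key 1` line is commented out; a server with tls-auth enabled discards packets that carry no valid HMAC, so the client sees nothing beyond the link-up lines until the TLS handshake times out.

```python
"""Cross-check an OpenVPN server config against a client config for the
options that must agree on both ends (tls-auth and its key direction,
cipher, compression, device type, protocol and port).  Added example; the
two configs below are constructed from the ones posted in this thread."""

# Constructed from the server config in the post (only the options that matter here).
SERVER_CONF = """\
local 91.121.78.120
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
tls-auth /usr/local/etc/openvpn/easy-rsa/ta.key 0
"""

# Constructed from client.ovpn in the post; note tls-auth is commented out there.
CLIENT_CONF = """\
dev tun
remote 91.121.78.120 1194
client
#tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
"""


def parse_openvpn(text):
    """Return {option: [args...]} for every active line; lines beginning
    with '#' or ';' are comments.  A repeated option overwrites the earlier
    value, which is how OpenVPN treats single-value options."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def tls_auth_direction(opts):
    """Key direction is either the 2nd tls-auth argument or a separate
    key-direction option; None means bidirectional (no direction given)."""
    ta = opts["tls-auth"]
    if len(ta) > 1:
        return ta[1]
    return opts.get("key-direction", [None])[0]


def dev_type(opts):
    """'tun'/'tap' regardless of a unit number such as tun0."""
    dev = opts.get("dev")
    return dev[0].rstrip("0123456789") if dev else None


def check_pair(server_text, client_text):
    """Return a list of findings; an empty list means the two ends agree."""
    s, c = parse_openvpn(server_text), parse_openvpn(client_text)
    findings = []

    # tls-auth must be on both sides or neither: with it enabled on one
    # side only, that side drops the other's packets as unauthenticated and
    # the client just sits there until the TLS handshake times out.
    if ("tls-auth" in s) != ("tls-auth" in c):
        only = "server" if "tls-auth" in s else "client"
        findings.append(f"tls-auth is configured only on the {only}")
    elif "tls-auth" in s:
        dirs = {tls_auth_direction(s), tls_auth_direction(c)}
        if dirs != {None} and dirs != {"0", "1"}:
            findings.append(f"tls-auth key directions are not complementary: {sorted(dirs, key=str)}")

    # Options that must be identical on both ends (None = not set).
    for opt in ("cipher", "comp-lzo"):
        if s.get(opt) != c.get(opt):
            findings.append(f"{opt} differs: server={s.get(opt)} client={c.get(opt)}")
    if dev_type(s) != dev_type(c):
        findings.append(f"dev differs: server={dev_type(s)} client={dev_type(c)}")

    # Transport: the client's 'remote host [port] [proto]' must hit the
    # server's port/proto; both default to 1194/udp when unspecified.
    remote = c.get("remote", [])
    c_port = remote[1] if len(remote) > 1 else c.get("port", ["1194"])[0]
    c_proto = remote[2] if len(remote) > 2 else c.get("proto", ["udp"])[0]
    s_port = s.get("port", ["1194"])[0]
    s_proto = s.get("proto", ["udp"])[0]
    # tcp-server/tcp-client are the same transport seen from each side.
    if (s_port, s_proto.split("-")[0]) != (c_port, c_proto.split("-")[0]):
        findings.append(f"transport differs: server {s_proto}/{s_port}, client {c_proto}/{c_port}")
    return findings


if __name__ == "__main__":
    for finding in check_pair(SERVER_CONF, CLIENT_CONF) or ["no mismatches found"]:
        print(finding)
```

Pointing `SERVER_CONF` and `CLIENT_CONF` at the real files (`open(path).read()`) is all that is needed to use it on another pair; the matching is deliberately literal, so an option negotiated at runtime (such as the cipher on 2.4 peers that both support NCP) still shows up as a difference for you to judge.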


----------



## ab2k (Nov 6, 2017)

Hi, as far as I see you have 2 problems:

1. your machine must act as a router if you want security/openvpn to work, so in /etc/rc.conf you should add


```
gateway_enable="YES"
```

2. you have a very strange PF ruleset file. I'm just placing a small part of my /etc/pf.conf file from the office router that uses security/openvpn to let our people log on remotely:


```
LOIF = "lo0"
EXTIF = "em0"
VPNIF = "tun0"

# we skip all checks on the local and VPN interfaces here and allow all traffic inbound and outbound;
# usually it works as expected, but some machines need an explicit rule
#
set skip on { $LOIF, $VPNIF }

set block-policy return
set loginterface $EXTIF

scrub in on $EXTIF all fragment reassemble
scrub in on $EXTIF all no-df
scrub out on $EXTIF all random-id

block all
antispoof log quick for { $EXTIF } inet

pass inet proto icmp all icmp-type echoreq keep state
pass inet proto icmp all icmp-type unreach code needfrag keep state

pass out quick on $EXTIF proto tcp from any flags S/SA modulate state
pass out quick on $EXTIF proto { udp, icmp } from any to any keep state

# opening a port for OpenVPN with UDP.
# P.S. I would suggest changing that port to something else (here and in the openvpn config file)
#
pass in quick on $EXTIF proto udp from any to port 1194 keep state

# sometimes the "set skip" operator does not work as expected on some machines,
# so we just explicitly allow OpenVPN traffic with these rules; uncomment them if it does not work.
#
#pass quick on $VPNIF proto tcp from any to any flags S/SA modulate state
#pass quick on $VPNIF proto { udp, icmp } from any to any keep state

# P.S. please note, this ruleset will block all ports that are not opened explicitly in the ruleset. If you
# have any services that you are using (for example sshd_server) you need to open them manually.
#
#pass in quick on $EXTIF proto tcp from any to port ssh modulate state
```

Hope it will help you.
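
As an added example (not from either poster), the script below turns ab2k's two points into a checklist that can be run over an rc.conf and a pf.conf: IP forwarding via `gateway_enable`, and a ruleset that lets the tunnel interface through (by `set skip` or a `pass` rule) and admits UDP 1194 on the external interface whenever a default block is in place, plus a `nat` rule for the VPN subnet, which is what bryn1u's original pf.conf had and ab2k's excerpt leaves out because, as he says, it is only a part of his file. The sample configs are constructed from the two posts; the names `audit`, `expand_pf` and `parse_rc_conf` are mine. pf macros are expanded before matching, but the matching itself is textual, so rulesets that use lists such as `proto { udp, icmp }` for the OpenVPN port need the check adjusted.

```python
"""Sanity-check the FreeBSD router side of an OpenVPN setup: IP forwarding
in rc.conf, and a pf.conf that lets the tunnel through, admits the OpenVPN
port on the external interface and NATs the VPN subnet.  Added example; the
sample configs are constructed from the two posts above."""
import re

# Constructed from bryn1u's post: no gateway_enable, a NAT rule and nothing else.
BRYN1U_RC = '''\
ifconfig_em0="inet 91.121.78.120 netmask 255.255.255.0 broadcast 91.121.78.255"
defaultrouter="91.121.78.254"
openvpn_enable="YES"
'''
BRYN1U_PF = '''\
ext_if = "em0"
vpn_if = "tun0"
vpn_net = "10.8.0.0/24"
nat on ! $vpn_if from $vpn_net to any -> ($ext_if)
'''

# Constructed from ab2k's reply: forwarding on, a default-deny ruleset,
# and (since the post is only an excerpt) no NAT line.
AB2K_RC = 'gateway_enable="YES"\nopenvpn_enable="YES"\n'
AB2K_PF = '''\
LOIF = "lo0"
EXTIF = "em0"
VPNIF = "tun0"
set skip on { $LOIF, $VPNIF }
block all
pass out quick on $EXTIF proto tcp from any flags S/SA modulate state
pass out quick on $EXTIF proto { udp, icmp } from any to any keep state
pass in quick on $EXTIF proto udp from any to port 1194 keep state
'''


def parse_rc_conf(text):
    """Return {name: value} for sh-style name="value" lines, ignoring comments."""
    out = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"?([^"#]*)"?', line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out


def expand_pf(text):
    """Drop comments, collect name = "value" macros and substitute $name
    references, returning the effective rule lines in order."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'(\w+)\s*=\s*"([^"]*)"$', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        rules.append(re.sub(r"\$(\w+)", lambda ref: macros.get(ref.group(1), ref.group(0)), line))
    return rules


def audit(rc_conf, pf_conf, ext_if, vpn_if, vpn_net, port=1194):
    """Return a list of findings; empty means the checklist passes."""
    findings = []
    if parse_rc_conf(rc_conf).get("gateway_enable", "").upper() != "YES":
        findings.append('gateway_enable="YES" missing from rc.conf: packets will not be '
                        f'forwarded between {vpn_if} and {ext_if}')
    rules = expand_pf(pf_conf)
    if any(r.startswith("block") for r in rules):
        # pf passes everything by default; only a ruleset with block rules
        # needs explicit permission for the tunnel and the listening port.
        tunnel_ok = any((r.startswith("set skip") or r.startswith("pass")) and vpn_if in r
                        for r in rules)
        if not tunnel_ok:
            findings.append(f"block rules present but {vpn_if} is neither skipped nor passed")
        port_ok = any(r.startswith("pass in") and f"on {ext_if}" in r and "proto udp" in r
                      and f"port {port}" in r for r in rules)
        if not port_ok:
            findings.append(f"no 'pass in' rule for udp port {port} on {ext_if}")
    if not any(r.startswith("nat") and vpn_net in r for r in rules):
        findings.append(f"no nat rule translating {vpn_net} out via {ext_if}")
    return findings


if __name__ == "__main__":
    for label, rc, pf in (("bryn1u", BRYN1U_RC, BRYN1U_PF), ("ab2k", AB2K_RC, AB2K_PF)):
        print(label, audit(rc, pf, "em0", "tun0", "10.8.0.0/24") or ["ok"])
```

Against the posted files it flags exactly one item per poster: the missing `gateway_enable` for bryn1u, and the absent `nat` rule for ab2k's excerpt; adding the NAT line from bryn1u's pf.conf (with ab2k's macro names) to that excerpt clears the list.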


----------



## SirDice (Nov 8, 2017)

bryn1u said:


> When I want to connect to the OpenVPN server I'm getting an issue like:


I fail to see the issues. There's only one warning about a setting that has been renamed. But that's a warning, not an error. The output shows it's actually trying to connect.


----------

