# OpenVPN routing

## nebu (Jan 8, 2014)

Hi,

I have a VPS running FreeBSD which I want to use as a VPN gateway to the Internet when on the road using public WiFi. I have set up OpenVPN and PF to my best knowledge, but routing just won't work. I can connect clients to the server, ping also works, but I do not get a route to the Internet. Could someone shed some light on my mistakes? The server has a public WAN IP assigned by DHCP (here "1.2.3.4"). The client to test is in a 192.168.0.0/24 subnet. The client receives 10.8.0.6 as IP and 10.8.0.5 as gateway which obviously does not work. I am using the following configuration:

```
#/usr/local/etc/openvpn/server.conf
port 1194
daemon
mode server
proto udp
dev tun0
tls-server
ca      /usr/local/etc/ssl-admin/active/ca.crt
cert    /usr/local/etc/ssl-admin/active/potemkin.crt
key     /usr/local/etc/ssl-admin/active/potemkin.key
dh      /usr/local/etc/ssl-admin/active/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
keepalive 10 60
ping-timer-rem
persist-tun
# Log
mute 3
verb 3
log /var/log/openvpn
status /var/log/openvpn-status
```

```
#/etc/rc.conf
ifconfig_re0="DHCP"
sshd_enable="YES"
gateway_enable="YES"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
```

```
#/etc/pf.conf
if="re0"
vpn_if="tun0"
vpn_net = "10.8.0.0/24"

icmp_types = "echoreq"
open_tcp = "{ 1194, 22 }"
open_udp = "{ 1194, 22 }"
# wan ip
ip = 1.2.3.4

set block-policy drop
set skip on lo0
set limit { states 10000, frags 5000 }
set loginterface re0
set optimization normal
set require-order yes
set fingerprints "/etc/pf.os"
set ruleset-optimization basic

scrub in all fragment reassemble random-id

nat on $if from $vpn_net to any -> $ip

block log all
block return

antispoof quick for $if
pass in quick proto udp from any to port 1194 keep state label "openvpn"

# Pass stuff on the VPN interface
pass quick on $vpn_if keep state

pass in on $if proto tcp from any to any port 22 keep state

pass in on $if proto tcp from any to any port $open_tcp keep state
pass in on $if proto udp from any to any port $open_udp keep state

pass out quick all keep state

pass in on $if inet proto icmp all icmp-type $icmp_types keep state
pass in on $if inet proto udp from any to any port 33433 >< 33626 keep state
```

As stated before, connecting works. The server answers pings on the VPN IP.

I found a couple of tutorials on the web but none of them seem to fit my requirements. Any help would be really appreciated.

Ben

----------


## junovitch@ (Jan 9, 2014)

You are only providing a route to the local subnet. This would work in your /usr/local/etc/openvpn/server.conf. It would redirect all traffic to your VPS including DNS.  This is also assuming the VPN is running a resolver for DNS.

```
push "dhcp-option DNS 10.8.0.1"
push "redirect-gateway def1"
```

Alternatively, you can set up a proxy on the VPS and point your browser to that.  That is actually what I do since I don't want every packet to go through a VPN all the way to my house.  If I update software while on the road there's no reason to have that go through a VPN.  Just web browsing is enough for me.

----------
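As an added example (not part of either post in this thread), here is a small Python checker that ties the two posts together: it parses constructed copies of the three configuration files from the question plus the two `push` lines from the reply, and reports which prerequisite for routing client Internet traffic through the VPS is missing. The prerequisites it knows about are the `redirect-gateway` and `dhcp-option DNS` pushes in server.conf, `gateway_enable="YES"` in rc.conf (IP forwarding), and a pf `nat` rule whose source covers the subnet handed out by the `server` directive. The embedded file contents are constructed copies of what the thread shows with comments and unrelated lines dropped; the check names and messages are ours, and the macro expansion is a simplified reading of pf.conf syntax, not pfctl's parser.

```python
"""Static sanity check for an OpenVPN "Internet gateway" setup on FreeBSD.

Constructed example: audits server.conf, rc.conf and pf.conf (given as
strings) for the pieces that must all be present before a connected
client can reach the Internet through the VPS.
"""
import ipaddress
import re

# Constructed copies of the three files posted in the thread (trimmed).
SERVER_CONF = """\
port 1194
daemon
mode server
proto udp
dev tun0
tls-server
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
keepalive 10 60
persist-tun
"""

RC_CONF = """\
ifconfig_re0="DHCP"
gateway_enable="YES"
openvpn_enable="YES"
pf_enable="YES"
"""

PF_CONF = """\
if="re0"
vpn_if="tun0"
vpn_net = "10.8.0.0/24"
ip = 1.2.3.4
nat on $if from $vpn_net to any -> $ip
block log all
pass in quick proto udp from any to port 1194 keep state
pass quick on $vpn_if keep state
pass out quick all keep state
"""

# The two lines the reply suggests appending to server.conf.
REDIRECT_FIX = 'push "dhcp-option DNS 10.8.0.1"\npush "redirect-gateway def1"\n'


def _lines(text):
    """Yield non-empty lines with comments and surrounding whitespace removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def expand_pf_macros(pf_conf):
    """Return pf.conf rule lines with `$name` macros replaced by their definitions.

    Simplified: handles `name = "value"` / `name=value` only, no lists or nesting.
    """
    macros, rules = {}, []
    for line in _lines(pf_conf):
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*?)"?\s*$', line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(line)
    # Longest names first so a short macro never clobbers a longer one.
    for name in sorted(macros, key=len, reverse=True):
        rules = [r.replace("$" + name, macros[name]) for r in rules]
    return rules


def audit(server_conf, rc_conf, pf_conf):
    """Return a list of findings; an empty list means the gateway path looks complete."""
    findings = []
    srv = list(_lines(server_conf))

    # 1. The subnet the server hands out to clients.
    vpn_net = None
    for line in srv:
        m = re.match(r"^server\s+(\S+)\s+(\S+)$", line)
        if m:
            vpn_net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    if vpn_net is None:
        findings.append("server.conf: no 'server <net> <mask>' directive")

    # 2. Without redirect-gateway the client only learns the pushed routes and
    #    keeps sending Internet traffic to its local (hotspot) default gateway.
    if not any(re.match(r'^push\s+"redirect-gateway\b', line) for line in srv):
        findings.append('server.conf: missing push "redirect-gateway def1" '
                        "(Internet traffic stays on the client's local gateway)")

    # 3. Once everything is redirected, DNS must also be answered through the tunnel.
    if not any(re.match(r'^push\s+"dhcp-option\s+DNS\b', line) for line in srv):
        findings.append('server.conf: no push "dhcp-option DNS ..." '
                        "(clients keep using the hotspot's resolver)")

    # 4. The kernel must forward between tun0 and the WAN interface.
    if not any(re.match(r'^gateway_enable\s*=\s*"?YES"?$', line, re.I)
               for line in _lines(rc_conf)):
        findings.append('rc.conf: gateway_enable="YES" missing (net.inet.ip.forwarding stays 0)')

    # 5. The VPN subnet must be NATed to the WAN address on the way out.
    nat_ok = False
    for rule in expand_pf_macros(pf_conf):
        m = re.match(r"^nat\s+on\s+\S+\s+from\s+(\S+)\s+to\s+\S+\s+->\s+\S+", rule)
        if not m or vpn_net is None:
            continue
        if m.group(1) == "any":
            nat_ok = True
            continue
        try:
            nat_ok |= vpn_net.subnet_of(ipaddress.ip_network(m.group(1), strict=False))
        except ValueError:  # unexpanded macro or garbage; not a match
            pass
    if not nat_ok:
        findings.append("pf.conf: no 'nat on <wan> from <vpn subnet> to any -> <wan ip>' "
                        "covering the VPN subnet")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", SERVER_CONF),
                        ("with the reply's two push lines", SERVER_CONF + REDIRECT_FIX)):
        print(f"--- server.conf {label}")
        for f in audit(conf, RC_CONF, PF_CONF) or ["OK: gateway path looks complete"]:
            print("  ", f)
```

Run against the configs as posted, the checker reports only the two missing `push` lines, which matches the reply: forwarding and NAT were already in place, so the client could reach the server but had no reason to send Internet traffic into the tunnel. With the two lines appended it reports nothing.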