# Routing traffic via OpenVPN



## tx1131 (Apr 14, 2013)

Hi guys, 

I've been trying to push all my desktop's traffic over VPN which I have on a remote FreeBSD server:

Desktop --- Internet --- FreeBSD with OpenVPN

I can connect to the VPN but my traffic is not redirected. I tried billions of PF combinations (this is probably where the issue is) with no luck. I currently have

```
push "redirect-gateway def1"
```

added to openvpn.conf and (not sure of this) added something like this to pf.conf:


```
nat on $ext_if from $vpn_if to any -> EXT_IP
```

After adjusting some PF rules I can ping my LAN interface on the server (which is an alias on its external interface), but can't ping anything outside like 8.8.8.8. Any hints? 

Thanks, 
Konrad


----------



## _martin (Apr 14, 2013)

Hi, 

First - did you try your VPN configuration without PF? If needed for NAT/PAT, apply only those rules and default pass on any direction. Also verify that forwarding is on (IPv4):

```
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1
```


----------



## tx1131 (Apr 15, 2013)

Hello, 

I with PF and some basic rules which doesn't change anything. Also I can confirm that

```
net.inet.ip.forwarding: 1
```

Interesting thing I forgot to copy yesterday is this PF output: 


```
00:00:00.954995 rule 3..16777216/0(match): pass in on tun0: 10.10.10.6 > 8.8.8.8: ICMP echo request, id 1, seq 9, length 40
00:00:00.000030 rule 5..16777216/0(match): pass out on re0: 10.10.10.6 > 8.8.8.8: ICMP echo request, id 1, seq 9, length 40
```

So basically if I understand correctly something is not being NATed out properly? 

BTW: I was following THIS when setting the VPN up:


Thanks, 
Konrad


----------



## tx1131 (Apr 15, 2013)

Hello, 

Many thanks for your answer. 

I wrote a long reply this morning with outputs pasted etc and unfortunately somehow it didn't get posted :\ 

I can confirm that

```
net.inet.ip.forwarding: 1
```

is in place and I also tried enabling only the basic rules and NAT and that didn't change anything. I am still able to ping internal interfaces but nothing outside.

I saw one thing however which I forgot to paste yesterday, which is output from tcpdump showing that PF is letting through my pings from VPN_IP to 8.8.8.8 where VPN_IP is ip of my desktop's vpn interface. Doesn't that mean that something is not being NATed properly? 
My only NAT rule related to VPN is:

```
nat on $ext_if from $vpn_if to any -> EXT_IP
```
as mentioned before. So this means anything passed from the tun0 interface will be NATed, right? Perhaps I should change $vpn_if (which is alias for tun0) to vpn_network ? 

Anyway, when I come back home this evening I can paste some outputs to make things more clear - although I hope the above is clear enough. 

BTW: I used THIS while setting up VPN.

Thanks, 
Konrad


----------



## SirDice (Apr 15, 2013)

tx1131 said:

> I wrote a long reply this morning with outputs pasted etc and unfortunately somehow it didn't get posted :\


Wait for a moderator to release your post.


----------



## tx1131 (Apr 15, 2013)

Yes, seems like I should have  I used to use this forum some time ago and don't recall this feature.


----------



## tx1131 (Apr 15, 2013)

Ok, resolved. 

The main issue was what I wrote earlier:

> My only NAT rule related to VPN is:
>
> ```
> ...
> ```



Changed this to vpn_network, adjusted PF slightly and everything works. Hope someone finds this useful.

Konrad


----------



## kpa (Apr 15, 2013)

Yes of course, this is one of the common mistakes people make with pf(4). If you write

```
from $vpn_if
```

it literally means: traffic initiated from the VPN interface itself, meaning from the sole IP address bound to the interface. What people intend to write is

```
from $vpn_if:network
```

or the vpn_interface macro you used.

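The mistake kpa describes, shown as an added pf.conf fragment (not posted by anyone in this thread). It assumes re0 is the external interface and tun0 the OpenVPN tunnel carrying the 10.10.10.0/24 subnet, matching the addresses in the tcpdump output above; adjust the macros to your own interfaces and subnet.

```pf
# Added example pf.conf fragment, not from the thread.
# Assumed interfaces and subnet: re0 external, tun0 OpenVPN, 10.10.10.0/24 clients.
ext_if  = "re0"
vpn_if  = "tun0"
vpn_net = "10.10.10.0/24"

# WRONG: "$vpn_if" expands to the single address bound to tun0 (the server's
# own tunnel endpoint), so packets from a client such as 10.10.10.6 never
# match this rule and leave re0 untranslated, exactly as the tcpdump showed.
# nat on $ext_if from $vpn_if to any -> ($ext_if)

# CORRECT: translate the whole tunnel subnet. "$vpn_if:network" (kpa's form)
# is the same idea without spelling the subnet out. "($ext_if)" follows the
# interface's current address instead of hard-coding EXT_IP.
nat on $ext_if from $vpn_net to any -> ($ext_if)

# Minimal pass rules for testing; narrow them once routing works.
pass in on $vpn_if from $vpn_net to any
pass out on $ext_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then `pfctl -s nat` shows the translation rule and `pfctl -s state` should list the client's connections with the translated source address.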

----------



## japoc (May 7, 2017)

tx1131 said:


> Changed this to vpn_network, adjusted PF slightly and everything works. Hope someone finds this useful.



VERY useful.



kpa said:


> Yes of course, this is one of the common mistakes people make with pf(4). If you write
>
> ...



Thanks for this clarification. This was VERY useful.


----------

