Community Support Forum
 
  OpenVPN.net  •  Forum Index  •  FAQ  

 Configuring VPN Server on OS X 10.8.2 as Router with NAT ! 
 Post subject: Configuring VPN Server on OS X 10.8.2 as Router with NAT !
PostPosted: Tue Oct 02, 2012 10:24 pm 
OpenVpn Newbie

Joined: Mon Oct 01, 2012 6:12 pm
Posts: 7
Until today I could not find via Google how to configure a VPN server on OS X 10.8.2 as a router with NAT. The network traffic has to be routed from the network interface "tun01" to "en0" (in most cases the interface of the network cable). In all the information I found, one required command is missing. Without this command the VPN server does not act as a router with NAT that forwards requests to the gateway of the server's LAN.

The commands for configuring a VPN Server on OS X 10.8.2 to work as a router with NAT are:

Code:
# enable the ipfw firewall (the divert rule below depends on it) and IP forwarding
sysctl -w net.inet.ip.fw.enable=1
sysctl -w net.inet.ip.forwarding=1
# start the NAT daemon on the LAN interface and divert all IP traffic crossing en0 through it
natd -interface en0
ipfw add divert natd ip from any to any via en0


The command "sysctl -w net.inet.ip.fw.enable=1" is missing in all public hints that can be found via Google.
I could solve the problem because the dependency on this system variable is mentioned in the manual page of the command "ipfw" (man ipfw). It was very difficult to find this additional dependency, and it would be great if this information could be published in many places.

Thanks.


 
 Post subject: Configuration of OS X 10.8.2 with OpenVPN, routing and NAT
PostPosted: Mon Oct 22, 2012 11:35 am 
OpenVpn Newbie

Joined: Mon Oct 01, 2012 6:12 pm
Posts: 7
If the commands for configuring OS X 10.8.2 as a router with NAT are executed at startup by a LaunchDaemon process, there has to be a "sleep 15" in the script, because the network interface needs time to come up; otherwise the network interface won't work at all.

Complete solution for routing and NAT after restart of OS X 10.8.2 server:

1) Create a directory and a script for executing the commands:

Code:
su
mkdir /Library/Application\ Support/vpn
vi /Library/Application\ Support/vpn/enable-vpn-forward-nat.sh


Content for "enable-vpn-forward-nat.sh":
Code:
#!/bin/bash
#
# Sleep is necessary because the network has to be up at the time of the following commands.
# Otherwise the network will not work at all.
#
sleep 15
#
# Enable the ipfw firewall (the divert rule below depends on it) and IP forwarding
sysctl -w net.inet.ip.fw.enable=1
sysctl -w net.inet.ip.forwarding=1
# Start the NAT daemon on the LAN interface and divert all IP traffic crossing en0 through it
natd -interface en0
ipfw add divert natd ip from any to any via en0


Set file "enable-vpn-forward-nat.sh" executable:
Code:
chmod 755 /Library/Application\ Support/vpn/enable-vpn-forward-nat.sh


Create LaunchDaemon "enable-vpn-forward-nat.plist":
Code:
su
vi /Library/LaunchDaemons/enable-vpn-forward-nat.plist


Content for "enable-vpn-forward-nat.plist":
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
                <string>enable-vpn-forward-nat</string>
        <key>ProgramArguments</key>
                <array>
                        <string>/Library/Application Support/vpn/enable-vpn-forward-nat.sh</string>
                </array>
        <key>RunAtLoad</key>
                <true/>
</dict>
</plist>


Important: a path with spaces (such as ".../Application Support/...") does not get the "\" escape character in the .plist file.

Test loading the daemon (check for errors in the console):
Code:
launchctl load /Library/LaunchDaemons/enable-vpn-forward-nat.plist


Now routing and NAT are also available after a restart (i.e. permanently).


 
 Post subject: Re: Configuring VPN Server on OS X 10.8.2 as Router with NAT
PostPosted: Wed Oct 24, 2012 2:50 pm 
OpenVPN User

Joined: Fri Oct 05, 2012 11:32 pm
Posts: 23
Thank you very much! This was necessary to get a working OpenVPN server on OS X Server up and running. See here for a terse description.


 
 Post subject: Re: Configuring VPN Server on OS X 10.8.2 as Router with NAT
PostPosted: Thu Nov 08, 2012 4:23 pm 
OpenVPN User

Joined: Fri Oct 05, 2012 11:32 pm
Posts: 23
I'd like to get this working with a firewall, but am running into DNS problems. Any suggestions for the correct ipfw ruleset would be appreciated.

This ruleset works great:

Code:
add 500 divert natd ip from any to any via en0
add 65535 allow ip from any to any


This ruleset breaks DNS -- I can hit a webserver on the LAN by its IP via an OpenVPN client, but not by domain name:

Code:
# Loopback
add 10 allow all from any to any via lo0
add 11 deny all from any to 127.0.0.0/8
add 12 deny all from 127.0.0.0/8 to any

# Devices
add 300 allow all from any to any via en0
# VPN tun
add 301 allow all from any to any via tun0

# stateful
add 400 check-state
add 401 allow tcp from any to any established
add 402 allow tcp from any to any out
add 403 allow udp from me to any

# OpenVPN
# NAT
add 500 divert natd ip from any to any via en0
# OpenVPN ports
add 501 allow udp from any to any 443,1194

# ssh
add 12302 allow tcp from any to any 22
# all the other services ...

# Block rule
add 65534 deny ip from any to any


The line that breaks things is the last one -- the whole purpose of the firewall. I would have thought that I added all necessary rules above that so that DNS for OpenVPN clients would work, but apparently not. What rule am I missing?


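Added example, not part of the thread and not OpenVPN project code: a small first-match simulator for the ipfw rule subset used in the two rulesets posted above. ipfw walks rules in ascending number order, and the first matching rule with a terminal action (allow, deny, divert) decides what happens to the packet, so where a broad "allow all from any to any via en0" sits relative to the "divert natd ... via en0" rule determines whether NAT is ever applied. The rulesets are copied from the post; the ME set (the server's own addresses) and the sample packets (a VPN client 10.8.0.6 querying a LAN resolver 10.0.1.1) are constructed assumptions. Run it to see which rule each leg of a forwarded packet hits in each ruleset.

```python
"""Added example, not from the thread: a first-match simulator for the ipfw rule
subset used in the two posted rulesets. ipfw walks rules in ascending number order
and the first matching terminal rule (allow, deny, divert) decides, so a broad
'allow all ... via en0' numbered below the divert means the divert is never reached."""
import ipaddress

ME = {"10.0.1.3", "10.8.0.1"}   # constructed: the server's own LAN and tun0 addresses

WORKING = """
add 500 divert natd ip from any to any via en0
add 65535 allow ip from any to any
"""

BROKEN = """
add 10 allow all from any to any via lo0
add 11 deny all from any to 127.0.0.0/8
add 12 deny all from 127.0.0.0/8 to any
add 300 allow all from any to any via en0
add 301 allow all from any to any via tun0
add 400 check-state
add 401 allow tcp from any to any established
add 402 allow tcp from any to any out
add 403 allow udp from me to any
add 500 divert natd ip from any to any via en0
add 501 allow udp from any to any 443,1194
add 12302 allow tcp from any to any 22
add 65534 deny ip from any to any
"""

def parse_rule(line):
    """'add N ACTION [natd] PROTO from SRC to DST [PORTS] [via IF] [established|in|out]'."""
    tok = line.split()
    if not tok or tok[0] != "add":
        return None
    r = {"num": int(tok[1]), "action": tok[2], "proto": "all", "src": "any",
         "dst": "any", "dports": None, "via": None, "established": False, "dir": None}
    if r["action"] == "check-state":
        return r                    # no dynamic rules exist in this model, so it never matches
    rest = tok[3:]
    if r["action"] == "divert":
        rest.pop(0)                 # the divert port name (natd)
    r["proto"] = rest.pop(0)
    r["src"] = rest[rest.index("from") + 1]
    j = rest.index("to")
    r["dst"] = rest[j + 1]
    tail = rest[j + 2:]
    if tail and tail[0][0].isdigit():           # destination port list, e.g. 443,1194
        r["dports"] = {int(p) for p in tail[0].split(",")}
        tail = tail[1:]
    if "via" in tail:
        r["via"] = tail[tail.index("via") + 1]
    r["established"] = "established" in tail
    r["dir"] = "out" if "out" in tail else ("in" if "in" in tail else None)
    return r

def addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r, p):
    if r["action"] == "check-state":
        return False
    if r["proto"] not in ("all", "ip", p["proto"]):
        return False
    if r["dir"] and r["dir"] != p["dir"]:
        return False
    if r["via"] and r["via"] != p["iface"]:
        return False
    if r["established"] and not p.get("established", False):
        return False
    if r["dports"] and p.get("dport") not in r["dports"]:
        return False
    return addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])

def first_match(ruleset, packet):
    """(rule number, action) of the first matching rule, or (None, 'no match')."""
    rules = sorted((r for r in map(parse_rule, ruleset.splitlines()) if r), key=lambda r: r["num"])
    for r in rules:
        if rule_matches(r, packet):
            return r["num"], r["action"]
    return None, "no match"

def trace_forwarded(ruleset, src, dst, proto, dport):
    """A VPN client's packet crosses ipfw twice: in on tun0, then out on en0 (where NAT must happen)."""
    base = {"src": src, "dst": dst, "proto": proto, "dport": dport}
    return {"in tun0": first_match(ruleset, {**base, "iface": "tun0", "dir": "in"}),
            "out en0": first_match(ruleset, {**base, "iface": "en0", "dir": "out"})}

if __name__ == "__main__":
    # constructed: DNS query from VPN client 10.8.0.6 to the LAN resolver 10.0.1.1
    for name, rs in (("working", WORKING), ("broken", BROKEN)):
        print(name, trace_forwarded(rs, "10.8.0.6", "10.0.1.1", "udp", 53))
```

With the two-line ruleset the outbound leg on en0 reaches rule 500 and is diverted to natd; with the longer ruleset the same packet is consumed by rule 300 ("allow all from any to any via en0") before rule 500 is ever evaluated, so whatever leaves en0 carries the client's tun address unchanged. The simulator stops at the first match, whereas real ipfw reinjects a diverted packet at the rule after the divert; that detail does not change which rule is hit first.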
 
 Post subject: Re: Configuring VPN Server on OS X 10.8.2 as Router with NAT
PostPosted: Sun May 05, 2013 9:54 pm 
OpenVpn Newbie

Joined: Sun May 05, 2013 8:21 pm
Posts: 2
Hi, I've attempted to use the suggested commands, but it appears to break things even more - the server is no longer accessible by the clients, and all internet access goes down (remote in or ping from the server to an external website doesn't work).

Any thoughts?

Thread basically repeating what I'm asking: topic12822.html


 
 Post subject: Re: Configuring VPN Server on OS X 10.8.2 as Router with NAT
PostPosted: Sun Oct 27, 2013 12:31 am 
OpenVPN User

Joined: Fri Oct 05, 2012 11:32 pm
Posts: 23
This worked great on Mountain Lion, but no longer works on Mavericks. Now OpenVPN no longer works, and if I run this ipfw script, it breaks my server's internet and LAN access as well! It looks like ipfw and natd are obsolete on OS X, and it's finally time to learn how to implement divert using pfctl.

Has anyone used pfctl with OpenVPN? What are the commands to obtain a divert, as done above with natd/ipfw?

The natd command throws the error on Mavericks:
Quote:
natd: Unable to bind divert socket.: Address already in use


 
 Post subject: Re: Configuring VPN Server on OS X 10.8.2 as Router with NAT
PostPosted: Fri Nov 08, 2013 3:11 pm 
OpenVPN User

Joined: Fri Oct 05, 2012 11:32 pm
Posts: 23
I read The Book of PF and figured it out. The essential pfctl NAT and filter rules are
Code:
nat on en0 from 10.0.0.0/8 to any -> (en0)
pass from { lo0, 10.0.0.0/8 } to any keep state


and you have to do a lot of trial and error to make sure you don't break your access while integrating these rules into OS X Server's basic rule set. A description of the complete setup with the following pf.conf is here.

sudo vi /etc/pf.conf
Code:
# References for modifications:
# The Book of PF by Peter N.M. Hansteen
# http://hints.macworld.com/article.php?story=20121011004626997
# http://blog.scottlowe.org/2013/05/15/using-pf-on-os-x-mountain-lion/
# http://krypted.com/mac-security/a-cheat-sheet-for-using-pf-in-os-x-lion-and-up/

# Options

set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization basic

set skip on lo0

# Normalization

# Scrub incoming packets
scrub in all no-df

#
# com.apple anchor point
#
scrub-anchor "com.apple/*"

# Queueing

# Translation

# OpenVPN Server NAT
#
# The Book of PF, p. 21
int_if = "en0" # macro for internal interface
localnet = "10.0.0.0/8"
nat on $int_if from $localnet to any -> ($int_if)

nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

# Filtering

lan_server = 10.0.1.3

# Antispoof
antispoof log quick for { lo0 en0 }

# Block by default
block in log

# Allow outgoing traffic from NAT'd { lo0, $localnet }
# The Book of PF, p. 21
pass from { lo0, $localnet } to any keep state

# Block to/from illegal destinations or sources
block in log quick from no-route to any

# Allow critical system traffic
pass in quick inet proto udp from any port 67 to any port 68

# Allow ICMP from home LAN
pass in log proto icmp from $lan_server:network

# Allow outgoing traffic
pass out inet proto tcp from any to any keep state
pass out inet proto udp from any to any keep state

# Internet services
internet_udp_services = "{ https, 500, 1194, 1701, 4500, 5060, 5190, 5297, 5298, 5678, 16384 }"
internet_tcp_services = "{ ssh, smtp, https, 143, 587, 993, 995, 1640, 2170, 2195, 2196, 4190,\
5218, 5223, 5190, 5220, 5222, 5298, 8008, 8443, 8800, 8843 }"
pass in quick inet proto tcp from any to { lo0, $lan_server } port $internet_tcp_services
pass in quick inet proto udp from any to { lo0, $lan_server } port $internet_udp_services

# LAN services: block access, except from localnet
lan_udp_services = "{ 5001 }"
lan_tcp_services = "{ domain, auth, nntp, www, 311, 3128, 5001, 5900:5909, 8118, 8123 }"
pass in quick inet proto tcp from { lo0, $localnet } to { lo0, $lan_server } port $lan_tcp_services
pass in quick inet proto udp from { lo0, $localnet } to { lo0, $lan_server } port $lan_udp_services


Offline
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 7 posts ] 


 Who is online 

Users browsing this forum: No registered users and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  


phpBB SEO
[ Time : 0.198s | 14 Queries | GZIP : On ]

 
Index  |  FAQ


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group