Nat on Tun?

  • I have a wrap, the wan is the wireless card and it is a wireless client to an access point.  If I plug in my laptop to the lan port I get dhcp, an ip address and I can surf.  Now the wrap is also an openvpn client to an openvpn server that hands out a default route so all traffic can go through it.  When I start the openvpn client it connects.  If I ssh into the wrap and go to shell I can ping and traceroute the outside world (from the wrap) and it goes through the vpn as it should.  My laptop however attached to lan 1 can not get to the outside world.  I expected that the routing tables would handle it automatically.

    Maybe it is late but I'm stuck.  Any ideas what I should try next?


  • Sounds like a routing problem or maybe the system facing the real WAN does not do nat for the remote subnet that your client is in. Can you show us a traceroute from the client to a public IP and show us a network diagram with IPs of the networks and devices? That would be helpful.

  • I'm not sure if this helps you but it might be worth reading:



  • Ok, I have more info.  It is still not working. First I'll start with the big picture, literally:

  • Ok, I got it to work but not in a way that is useful outside of the lab.  Here are the remaining hurdles:

    I need to use tls auth and there is no way I can see yet to make the upload of the ta.key survive a reboot.  Maybe a full install on a microdrive…

    When I added the line to nat on the tun0 device to the lan subnet it worked, packets were passed from the lan to the tunnel but I don't know how to add the line into the pf.conf file permanently.  It seems to go away when the tunnel goes down and comes back up too and it of course goes away on reboot.

    Thank you for your assistance.
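As an added illustration (not from the thread and not the poster's own configuration), this is what a pf.conf fragment doing the "nat on tun0 for the lan subnet" described above looks like. The interface name sis0 and the subnet 192.168.1.0/24 are assumptions; substitute the real LAN interface and subnet.

```pf
# Added example, not taken from the thread. Interface and subnet are assumed.
lan_if  = "sis0"            # assumed LAN interface on the WRAP
lan_net = "192.168.1.0/24"  # assumed LAN subnet handed out by dhcp
vpn_if  = "tun0"            # OpenVPN client tunnel interface

# Masquerade LAN hosts behind the tunnel endpoint address so the VPN
# server only ever sees traffic from an address it knows how to route back.
# The parentheses around ($vpn_if) make pf re-read the interface address
# every time, so the rule keeps working after the tunnel drops and comes
# back with a different tunnel address instead of having to be re-added.
nat on $vpn_if from $lan_net to any -> ($vpn_if)

# Allow the LAN in and let translated traffic out over the tunnel.
pass in  on $lan_if from $lan_net to any keep state
pass out on $vpn_if keep state
```

After loading the file with `pfctl -f /etc/pf.conf`, `pfctl -s nat` should list the translation rule, and `tcpdump -ni tun0` while the laptop pings a public address should show packets leaving with the tunnel address as source rather than the 192.168.1.x LAN address. Whether the rule survives a reboot depends on how the box regenerates pf.conf, which the thread does not resolve; a hand edit of a generated file is overwritten the next time the configuration is rebuilt.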
