author: Dante Catalfamo 2020-08-16 22:27:57 -0400
committer: Dante Catalfamo 2020-08-16 22:27:57 -0400
commit: 455bf1cd955c53ca21c44ee2179d5c0b238fdbb0 (patch)
tree: 01f672d64b97f6129df7ef613e6747095026cb44
parent: 4eaa9fdde8e1988a115e8315d65eb79dd5105065 (diff)
gateway: More details on NAT
-rw-r--r-- content/posts/openbsd-vpn-gateway/index.org | 8
1 files changed, 7 insertions, 1 deletions
diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org
index 0fbeea5..dbf00de 100644
--- a/content/posts/openbsd-vpn-gateway/index.org
+++ b/content/posts/openbsd-vpn-gateway/index.org
@@ -340,7 +340,7 @@
- =to any= Packets with any destination.
- - =nat-to ($vpn_if)= Translate the IP addresses on the matched
+ - =nat-to ($vpn_if)= [[https://man.openbsd.org/OpenBSD-6.7/pf.conf.5#nat-to][Translate the IP addresses]] on the matched
packets to the address on =$vpn_if=. In this case =$vpn_if=
evaluates to =tun0=.
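Review bot: the link added to the `nat-to ($vpn_if)` bullet pins the pf.conf(5) reference to the OpenBSD 6.7 copy of the manual (`.../OpenBSD-6.7/pf.conf.5#nat-to`). That is fine for reproducibility, but a reader on a later release gets 6.7 semantics without being told so; consider either noting the release next to the link or using the unversioned `https://man.openbsd.org/pf.conf.5#nat-to` so the text follows the current manual.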
@@ -356,6 +356,12 @@
updated. This way pf is always using the IP address currently
assigned to the interface, even if it changes.
+ You might be wondering why we only apply the NAT on outbound
+ connections. Since PF is a stateful firewall, we apply the NAT
+ when we are establishing the outbound connection, and it will
+ remember the mapping for returning packets automatically,
+ including in UDP connections.
+
- =pass out on $vpn_if= Pass packets out on the VPN tunnel
interface.
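Review bot: "including in UDP connections" in the new paragraph will read oddly to careful readers, since UDP has no connections; what PF does is create a state entry for the UDP flow (subject to the UDP state timeouts) and use that entry to reverse the translation on reply packets, exactly as it does for TCP. Suggest rewording along the lines of "PF keeps state for UDP flows as well, so the translated mapping is reversed for UDP replies too, for as long as the state entry has not timed out." It would also help to state explicitly why the match rule only needs to translate the outbound direction: reply packets are looked up in the state table before the ruleset is evaluated, so the `nat-to` on the `match out` rule is applied once, when the state is created, and never has to match the returning traffic.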