diff options
| author | Dante Catalfamo | 2020-08-16 22:27:57 -0400 |
|---|---|---|
| committer | Dante Catalfamo | 2020-08-16 22:27:57 -0400 |
| commit | 455bf1cd955c53ca21c44ee2179d5c0b238fdbb0 (patch) | |
| tree | 01f672d64b97f6129df7ef613e6747095026cb44 /content/posts | |
| parent | 4eaa9fdde8e1988a115e8315d65eb79dd5105065 (diff) | |
| download | blog-455bf1cd955c53ca21c44ee2179d5c0b238fdbb0.tar.gz blog-455bf1cd955c53ca21c44ee2179d5c0b238fdbb0.tar.bz2 blog-455bf1cd955c53ca21c44ee2179d5c0b238fdbb0.zip | |
gateway: More details on NAT
Diffstat (limited to 'content/posts')
| -rw-r--r-- | content/posts/openbsd-vpn-gateway/index.org | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org index 0fbeea5..dbf00de 100644 --- a/content/posts/openbsd-vpn-gateway/index.org +++ b/content/posts/openbsd-vpn-gateway/index.org @@ -340,7 +340,7 @@ - =to any= Packets with any destination. - - =nat-to ($vpn_if)= Translate the IP addresses on the matched + - =nat-to ($vpn_if)= [[https://man.openbsd.org/OpenBSD-6.7/pf.conf.5#nat-to][Translate the IP addresses]] on the matched packets to the address on =$vpn_if=. In this case =$vpn_if= evaluates to =tun0=. @@ -356,6 +356,12 @@ updated. This way pf is always using the IP address currently assigned to the interface, even if it changes. + You might be wondering why we only apply the NAT on outbound + connections. Since PF is a stateful firewall, we apply the NAT + when we are establishing the outbound connection, and it will + remember the mapping for returning packets automatically, + including in UDP connections. + - =pass out on $vpn_if= Pass packets out on the VPN tunnel interface. |