Diffstat (limited to 'content')
-rw-r--r-- content/posts/openbsd-vpn-gateway/index.org | 8
1 files changed, 7 insertions, 1 deletions
diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org
index 0fbeea5..dbf00de 100644
--- a/content/posts/openbsd-vpn-gateway/index.org
+++ b/content/posts/openbsd-vpn-gateway/index.org
@@ -340,7 +340,7 @@
- =to any= Packets with any destination.
- - =nat-to ($vpn_if)= Translate the IP addresses on the matched
+ - =nat-to ($vpn_if)= [[https://man.openbsd.org/OpenBSD-6.7/pf.conf.5#nat-to][Translate the IP addresses]] on the matched
packets to the address on =$vpn_if=. In this case =$vpn_if=
evaluates to =tun0=.
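Review bot: the new pf.conf(5) link on the =nat-to= bullet is pinned to the OpenBSD-6.7 manual (`https://man.openbsd.org/OpenBSD-6.7/pf.conf.5#nat-to`), so it will describe 6.7 semantics forever while the rest of the post moves on; that is the right choice only if the post states elsewhere that it targets 6.7, otherwise the unversioned `https://man.openbsd.org/pf.conf.5#nat-to` tracks the current release and stays consistent with the other man page references. It would also read more naturally to link the option name itself rather than the words "Translate the IP addresses", since readers scanning the list look for =nat-to=, not for the verb.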
@@ -356,6 +356,12 @@
updated. This way pf is always using the IP address currently
assigned to the interface, even if it changes.
+ You might be wondering why we only apply the NAT on outbound
+ connections. Since PF is a stateful firewall, we apply the NAT
+ when we are establishing the outbound connection, and it will
+ remember the mapping for returning packets automatically,
+ including in UDP connections.
+
- =pass out on $vpn_if= Pass packets out on the VPN tunnel
interface.
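Review bot: "including in UDP connections" in the added paragraph is imprecise, because UDP has no connections; what PF actually does is create a state entry for a UDP (and ICMP) flow exactly as it does for TCP, keyed on the address and port pair, and it is that state entry which carries the NAT mapping for the reply packets. Suggest "including for UDP, which has no connection of its own, because PF tracks it as a flow in the state table". The explanation also silently depends on the =pass out on $vpn_if= rule keeping state; that is PF's default (=keep state= is implied on every =pass= rule), but one sentence saying so would tell a reader who has written =no state= somewhere why the return path would then stop working.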