From 455bf1cd955c53ca21c44ee2179d5c0b238fdbb0 Mon Sep 17 00:00:00 2001 From: Dante Catalfamo Date: Sun, 16 Aug 2020 22:27:57 -0400 Subject: gateway: More details on NAT --- content/posts/openbsd-vpn-gateway/index.org | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'content') diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org index 0fbeea5..dbf00de 100644 --- a/content/posts/openbsd-vpn-gateway/index.org +++ b/content/posts/openbsd-vpn-gateway/index.org @@ -340,7 +340,7 @@ - =to any= Packets with any destination. - - =nat-to ($vpn_if)= Translate the IP addresses on the matched + - =nat-to ($vpn_if)= [[https://man.openbsd.org/OpenBSD-6.7/pf.conf.5#nat-to][Translate the IP addresses]] on the matched packets to the address on =$vpn_if=. In this case =$vpn_if= evaluates to =tun0=. @@ -356,6 +356,12 @@ updated. This way pf is always using the IP address currently assigned to the interface, even if it changes. + You might be wondering why we only apply the NAT on outbound + connections. Since PF is a stateful firewall, we apply the NAT + when we are establishing the outbound connection, and it will + remember the mapping for returning packets automatically, + including in UDP connections. + - =pass out on $vpn_if= Pass packets out on the VPN tunnel interface. -- cgit v1.2.3
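Review bot: in the first hunk, the =nat-to= link is pinned to the 6.7 manual (https://man.openbsd.org/OpenBSD-6.7/pf.conf.5#nat-to), which will go stale as releases roll; unless the post deliberately targets 6.7, the unversioned https://man.openbsd.org/pf.conf.5#nat-to tracks the current release and keeps the anchor.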
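Review bot: the second hunk's new paragraph says the mapping is remembered "including in UDP connections", but UDP is connectionless; what pf actually keeps is a state entry keyed on the source/destination addresses and ports, with an idle timeout, and reply datagrams that match that entry are translated back. Suggest rewording to something like "this works for UDP as well, because pf creates a state entry for it; once that state times out, unsolicited inbound packets to the translated address are simply dropped", which also spells out why outbound-only =nat-to= is sufficient. Minor style point in the same paragraph: "PF" should be lowercase "pf" to match the surrounding text ("This way pf is always using ...").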