I have been struggling to put my networking knowledge to use with my FreeBSD box in Singapore so that I can access content from there.
I originally used a client-based OpenVPN installation over a tun (layer 3) interface. That worked well enough on desktops, but the connection quality was poor and it drained the battery on my Android devices.
I bought an embedded AMD device with twin Ethernet NICs and planned to use it as my gateway, but my home internet connection is VDSL, so I had to buy a consumer router just to get online.
My original topology was like this:
VDSL -> Consumer router -> NAT -> FreeBSD box -> OpenVPN tunnel -> NAT -> WiFi network
That was dreadful: three layers of NAT. It was glitchy and slow.
I finally settled on an OpenVPN tap (layer 2) interface with multiple OSPF areas. Quagga runs on the DigitalOcean droplet and on my internal FreeBSD firewall (a firewall by name only), so the two exchange routes and hosts on my internal LAN can reach the droplet's proxy service directly.
I also configured static routes on the consumer router so that I can reach the proxy from any of the wireless networks.
The full configuration is fairly complex, but it works very well.
I ran into a snag assigning a fixed VPN address to the internal FreeBSD firewall.
Here is how I got it working:
1.) Create the client-config directory (the server config must point at it with client-config-dir /usr/local/etc/openvpn/ccd, or nothing below is ever consulted):
# mkdir -p /usr/local/etc/openvpn/ccd
2.) Create an empty DEFAULT file; OpenVPN falls back to it for any client that has no file of its own:
# touch /usr/local/etc/openvpn/ccd/DEFAULT
3.) Create /usr/local/etc/openvpn/ccd/<CN>, named exactly after the Common Name of that client's certificate, and add this line (for a tap interface the second argument must be the netmask, not a peer address):
ifconfig-push 172.16.1.2 255.255.255.0
4.) Change ownership and permissions:
# chown -R nobody:nobody /usr/local/etc/openvpn/ccd
# chmod -R 700 /usr/local/etc/openvpn
The execute bit on a directory is what makes it "searchable": without it OpenVPN cannot open the files inside, even if it owns them or belongs to the owning group. Two caveats. OpenVPN looks up ccd files when a client connects, after it has dropped to the user and group named in its config, so that account needs execute on every directory from / down to ccd and read on the ccd files; a root-owned parent directory left at 700 locks it out. And giving nobody ownership is more than it needs: root-owned, group nobody, 750 on the directories and 640 on the files lets the daemon read its client configs but not rewrite them, which matters because a ccd file can push addresses and routes to other clients.
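As an added example (not code from the original post), here is a POSIX sh script that reproduces steps 1 to 4 in a scratch directory using a root-owned, group-readable layout instead of handing ownership to nobody, then checks whether the daemon's group can actually reach the client file and shows what a 700 parent directory does to that check. The client CN fw-internal, the scratch path and the optional group argument are assumptions; do not point it at a live /usr/local/etc/openvpn.

```shell
#!/bin/sh
# Added example, not from the original post. Builds an OpenVPN
# client-config-dir (ccd) as in steps 1-4, with read-only access for the
# daemon's group, and verifies the account OpenVPN drops to can reach it.
# Assumptions: scratch directory from mktemp, client CN "fw-internal".

# ccd_line MODE IP SECOND -> print the ifconfig-push line for one client.
# For tap, and for tun with "topology subnet", SECOND is a netmask; for tun
# with the default net30 topology it is the server-side peer address.
ccd_line() {
    mode=$1; ip=$2; second=$3
    case "$mode" in
        tap|subnet|net30) printf 'ifconfig-push %s %s\n' "$ip" "$second" ;;
        *) printf 'ccd_line: unknown mode %s\n' "$mode" >&2; return 1 ;;
    esac
}

# setup_ccd BASE CN IP MASK [GROUP] -> create BASE/ccd, an empty DEFAULT
# fallback and BASE/ccd/CN holding the ifconfig-push line for a tap server.
# CN must equal the Common Name in the client's certificate, and the server
# config needs "client-config-dir BASE/ccd" or none of this is consulted.
setup_ccd() {
    base=$1; cn=$2; ip=$3; mask=$4; grp=$5
    mkdir -p "$base/ccd"
    : > "$base/ccd/DEFAULT"
    ccd_line tap "$ip" "$mask" > "$base/ccd/$cn"
    # Least privilege: the installer keeps ownership; the daemon's group only
    # gets search (x) on the directories and read (r) on the files.
    if [ -n "$grp" ]; then
        chgrp "$grp" "$base" "$base/ccd" "$base/ccd/DEFAULT" "$base/ccd/$cn"
    fi
    chmod 750 "$base" "$base/ccd"
    chmod 640 "$base/ccd/DEFAULT" "$base/ccd/$cn"
}

# ccd_reachable BASE CN -> succeed only if a member of the files' group (the
# account from OpenVPN's "group" directive) can search BASE and BASE/ccd and
# read BASE/ccd/CN. Directories above BASE are assumed traversable (755).
# Reads the symbolic mode column of ls -ld, whose layout is fixed by POSIX,
# so the check behaves the same on FreeBSD and Linux.
ccd_reachable() {
    base=$1; cn=$2
    for d in "$base" "$base/ccd"; do
        case "$(ls -ld "$d" | cut -c7)" in
            x|s) ;;
            *) echo "group cannot search $d" >&2; return 1 ;;
        esac
    done
    case "$(ls -ld "$base/ccd/$cn" | cut -c5)" in
        r) return 0 ;;
        *) echo "group cannot read $base/ccd/$cn" >&2; return 1 ;;
    esac
}

# Demo against a scratch tree, then the failure mode of chmod 700 on the
# parent: the client file is intact but the daemon can no longer get to it.
demo=$(mktemp -d)
setup_ccd "$demo/openvpn" fw-internal 172.16.1.2 255.255.255.0
cat "$demo/openvpn/ccd/fw-internal"
ccd_reachable "$demo/openvpn" fw-internal && echo "ccd reachable by the daemon's group"
chmod 700 "$demo/openvpn"
ccd_reachable "$demo/openvpn" fw-internal || echo "parent at 700 locks the daemon out"
rm -rf "$demo"
```

In production, run setup_ccd as root with the group from the server's group directive as the fifth argument (nobody in the setup above) and with BASE set to the real config directory; the reachability check then tells you before the first client connects whether the privilege drop will break ccd lookups.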
Here is the topology:
Internal FreeBSD config:
FreeBSD Droplet Config:
OpenVPN L2 config (I run two servers):