Messages - porouslolly

#1
One minor tweak to the VPN Connection Status page I'd like to suggest: Under Client Instance Statistics, please add an additional field for the remote hostname that was used to obtain the IP.

Use case/background:
Currently the Remote Host field displays the remote host IP address for an active connection. In my case I have a dozen or so remote hostnames configured, each of which might resolve to several IPs. The hostnames give an indication as to their geographical location. Just looking at the Connection Status I cannot tell which of the hostnames were resolved to obtain the IP. Listing the hostname would help correlate certain hostname entries with poor performance so that they can be removed from the config.
#2
18.1 Legacy Series / Re: OpenVPN Broken
February 05, 2018, 12:26:32 AM
Quote from: kanstin on February 03, 2018, 05:30:55 PM
OK, I found a temporary workaround for me. In the /tmp/rules.debug file there was this:

# nat on openvpn inet from 192.168.6.0/24 to any port 1024:65535 # WIFI to OpenVPN
# nat on openvpn inet from 192.168.7.0/24 to any port 1024:65535 # LAN to OpenVPN

I changed that to this:

nat on openvpn inet from 192.168.6.0/24 to any -> openvpn port 1024:65535 # WIFI to OpenVPN
nat on openvpn inet from 192.168.7.0/24 to any -> openvpn port 1024:65535 # LAN to OpenVPN

And issued this command:

pfctl -f /tmp/rules.debug
And now my openvpn works. So there is an error in the Outbound NAT code that generates that part of the rules file.

Kanstin has hit the nail on the head. I am also using OpenVPN in client mode to redir all my egress traffic to a VPN provider. I troubleshot this for hours and tracked it down to NAT rules. Kanstin's fix worked for me for a few minutes, but anything that triggers the rulebase to reload will rewrite the /tmp/rules.debug file with the bad syntax and comment it back out.

In response I deleted all my OpenVPN NAT rules and re-created them, but that did not have any effect.

It seems this is affecting anyone who went to Firewall: NAT: Outbound and changed it from Automatic to Manual in order to add their own NAT rules.
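A diagnostic for the symptom kanstin and porouslolly describe, added here as an example (not code from the thread or from OPNsense): it scans a pf rules file for outbound NAT rules that were written out commented and without a "->" translation target, and prints each one next to the corrected form used in the post. The rules file path is a parameter; the sample rules are constructed and the "em0" interface in them is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from OPNsense.
# Scans a pf rules file for outbound NAT rules that were emitted commented out
# and carry no "->" translation target: the symptom quoted in the post above.
# Assumes POSIX sh plus awk; the file path is the only parameter.

# Constructed sample in the shape of the /tmp/rules.debug excerpt quoted above
# (the third line is a well-formed rule on a hypothetical WAN interface "em0").
SAMPLE_RULES='# nat on openvpn inet from 192.168.6.0/24 to any port 1024:65535 # WIFI to OpenVPN
# nat on openvpn inet from 192.168.7.0/24 to any port 1024:65535 # LAN to OpenVPN
nat on em0 inet from 192.168.7.0/24 to any -> (em0) port 1024:65535 # LAN to WAN'

# Usage: find_disabled_nat FILE
# Prints each disabled, target-less NAT rule ("DISABLED: ...") and the same
# rule with "-> <iface>" inserted before the port spec ("SUGGEST : ..."), which
# is the form the post applied by hand. Exit 0 if any were found, else 1.
find_disabled_nat() {
    awk '
        /^[ \t]*#[ \t]*nat on / && !/->/ {
            line = $0
            sub(/^[ \t]*#[ \t]*/, "", line)       # drop the leading "#"
            split(line, f, " ")                   # f[1]="nat" f[2]="on" f[3]=iface
            fixed = line
            print "DISABLED: " line
            if (sub(/ port /, " -> " f[3] " port ", fixed))
                print "SUGGEST : " fixed
            else                                  # no port spec to anchor on
                print "SUGGEST : add \"-> " f[3] "\" after the destination"
            n++
        }
        END { exit (n ? 0 : 1) }
    ' "$1"
}

# Usage: count_disabled_nat FILE  (prints the number of such rules)
count_disabled_nat() {
    find_disabled_nat "$1" | grep -c '^DISABLED: '
}

# Demo on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$tmp"
find_disabled_nat "$tmp"
echo "disabled rules: $(count_disabled_nat "$tmp")"
rm -f "$tmp"
```

On the firewall itself, `pfctl -nf /tmp/rules.debug` parses the file without loading it, so a suggested line can be syntax-checked before it is applied with `pfctl -f`.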