Diffstat (limited to 'openvpn.8')
-rw-r--r-- openvpn.8 36
1 files changed, 35 insertions, 1 deletions
diff --git a/openvpn.8 b/openvpn.8
index 164b58e..c5eb3ca 100644
--- a/openvpn.8
+++ b/openvpn.8
@@ -1067,6 +1067,31 @@ and
.B --route-gateway.
.\"*********************************************************
.TP
+.B --client-nat snat|dnat network netmask alias
+This pushable client option sets up a stateless one-to-one NAT
+rule on packet addresses (not ports), and is useful in cases
+where routes or ifconfig settings pushed to the client would
+create an IP numbering conflict.
+
+.B network/netmask
+(for example 192.168.0.0/255.255.0.0)
+defines the local view of a resource from the client perspective, while
+.B alias/netmask
+(for example 10.64.0.0/255.255.0.0)
+defines the remote view from the server perspective.
+
+Use
+.B snat
+(source NAT) for resources owned by the client and
+.B dnat
+(destination NAT) for remote resources.
+
+Set
+.B --verb 6
+for debugging info showing the transformation of src/dest
+addresses in packets.
+.\"*********************************************************
+.TP
.B --redirect-gateway flags...
(Experimental) Automatically execute routing commands to cause all outgoing IP traffic
to be redirected over the VPN.
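Review bot: In the new --client-nat entry, the snat/dnat paragraph says which mode to choose but not which address field is rewritten, and "local view of a resource from the client perspective" against "remote view from the server perspective" is easy to read backwards. Suggest stating for each mode whether the source or the destination address is translated between network and alias, and in which direction across the tunnel, then adding one complete option line built from the two example ranges already given (192.168.0.0/255.255.0.0 and 10.64.0.0/255.255.0.0). The synopsis lists a single netmask while the text writes "alias/netmask", so it is worth one sentence saying the same mask applies to both ranges. Because this is a pushable option that rewrites packet addresses on the client, the --verb 6 hint is useful; consider also saying what a rewritten packet looks like in that output so an operator can confirm the rule did what was intended.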
@@ -2706,7 +2731,7 @@ This option is deprecated, and should be replaced with
which is functionally equivalent.
.\"*********************************************************
.TP
-.B --ifconfig-push local remote-netmask
+.B --ifconfig-push local remote-netmask [alias]
Push virtual IP endpoints for client tunnel,
overriding the --ifconfig-pool dynamic allocation.
@@ -2725,6 +2750,15 @@ are from the perspective of the client, not the server. They may be
DNS names rather than IP addresses, in which case they will be resolved
on the server at the time of client connection.
+The optional
+.B alias
+parameter may be used in cases where NAT causes the client view
+of its local endpoint to differ from the server view. In this case
+.B local/remote-netmask
+will refer to the server view while
+.B alias/remote-netmask
+will refer to the client view.
+
This option must be associated with a specific client instance,
which means that it must be specified either in a client
instance config file using
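Review bot: The meaning of "alias" in this paragraph is the reverse of its meaning in the --client-nat entry added earlier in the same patch: here "local/remote-netmask will refer to the server view while alias/remote-netmask will refer to the client view", whereas for --client-nat the alias is described as the view "from the server perspective". Suggest either using a different parameter name in one of the two options or calling out the difference explicitly, since a reader configuring both is likely to swap the addresses. The paragraph also does not say whether supplying alias sets up the translation by itself or whether a matching --client-nat rule must be pushed as well; one sentence on that, plus a short example line, would make the option usable from the man page alone.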