author | Dante Catalfamo | 2020-08-16 22:00:23 -0400 |
---|---|---|
committer | Dante Catalfamo | 2020-08-16 22:00:23 -0400 |
commit | 0df61717570f217b83321d67ab94114732a435d4 (patch) | |
tree | 42674c61c933d270c3922121c0221694d53882bb | |
parent | 8d2ca4d40295e2d8f2e930437e91c4864c440893 (diff) | |
gateway: describe nat-to rule
-rw-r--r-- | content/posts/openbsd-vpn-gateway/index.org | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org index c961f82..0fff8d7 100644 --- a/content/posts/openbsd-vpn-gateway/index.org +++ b/content/posts/openbsd-vpn-gateway/index.org @@ -339,3 +339,20 @@ =192.168.0.0/24=. - =to any= Packets with any destination. + + - =nat-to ($vpn_if)= Translate the IP addresses on the matched + packets to the address on =$vpn_if=. In this case =$vpn_if= + evaluates to =tun0=. + + Notice that =($vpn_if)= is in parentheses. This tells pf to + re-evaluate the rule when the status of =$vpn_if= + changes. Without this, if the VPN has to restart, and the + interface gets created and destroyed by OpenVPN, or of OpenVPN + starts after pf, the entire firewall configuration would have to + be manually reloaded. + + With the parentheses, this rule will get updated as =tun0= get + updated. This includes going created or destroyed, or even + changing IP addresses. This way it's possible to have OpenVPN + reconnect itself should the connection drop without any user + intervention. |
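Review bot: the added explanation of the parenthesized interface has a few typos that change its meaning and should be fixed before merging: "or of OpenVPN starts after pf" should read "or if OpenVPN starts after pf", "as =tun0= get updated" should be "gets updated", and "This includes going created or destroyed" should be "being created or destroyed". It would also help readers to say precisely what pf tracks here, namely the interface's addresses: with =($vpn_if)= the rule picks up whatever address =tun0= currently holds, which is exactly why an OpenVPN reconnect that recreates the interface or assigns a new address does not require a manual =pfctl= reload, as the last paragraph already argues.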