| author | Dante Catalfamo | 2020-08-16 16:50:08 -0400 | 
|---|---|---|
| committer | Dante Catalfamo | 2020-08-16 16:50:08 -0400 | 
| commit | e2ad5362ca47ee15b6a99a939796e9f0b9373d77 (patch) | |
| tree | 6e994e093c6630bf8e5f7de44b38e22755945d67 /content/posts/openbsd-vpn-gateway | |
| parent | ec2c196f119808dac07927d1fb74cd9c8d6c1fee (diff) | |
vpn-gateway: de-indent sections on sysctl and pf, also add content
Diffstat (limited to 'content/posts/openbsd-vpn-gateway')
| -rw-r--r-- | content/posts/openbsd-vpn-gateway/index.org | 123 | 
1 files changed, 71 insertions, 52 deletions
| diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org index 1b07a26..c581f4c 100644 --- a/content/posts/openbsd-vpn-gateway/index.org +++ b/content/posts/openbsd-vpn-gateway/index.org @@ -1,5 +1,5 @@  #+TITLE: Creating a VPN Gateway with OpenBSD 6.7 -#+DATE: 2020-07-11T13:48:25-04:00 +#+DATE: 2020-08-16T16:35:47-04:00  #+DRAFT: true  #+DESCRIPTION:  #+TAGS[]: openbsd openvpn 
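Review bot: the #+DATE change from 2020-07-11 to 2020-08-16 in this hunk is not mentioned in the commit message, which only describes de-indenting the sysctl and pf sections and adding content; either mention the date bump in the message or hold it until #+DRAFT: true is flipped, since the date will presumably move again when the post is published.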
@@ -200,72 +200,91 @@     This should output your current external IP address, which should     belong to your VPN provider. -** sysctl -   OpenVPN should have already reconfigured the our routing table to -   send all of our traffic over the VPN connection, but how do we pass -   incoming traffic through it? +* sysctl +  OpenVPN should have already reconfigured the our routing table to +  send all of our traffic over the VPN connection, but how do we pass +  incoming traffic through it? -   The first step is to allow the kernel to forward IP packets -   destined for other hosts. To set this option in the kernel we use -   the [[https://man.openbsd.org/man8/sysctl.8][=sysctl(8)=]] command. +  The first step is to allow the kernel to forward IP packets +  destined for other hosts. To set this option in the kernel we use +  the [[https://man.openbsd.org/man8/sysctl.8][=sysctl(8)=]] command. -   #+BEGIN_SRC shell -   doas sysctl net.inet.ip.forwarding=1 -   #+END_SRC +  #+BEGIN_SRC shell +  doas sysctl net.inet.ip.forwarding=1 +  #+END_SRC -   We're also going to want to make this option persistent, so it -   remains even after rebooting. To do this we add the option to our -   [[https://man.openbsd.org/man5/sysctl.conf.5][=sysctl.conf(5)=]], which re-applies =sysctl= options on boot. +  We're also going to want to make this option persistent, so it +  remains even after rebooting. To do this we add the option to our +  [[https://man.openbsd.org/man5/sysctl.conf.5][=sysctl.conf(5)=]], which re-applies =sysctl= options on boot. -   #+BEGIN_SRC shell -   doas sh -c 'echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf' -   #+END_SRC +  #+BEGIN_SRC shell +  doas sh -c 'echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf' +  #+END_SRC -   This can of course also be done with a text editor like =vi= or -   =mg=. +  This can of course also be done with a text editor like =vi= or +  =mg=. 
-   Setting =net.inet.ip.forwarding= to =1= tells the kernel to -   forward any packets it receives that aren't destined for any of its -   interfaces according to its routing table and firewall rules. +  Setting =net.inet.ip.forwarding= to =1= tells the kernel to +  forward any packets it receives that aren't destined for any of its +  interfaces according to its routing table and firewall rules. -** PF -   At this point, we're forwarding the incoming packets out the VPN -   tunnel, but they have no method to find their way back to us. This -   is because when we're forwarding them, they still have their LAN -   (Local Area Network) IP addresses (=192.168.X.X=) as the sender -   address. In order for these to successfully traverse the internet, -   they're going to need a WAN (Wide Area Network) address. That's -   what you might call an external IP. +* PF +  At this point, we're forwarding the incoming packets out the VPN +  tunnel, but they have no method to find their way back to us. This +  is because when we're forwarding them, they still have their LAN +  (Local Area Network) IP addresses (=192.168.0.X=) as the sender +  address. In order for these to successfully traverse the internet, +  they're going to need a WAN (Wide Area Network) address. That's +  what you might call an external IP. -   To accomplish this, we use something called a NAT (Network Address -   Translation). This allows us to map many local (LAN), IP -   addresses to a single external (WAN) IP address. We do this using -   OpenBSD's firewall, PF. +  To accomplish this, we use something called a NAT (Network Address +  Translation). This allows us to map many local (LAN), IP +  addresses to a single external (WAN) IP address. We do this using +  OpenBSD's firewall, PF. -   This is what our new [[http://man.openbsd.org/man5/pf.conf.5][=pf.conf(5)=]] will look like. +  This is what our new [[http://man.openbsd.org/man5/pf.conf.5][=pf.conf(5)=]] will look like. 
-   #+BEGIN_SRC c -   set skip on lo +  #+BEGIN_SRC c +  set skip on lo -   block return # block stateless traffic +  block return # block stateless traffic +  # pass       # establish keep-state -   # By default, do not permit remote connections to X11 -   block return in on ! lo0 proto tcp to port 6000:6010 +  # By default, do not permit remote connections to X11 +  block return in on ! lo0 proto tcp to port 6000:6010 -   # Port build user does not need network -   block return out log proto {tcp udp} user _pbuild +  # Port build user does not need network +  block return out log proto {tcp udp} user _pbuild -   ##################################### -   # VPN -   ##################################### +  ##################################### +  # VPN +  ##################################### -   ext_if = "vio0" +  ext_if = "vio0" -   pass in on $ext_if -   pass out on $ext_if from self # ($ext_if) +  pass in on $ext_if +  pass out on $ext_if from self # ($ext_if) -   match out on tun0 from $ext_if:network to any nat-to (tun0) -   pass out on tun0 -   #+END_SRC +  match out on tun0 from $ext_if:network to any nat-to (tun0) +  pass out on tun0 +  #+END_SRC -   Let's go through this line by line to see what's going on. +  Let's go through this line by line to see what's going +  on. Something that's important to note with pf is that the last +  matching rule determines the fate of a packet. This means that if a +  packet matches a =block= rule, but then matches a =pass= rule +  afterwards and is not blocked again, the packet is allowed through, +  and vice versa. + +  - =set skip on lo= Do not evaluate traffic coming over [[https://man.openbsd.org/man4/lo.4][loopback]] +    devices, this is a default rule and we can leave it. + +  - =block return= Block any packet that doesn't match any =pass= +    rule. The =return= tells pf to block packets, but issue a =TCP +    RST= for TCP packets, and =ICMP UNREACHABLE= for ICMP packets, +    instead of just dropping them. 
+ +  - =# pass= This rule is commented out, but left in for illustrative +    purposes. The default =pf.conf= passes any traffic that isn't +    explicitly blocked. By commenting this line out we are inverting +    that. Everything is blocked unless we explicitly pass it. | 
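Review bot: the explanation of =block return= in the new bullet list is inaccurate; pf's =return= sends a TCP RST for blocked TCP packets and an ICMP UNREACHABLE for blocked UDP packets, and silently drops everything else (including ICMP), so "and =ICMP UNREACHABLE= for ICMP packets" should read "for UDP packets". Two further points in the same hunk: =pass in on $ext_if= admits every inbound packet on vio0 with no source restriction, and if vio0 is also the interface that carries the OpenVPN connection itself, consider limiting the rule to =from $ext_if:network=; given =match out on tun0 from $ext_if:network to any nat-to (tun0)=, the variable names the LAN-facing interface, so =lan_if= would be a clearer name than =ext_if=. The sentence stating that the last matching rule decides a packet's fate should also mention the =quick= keyword, which stops evaluation at that rule. Finally, the de-indented paragraph keeps the typo "reconfigured the our routing table", and =#+BEGIN_SRC c= is not an appropriate language tag for a pf.conf block.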
