author: Dante Catalfamo 2020-08-16 16:24:33 -0400
committer: Dante Catalfamo 2020-08-16 16:24:33 -0400
commit: ec2c196f119808dac07927d1fb74cd9c8d6c1fee (patch)
tree: 766a755b04fbe372ba7cf8ded0edbc579fc416fc /content/posts
parent: 239b1435ee593f887e913e96cef731bb5cb9846f (diff)
vpn-gateway: begin new PF section
Diffstat (limited to 'content/posts')
-rw-r--r--  content/posts/openbsd-vpn-gateway/index.org | 42
1 files changed, 42 insertions, 0 deletions
diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org
index 59082a1..1b07a26 100644
--- a/content/posts/openbsd-vpn-gateway/index.org
+++ b/content/posts/openbsd-vpn-gateway/index.org
@@ -227,3 +227,45 @@
Setting =net.inet.ip.forwarding= to =1= tells the kernel to
forward any packets it receives that aren't destined for any of its
interfaces according to its routing table and firewall rules.
+
+** PF
+ At this point, we're forwarding the incoming packets out the VPN
+ tunnel, but they have no method to find their way back to us. This
+ is because when we're forwarding them, they still have their LAN
+ (Local Area Network) IP addresses (=192.168.X.X=) as the sender
+ address. In order for these to successfully traverse the internet,
+ they're going to need a WAN (Wide Area Network) address. That's
+ what you might call an external IP.
+
+ To accomplish this, we use something called a NAT (Network Address
+ Translation). This allows us to map many local (LAN), IP
+ addresses to a single external (WAN) IP address. We do this using
+ OpenBSD's firewall, PF.
+
+ This is what our new [[http://man.openbsd.org/man5/pf.conf.5][=pf.conf(5)=]] will look like.
+
+ #+BEGIN_SRC c
+ set skip on lo
+
+ block return # block stateless traffic
+
+ # By default, do not permit remote connections to X11
+ block return in on ! lo0 proto tcp to port 6000:6010
+
+ # Port build user does not need network
+ block return out log proto {tcp udp} user _pbuild
+
+ #####################################
+ # VPN
+ #####################################
+
+ ext_if = "vio0"
+
+ pass in on $ext_if
+ pass out on $ext_if from self # ($ext_if)
+
+ match out on tun0 from $ext_if:network to any nat-to (tun0)
+ pass out on tun0
+ #+END_SRC
+
+ Let's go through this line by line to see what's going on.
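Review bot: `pass in on $ext_if` in the VPN block admits every inbound packet on vio0 regardless of source, while the `match out on tun0 from $ext_if:network to any nat-to (tun0)` rule only translates traffic from that one network; a packet arriving on vio0 from any other source would still be passed in, and could be forwarded out by `pass out on tun0` without being NATed. Suggest narrowing the pass rule to the same source set the NAT rule uses, e.g. `pass in on $ext_if from $ext_if:network`, so only the 192.168.X.X LAN clients the prose describes are forwarded. Two smaller points: the variable is named `ext_if` even though its `:network` is the LAN side being NATed, while the surrounding text uses "external" for the WAN address, so `lan_if` (or a comment) would avoid the confusion; and the trailing `# ($ext_if)` on `pass out on $ext_if from self` reads as an editing leftover and should be removed or explained. The `#+BEGIN_SRC c` tag is also misleading for a pf.conf block.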