author: Dante Catalfamo 2020-08-16 16:08:44 -0400
committer: Dante Catalfamo 2020-08-16 16:08:44 -0400
commit: 239b1435ee593f887e913e96cef731bb5cb9846f (patch)
tree: 7093fe5b1bc60ebb6bc277de9b330b3c31273cbb /content
parent: c93a61e79164c112d8df7e22c4145182ea46b794 (diff)
vpn-gateway: add sysctl section
Diffstat (limited to 'content')
-rw-r--r-- content/posts/openbsd-vpn-gateway/index.org | 28
1 file changed, 28 insertions, 0 deletions
diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org
index e1aadd0..59082a1 100644
--- a/content/posts/openbsd-vpn-gateway/index.org
+++ b/content/posts/openbsd-vpn-gateway/index.org
@@ -199,3 +199,31 @@
This should output your current external IP address, which should
belong to your VPN provider.
+
+** sysctl
+ OpenVPN should have already reconfigured the our routing table to
+ send all of our traffic over the VPN connection, but how do we pass
+ incoming traffic through it?
+
+ The first step is to allow the kernel to forward IP packets
+ destined for other hosts. To set this option in the kernel we use
+ the [[https://man.openbsd.org/man8/sysctl.8][=sysctl(8)=]] command.
+
+ #+BEGIN_SRC shell
+ doas sysctl net.inet.ip.forwarding=1
+ #+END_SRC
+
+ We're also going to want to make this option persistent, so it
+ remains even after rebooting. To do this we add the option to our
+ [[https://man.openbsd.org/man5/sysctl.conf.5][=sysctl.conf(5)=]], which re-applies =sysctl= options on boot.
+
+ #+BEGIN_SRC shell
+ doas sh -c 'echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf'
+ #+END_SRC
+
+ This can of course also be done with a text editor like =vi= or
+ =mg=.
+
+ Setting =net.inet.ip.forwarding= to =1= tells the kernel to
+ forward any packets it receives that aren't destined for any of its
+ interfaces according to its routing table and firewall rules.