author | Dante Catalfamo | 2020-08-28 17:17:06 -0400 |
---|---|---|
committer | Dante Catalfamo | 2020-08-28 17:17:06 -0400 |
commit | c6b8911e7f9eda933b683fb11397b3d37a6d9311 (patch) | |
tree | bedabe5592b610582f49fd4159100f0befbfb8a5 /content | |
parent | 17bfdc179295741982c21aa2d14353c88fbca5af (diff) | |
download | blog-c6b8911e7f9eda933b683fb11397b3d37a6d9311.tar.gz blog-c6b8911e7f9eda933b683fb11397b3d37a6d9311.tar.bz2 blog-c6b8911e7f9eda933b683fb11397b3d37a6d9311.zip |
vpn-gateway: more small corrections
Diffstat (limited to 'content')
-rw-r--r-- | content/posts/openbsd-vpn-gateway/index.org | 29 |
1 files changed, 14 insertions, 15 deletions
diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org index 41cd60c..9d5bcd2 100644 --- a/content/posts/openbsd-vpn-gateway/index.org +++ b/content/posts/openbsd-vpn-gateway/index.org @@ -185,8 +185,8 @@ ** rcctl We can now set the OpenVPN daemon to launch at boot with our - modified profile using =rcctl=. =rcctl= is a tool that comes with - OpenBSD which modifies =/etc/rc.conf.local= on our behalf to + modified profile using [[https://man.openbsd.org/man8/rcctl.8][=rcctl(8)=]]. =rcctl= is a tool that comes + with OpenBSD which modifies =/etc/rc.conf.local= on our behalf to ensure it's done properly. The use of =rcctl= is not strictly required, but highly recommended. @@ -201,15 +201,14 @@ - =rcctl set openvpn flags --config /root/profile.ovpn= sets the launch flags for =openvpn= to =--config /root/profile.ovpn=. This - is an OpenVPN option that tells it to load its config from - =/root/profile.ovpn=. + is an OpenVPN option that tells it to load our config. - =rcctl start openvpn= starts the =openvpn= daemon. If things are configured correctly, we should now see a =tun= - device in our =ifconfig=, and our traffic should be going through - the VPN. To check this we can make a request to a service like - https://icanhazip.com or https://ifconfig.so using the =ftp= + device in our =ifconfig= output, and our traffic should be going + through the VPN. To check this we can make a request to a service + like https://icanhazip.com or https://ifconfig.so using the =ftp= command. #+BEGIN_SRC shell @@ -218,7 +217,7 @@ It should output an IP that belongs to our VPN provider. - We can also check =/var/log/daemon= to check that OpenVPN is + We can also look at =/var/log/daemon= to check that OpenVPN is outputting logs. OpenVPN should have already reconfigured the our routing table to 
@@ -257,7 +256,8 @@ a single external (WAN) IP address. We do this using OpenBSD's firewall, PF. - This is what our new [[http://man.openbsd.org/man5/pf.conf.5][=pf.conf(5)=]] will look like. + To modify the behaviour of PF, we edit our system's + [[http://man.openbsd.org/man5/pf.conf.5][=pf.conf(5)=]]. This is what it will look like. #+BEGIN_SRC c set skip on lo @@ -312,8 +312,7 @@ - =block return out log proto {tcp udp} user _pbuild= This is another default rule, left in for security reasons. It stops the - =_pbuild= user from accessing the internet. This is to stop ports - builds from accessing any resources online. + =_pbuild= user from accessing the internet. - =ext_if = "vio0"= We use this macro to set the external interface name. This is done so we only have to set the name of the @@ -343,7 +342,7 @@ rules, and have them all apply. - =out on $vpn_if from $ext_if:network to any= This tells the - =match= command which packets it should apply the option to. + =match= command which packets it should apply the option to: - =out on $vpn_if= Packets going out on =$vpn_if=, which gets evaluated to =tun0=. 
@@ -430,9 +429,9 @@ The situation for Linux servers is a bit more of a mess. As covered in the previously linked article, Ubuntu now likes to use the =netplan= framework, while others like Fedora may prefer =nmcli= as - stated in [[https://linuxconfig.org/how-to-configure-static-ip-address-on-fedora-31][this]] article, or =network-scripts= as states [[https://www.systutorials.com/how-to-set-the-static-ip-address-using-cli-in-fedoracentos-linux/][here]]. If you - take this path it's recommended you look into how it should be done - on your specific Linux distribution. + stated in [[https://linuxconfig.org/how-to-configure-static-ip-address-on-fedora-31][this]] article, or =network-scripts= as stated [[https://www.systutorials.com/how-to-set-the-static-ip-address-using-cli-in-fedoracentos-linux/][here]]. If you + wish to set this up on a Linux sever, it's recommended you look + into how it should be done on your specific Linux distribution. ** Containers/Jails Most graphical LXC container or Jail host software like [[https://www.proxmox.com/en/proxmox-ve][Proxmox-VE]] |
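Review bot: the new man-page link added in the @@ -185 hunk uses https://man.openbsd.org, while the pf.conf(5) link in the @@ -257 hunk below still points at http://man.openbsd.org/man5/pf.conf.5; use the https scheme for both so the two references are consistent.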
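Review bot: the verification step in the @@ -201 hunk ("make a request to a service like https://icanhazip.com or https://ifconfig.so using the =ftp= command") only confirms that outbound HTTPS leaves via the VPN provider's address, not where name resolution goes; one sentence saying that DNS should be checked separately (or pointed at the VPN's resolver) would make the check complete. The shortened "tells it to load our config" is fine since the previous bullet still names =/root/profile.ovpn=.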
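Review bot: the unchanged context line following the edit in the @@ -218 hunk still reads "OpenVPN should have already reconfigured the our routing table"; drop either "the" or "our" while this paragraph is being touched.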
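Review bot: the pf.conf listing that the @@ -257 hunk introduces is fenced as =#+BEGIN_SRC c=, but pf.conf(5) is not C; an untagged src block (or a =conf= tag) avoids C syntax highlighting mangling the PF rules in the rendered post.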
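Review bot: dropping "This is to stop ports builds from accessing any resources online." in the @@ -312 hunk leaves "left in for security reasons" with no stated reason; keep one clause explaining why the =_pbuild= user is blocked (it is the user ports are built as, and the rule keeps a build from reaching the network), since a reader deciding whether to keep that default rule needs the rationale.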
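Review bot: the @@ -430 hunk introduces a typo: "If you wish to set this up on a Linux sever" should read "Linux server".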