-rw-r--r-- | content/posts/openbsd-vpn-gateway/index.org | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org index c961f82..0fff8d7 100644 --- a/content/posts/openbsd-vpn-gateway/index.org +++ b/content/posts/openbsd-vpn-gateway/index.org @@ -339,3 +339,20 @@ =192.168.0.0/24=. - =to any= Packets with any destination. + + - =nat-to ($vpn_if)= Translate the IP addresses on the matched + packets to the address on =$vpn_if=. In this case =$vpn_if= + evaluates to =tun0=. + + Notice that =($vpn_if)= is in parentheses. This tells pf to + re-evaluate the rule when the status of =$vpn_if= + changes. Without this, if the VPN has to restart, and the + interface gets created and destroyed by OpenVPN, or of OpenVPN + starts after pf, the entire firewall configuration would have to + be manually reloaded. + + With the parentheses, this rule will get updated as =tun0= get + updated. This includes going created or destroyed, or even + changing IP addresses. This way it's possible to have OpenVPN + reconnect itself should the connection drop without any user + intervention. |
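Review bot: three wording errors in the added paragraphs of this hunk undercut an otherwise useful explanation and should be fixed before merging: "or of OpenVPN starts after pf" should read "or if OpenVPN starts after pf"; "This includes going created or destroyed" should read "This includes being created or destroyed"; and "as =tun0= get updated" should read "as =tun0= gets updated". The phrase "re-evaluate the rule when the status of =$vpn_if= changes" would also be clearer if it said what the parentheses actually change, namely that pf resolves the interface's address at rule evaluation time instead of once when the ruleset is loaded, which is the property the last paragraph relies on when it says the rule tracks =tun0= through creation, destruction and address changes.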