-rw-r--r--  content/posts/openbsd-vpn-gateway/index.org  10
1 files changed, 5 insertions, 5 deletions
diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org
index bea94c1..c961f82 100644
--- a/content/posts/openbsd-vpn-gateway/index.org
+++ b/content/posts/openbsd-vpn-gateway/index.org
@@ -314,23 +314,23 @@
us/ out on our external interface, this will allow OpenVPN to
communicate with the VPN server without us having to worry about
accidentally passing forwarded traffic to the open internet
- outside of the VPN connection, should OpenVPN ever die. =self=
+ outside of the VPN connection, should OpenVPN ever fail. =self=
expands to all IPs belonging to interfaces on our host machine.
- =match out on $vpn_if from $ext_if:network to any nat-to
($vpn_if)= This is a big rule, let's break it down into smaller pieces.
- - =match= A [[https://man.openbsd.org/OpenBSD-6.7/pf.conf.5#match][match]] rule is usually used to either transform or tag
+ - =match= A [[https://man.openbsd.org/OpenBSD-6.7/pf.conf.5#match][match]] rule is usually used to either apply options to
a packet. It does not block or pass a packet itself, but lets pf
know how to handle a packet once it is blocked or passed. Unlike
=block= or =pass= rules, a single packet can match many =match=
rules, and have them all apply.
- =out on $vpn_if from $ext_if:network to any= This tells the
- =match= command which packets it should apply its action to.
+ =match= command which packets it should apply the option to.
- - =on $vpn_if= Packets going out on =$vpn_if= (which gets
- evaluated to =vio0=).
+ - =on $vpn_if= Packets going out on =$vpn_if=, which gets
+ evaluated to =tun0=.
- =from $ext_if:network= Packets coming from
=$ext_if:network=. Since =$ext_if= gets evaluated to =vio0=,
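Review bot: the rewritten line "+ - =match= A [[...][match]] rule is usually used to either apply options to" leaves a dangling "either" now that the "or tag" half of the original sentence is gone, so the item reads "either apply options to a packet" with nothing to pair it with. Suggest dropping the word: "A match rule is used to apply options to a packet." The =vio0= to =tun0= correction for =$vpn_if= a few lines further down is right and worth keeping: the unchanged context line that follows already states that =$ext_if= evaluates to =vio0=, so before this change the post had both variables resolving to the same interface, which contradicted the NAT rule it was explaining.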