| -rw-r--r-- | content/posts/openbsd-vpn-gateway/index.org | 42 | 
1 files changed, 37 insertions, 5 deletions
| diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org index efb1208..ea3fdf9 100644 --- a/content/posts/openbsd-vpn-gateway/index.org +++ b/content/posts/openbsd-vpn-gateway/index.org @@ -264,7 +264,7 @@    vpn_if = "tun0"    pass in on $ext_if -  pass out on $ext_if from self # ($ext_if) +  pass out on $ext_if from self    match out on $vpn_if from $ext_if:network to any nat-to ($vpn_if)    pass out on $vpn_if @@ -277,12 +277,12 @@    afterwards and is not blocked again, the packet is allowed through,    and vice versa. -  - =set skip on lo= Do not evaluate traffic coming over [[https://man.openbsd.org/man4/lo.4][loopback]] +  - =set skip on lo= [[https://man.openbsd.org/OpenBSD-6.7/pf.conf.5#set~14][Do not filter]] traffic coming over [[https://man.openbsd.org/man4/lo.4][loopback]]      devices, this is a default rule and we can leave it. -  - =block return= Block any packet that doesn't match any =pass= +  - =block return= [[https://man.openbsd.org/man5/pf.conf.5#block][Block]] any packet that doesn't match any =pass=      rule. The =return= tells pf to block packets, but issue a =TCP -    RST= for TCP packets, and =ICMP UNREACHABLE= for ICMP packets, +    RST= for [[https://en.wikipedia.org/wiki/Transmission_Control_Protocol][TCP]] packets, and =ICMP UNREACHABLE= for [[https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol][ICMP]] packets,      instead of just dropping them.    - =# pass= This rule is commented out, but left in for illustrative 
@@ -304,4 +304,36 @@      name. This is done so we only have to set the name of the      interface in one place, should we ever need to change it. -  - +  - =vpn_if = "tun0"= This is similar to the rule above, except for +    the VPN tunnel interface. + +  - =pass in on $ext_if= [[https://man.openbsd.org/OpenBSD-6.7/pf.conf.5#pass][Pass]] all traffic coming in on our external +    interface. This is how we receive traffic from the network. + +  - =pass out on $ext_if from self= Pass all traffic /originating from +    us/ out on our external interface, this will allow OpenVPN to +    communicate with the VPN server without us having to worry about +    accidentally passing forwarded traffic to the open internet +    outside of the VPN connection, should OpenVPN ever die. =self= +    expands to all IPs belonging to interfaces on our host machine. + +  - =match out on $vpn_if from $ext_if:network to any nat-to +    ($vpn_if)= This is a big rule, let's break it down into smaller pieces. + +    - =match= A [[https://man.openbsd.org/OpenBSD-6.7/pf.conf.5#match][match]] rule is usually used to either transform or tag +      a packet. It does not block or pass a packet itself, but lets pf +      know how to handle a packet once it is blocked or passed. Unlike +      =block= or =pass= rules, a single packet can match many =match= +      rules, and have them all apply. + +    - =out on $vpn_if from $ext_if:network to any= This tells the +      =match= command which packets it should apply its action to. + +      - =on $vpn_if= Packets going out on =$vpn_if= (which gets +        evaluated to =vio0=). + +      - =from $ext_if:network= Packets coming from +        =$ext_if:network=. Since =$ext_if= gets evaluated to =vio0=, +        it becomes =vio0:network=. [[https://man.openbsd.org/OpenBSD-6.7/pf.conf.5#:network][=:network=]] evaluates to the network +        attached to an interface. In our case, it translates to +        =192.168.0.0/24=. | 
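Review bot: In the first hunk (@@ -264,7), dropping the `# ($ext_if)` comment from `pass out on $ext_if from self` also drops the only hint that a narrower form exists. As the third hunk's own explanation says, =self= expands to the addresses of every interface on the host, which includes =tun0= once the tunnel is up, whereas `($ext_if)` restricts the rule to the external interface's own addresses and follows them if they change. If =self= is the intended scope, state that choice in the explanation; otherwise consider `pass out on $ext_if from ($ext_if)`.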
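Review bot: In the second hunk (@@ -277,12), the rewritten =block return= line still says =ICMP UNREACHABLE= is issued "for ICMP packets"; pf.conf(5) documents `return` as sending a TCP RST for TCP packets and an ICMP UNREACHABLE for UDP and other packets, so the sentence should read "and =ICMP UNREACHABLE= for UDP and other packets". The new links also mix a version-pinned URL with a numbered anchor (OpenBSD-6.7/pf.conf.5#set~14, which can shift between releases) and the unpinned man5/pf.conf.5#block; pick one form for the whole list.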
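Review bot: In the third hunk (@@ -304,4), the sub-bullet `=on $vpn_if=` says the macro "gets evaluated to =vio0=", but the macro added just above is `vpn_if = "tun0"` and =vio0= is the value of =$ext_if=; change it to =tun0=. The breakdown of the =match= rule also ends after the `=from $ext_if:network=` sub-bullet, so `to any` and `nat-to ($vpn_if)` are announced as parts of the rule but never explained; add sub-bullets for those two pieces so the list matches the rule it is dissecting.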
