| -rw-r--r-- | content/posts/openbsd-vpn-gateway/index.org | 17 | 
1 files changed, 9 insertions, 8 deletions
| diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org index 0fff8d7..e2bcf9b 100644 --- a/content/posts/openbsd-vpn-gateway/index.org +++ b/content/posts/openbsd-vpn-gateway/index.org @@ -346,13 +346,14 @@        Notice that =($vpn_if)= is in parentheses. This tells pf to        re-evaluate the rule when the status of =$vpn_if= -      changes. Without this, if the VPN has to restart, and the -      interface gets created and destroyed by OpenVPN, or of OpenVPN -      starts after pf, the entire firewall configuration would have to -      be manually reloaded. +      changes. Without this, if the VPN has to restart, and OpenVPN +      gets assigned a new IP, the entire firewall configuration would +      have to be manually reloaded. Even worse, if OpenVPN starts +      after pf and there was no IP assigned to =tun0=, the rule set +      would fail to load.        With the parentheses, this rule will get updated as =tun0= get -      updated. This includes going created or destroyed, or even -      changing IP addresses. This way it's possible to have OpenVPN -      reconnect itself should the connection drop without any user -      intervention. +      updated. This way pf is always using the IP address currently +      assigned to the interface, even if it changes. + +  - =pass out on $vpn_if= Pass packets out on the OpenVPN interface. | 
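Review bot: "re-evaluate the rule when the status of =$vpn_if= changes" should say address rather than status: what the parentheses change in pf is that the interface's address is looked up when the rule is evaluated instead of being expanded once when the ruleset is loaded, and "status" reads as link state. The new example sentence about pf refusing to load when =tun0= has no address yet is the right failure mode to call out (pfctl reports that no IP address was found for the interface), but "there was no IP assigned" should be "there is no IP assigned" to match the tense of the rest of the paragraph. The new bullet "=pass out on $vpn_if=" appears right after this explanation but uses the macro without parentheses, which is correct because =on= matches by interface name; a short clause saying that parentheses are only needed where the interface stands in for an address (=from=, =to=, =nat-to=) would stop readers from "fixing" that rule. Since the hunk already touches this paragraph, the unchanged context line "as =tun0= get updated" could become "gets updated".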
