Diffstat (limited to 'content/posts/openbsd-vpn-gateway')
-rw-r--r--  content/posts/openbsd-vpn-gateway/index.org | 123
1 file changed, 71 insertions, 52 deletions
diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org
index 1b07a26..c581f4c 100644
--- a/content/posts/openbsd-vpn-gateway/index.org
+++ b/content/posts/openbsd-vpn-gateway/index.org
@@ -1,5 +1,5 @@
#+TITLE: Creating a VPN Gateway with OpenBSD 6.7
-#+DATE: 2020-07-11T13:48:25-04:00
+#+DATE: 2020-08-16T16:35:47-04:00
#+DRAFT: true
#+DESCRIPTION:
#+TAGS[]: openbsd openvpn
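Review bot: the date bump leaves `#+DRAFT: true` and an empty `#+DESCRIPTION:` in place. If this revision is meant to publish the post, flip the draft flag and fill in the description in the same change; otherwise the date will need bumping again at publication and this hunk is noise.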
@@ -200,72 +200,91 @@
This should output your current external IP address, which should
belong to your VPN provider.
-** sysctl
- OpenVPN should have already reconfigured the our routing table to
- send all of our traffic over the VPN connection, but how do we pass
- incoming traffic through it?
+* sysctl
+ OpenVPN should have already reconfigured the our routing table to
+ send all of our traffic over the VPN connection, but how do we pass
+ incoming traffic through it?
- The first step is to allow the kernel to forward IP packets
- destined for other hosts. To set this option in the kernel we use
- the [[https://man.openbsd.org/man8/sysctl.8][=sysctl(8)=]] command.
+ The first step is to allow the kernel to forward IP packets
+ destined for other hosts. To set this option in the kernel we use
+ the [[https://man.openbsd.org/man8/sysctl.8][=sysctl(8)=]] command.
- #+BEGIN_SRC shell
- doas sysctl net.inet.ip.forwarding=1
- #+END_SRC
+ #+BEGIN_SRC shell
+ doas sysctl net.inet.ip.forwarding=1
+ #+END_SRC
- We're also going to want to make this option persistent, so it
- remains even after rebooting. To do this we add the option to our
- [[https://man.openbsd.org/man5/sysctl.conf.5][=sysctl.conf(5)=]], which re-applies =sysctl= options on boot.
+ We're also going to want to make this option persistent, so it
+ remains even after rebooting. To do this we add the option to our
+ [[https://man.openbsd.org/man5/sysctl.conf.5][=sysctl.conf(5)=]], which re-applies =sysctl= options on boot.
- #+BEGIN_SRC shell
- doas sh -c 'echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf'
- #+END_SRC
+ #+BEGIN_SRC shell
+ doas sh -c 'echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf'
+ #+END_SRC
- This can of course also be done with a text editor like =vi= or
- =mg=.
+ This can of course also be done with a text editor like =vi= or
+ =mg=.
- Setting =net.inet.ip.forwarding= to =1= tells the kernel to
- forward any packets it receives that aren't destined for any of its
- interfaces according to its routing table and firewall rules.
+ Setting =net.inet.ip.forwarding= to =1= tells the kernel to
+ forward any packets it receives that aren't destined for any of its
+ interfaces according to its routing table and firewall rules.
-** PF
- At this point, we're forwarding the incoming packets out the VPN
- tunnel, but they have no method to find their way back to us. This
- is because when we're forwarding them, they still have their LAN
- (Local Area Network) IP addresses (=192.168.X.X=) as the sender
- address. In order for these to successfully traverse the internet,
- they're going to need a WAN (Wide Area Network) address. That's
- what you might call an external IP.
+* PF
+ At this point, we're forwarding the incoming packets out the VPN
+ tunnel, but they have no method to find their way back to us. This
+ is because when we're forwarding them, they still have their LAN
+ (Local Area Network) IP addresses (=192.168.0.X=) as the sender
+ address. In order for these to successfully traverse the internet,
+ they're going to need a WAN (Wide Area Network) address. That's
+ what you might call an external IP.
- To accomplish this, we use something called a NAT (Network Address
- Translation). This allows us to map many local (LAN), IP
- addresses to a single external (WAN) IP address. We do this using
- OpenBSD's firewall, PF.
+ To accomplish this, we use something called a NAT (Network Address
+ Translation). This allows us to map many local (LAN), IP
+ addresses to a single external (WAN) IP address. We do this using
+ OpenBSD's firewall, PF.
- This is what our new [[http://man.openbsd.org/man5/pf.conf.5][=pf.conf(5)=]] will look like.
+ This is what our new [[http://man.openbsd.org/man5/pf.conf.5][=pf.conf(5)=]] will look like.
- #+BEGIN_SRC c
- set skip on lo
+ #+BEGIN_SRC c
+ set skip on lo
- block return # block stateless traffic
+ block return # block stateless traffic
+ # pass # establish keep-state
- # By default, do not permit remote connections to X11
- block return in on ! lo0 proto tcp to port 6000:6010
+ # By default, do not permit remote connections to X11
+ block return in on ! lo0 proto tcp to port 6000:6010
- # Port build user does not need network
- block return out log proto {tcp udp} user _pbuild
+ # Port build user does not need network
+ block return out log proto {tcp udp} user _pbuild
- #####################################
- # VPN
- #####################################
+ #####################################
+ # VPN
+ #####################################
- ext_if = "vio0"
+ ext_if = "vio0"
- pass in on $ext_if
- pass out on $ext_if from self # ($ext_if)
+ pass in on $ext_if
+ pass out on $ext_if from self # ($ext_if)
- match out on tun0 from $ext_if:network to any nat-to (tun0)
- pass out on tun0
- #+END_SRC
+ match out on tun0 from $ext_if:network to any nat-to (tun0)
+ pass out on tun0
+ #+END_SRC
- Let's go through this line by line to see what's going on.
+ Let's go through this line by line to see what's going
+ on. Something that's important to note with pf is that the last
+ matching rule determines the fate of a packet. This means that if a
+ packet matches a =block= rule, but then matches a =pass= rule
+ afterwards and is not blocked again, the packet is allowed through,
+ and vice versa.
+
+ - =set skip on lo= Do not evaluate traffic coming over [[https://man.openbsd.org/man4/lo.4][loopback]]
+ devices, this is a default rule and we can leave it.
+
+ - =block return= Block any packet that doesn't match any =pass=
+ rule. The =return= tells pf to block packets, but issue a =TCP
+ RST= for TCP packets, and =ICMP UNREACHABLE= for ICMP packets,
+ instead of just dropping them.
+
+ - =# pass= This rule is commented out, but left in for illustrative
+ purposes. The default =pf.conf= passes any traffic that isn't
+ explicitly blocked. By commenting this line out we are inverting
+ that. Everything is blocked unless we explicitly pass it.
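Review bot: the new `block return` bullet misstates what `return` does. Per pf.conf(5), a `block return` rule sends a TCP RST for blocked TCP packets and an ICMP UNREACHABLE for blocked UDP packets; all other packets, ICMP included, are silently dropped. Reword the bullet to "TCP RST for TCP, ICMP UNREACHABLE for UDP, everything else dropped". Two smaller points in the same hunk: the added paragraph on "last matching rule wins" should mention that `quick` rules short-circuit evaluation, since readers copying examples from the PF FAQ will hit that; and `pass in on $ext_if` passes anything arriving on vio0 with no source restriction, even though the `match ... nat-to (tun0)` line right below only expects `$ext_if:network`. Restricting it to `pass in on $ext_if from $ext_if:network` keeps the gateway from forwarding traffic it never intended to, and the dangling `# ($ext_if)` comment on the following `pass out` line looks like a leftover that should go.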