Diffstat (limited to 'content')
-rw-r--r-- | content/posts/openbsd-vpn-gateway/index.org | 123
1 files changed, 71 insertions, 52 deletions
diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org index 1b07a26..c581f4c 100644 --- a/content/posts/openbsd-vpn-gateway/index.org +++ b/content/posts/openbsd-vpn-gateway/index.org @@ -1,5 +1,5 @@ #+TITLE: Creating a VPN Gateway with OpenBSD 6.7 -#+DATE: 2020-07-11T13:48:25-04:00 +#+DATE: 2020-08-16T16:35:47-04:00 #+DRAFT: true #+DESCRIPTION: #+TAGS[]: openbsd openvpn 
@@ -200,72 +200,91 @@ This should output your current external IP address, which should belong to your VPN provider. -** sysctl - OpenVPN should have already reconfigured the our routing table to - send all of our traffic over the VPN connection, but how do we pass - incoming traffic through it? +* sysctl + OpenVPN should have already reconfigured the our routing table to + send all of our traffic over the VPN connection, but how do we pass + incoming traffic through it? - The first step is to allow the kernel to forward IP packets - destined for other hosts. To set this option in the kernel we use - the [[https://man.openbsd.org/man8/sysctl.8][=sysctl(8)=]] command. + The first step is to allow the kernel to forward IP packets + destined for other hosts. To set this option in the kernel we use + the [[https://man.openbsd.org/man8/sysctl.8][=sysctl(8)=]] command. - #+BEGIN_SRC shell - doas sysctl net.inet.ip.forwarding=1 - #+END_SRC + #+BEGIN_SRC shell + doas sysctl net.inet.ip.forwarding=1 + #+END_SRC - We're also going to want to make this option persistent, so it - remains even after rebooting. To do this we add the option to our - [[https://man.openbsd.org/man5/sysctl.conf.5][=sysctl.conf(5)=]], which re-applies =sysctl= options on boot. + We're also going to want to make this option persistent, so it + remains even after rebooting. To do this we add the option to our + [[https://man.openbsd.org/man5/sysctl.conf.5][=sysctl.conf(5)=]], which re-applies =sysctl= options on boot. - #+BEGIN_SRC shell - doas sh -c 'echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf' - #+END_SRC + #+BEGIN_SRC shell + doas sh -c 'echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf' + #+END_SRC - This can of course also be done with a text editor like =vi= or - =mg=. + This can of course also be done with a text editor like =vi= or + =mg=. 
- Setting =net.inet.ip.forwarding= to =1= tells the kernel to - forward any packets it receives that aren't destined for any of its - interfaces according to its routing table and firewall rules. + Setting =net.inet.ip.forwarding= to =1= tells the kernel to + forward any packets it receives that aren't destined for any of its + interfaces according to its routing table and firewall rules. -** PF - At this point, we're forwarding the incoming packets out the VPN - tunnel, but they have no method to find their way back to us. This - is because when we're forwarding them, they still have their LAN - (Local Area Network) IP addresses (=192.168.X.X=) as the sender - address. In order for these to successfully traverse the internet, - they're going to need a WAN (Wide Area Network) address. That's - what you might call an external IP. +* PF + At this point, we're forwarding the incoming packets out the VPN + tunnel, but they have no method to find their way back to us. This + is because when we're forwarding them, they still have their LAN + (Local Area Network) IP addresses (=192.168.0.X=) as the sender + address. In order for these to successfully traverse the internet, + they're going to need a WAN (Wide Area Network) address. That's + what you might call an external IP. - To accomplish this, we use something called a NAT (Network Address - Translation). This allows us to map many local (LAN), IP - addresses to a single external (WAN) IP address. We do this using - OpenBSD's firewall, PF. + To accomplish this, we use something called a NAT (Network Address + Translation). This allows us to map many local (LAN), IP + addresses to a single external (WAN) IP address. We do this using + OpenBSD's firewall, PF. - This is what our new [[http://man.openbsd.org/man5/pf.conf.5][=pf.conf(5)=]] will look like. + This is what our new [[http://man.openbsd.org/man5/pf.conf.5][=pf.conf(5)=]] will look like. 
- #+BEGIN_SRC c - set skip on lo + #+BEGIN_SRC c + set skip on lo - block return # block stateless traffic + block return # block stateless traffic + # pass # establish keep-state - # By default, do not permit remote connections to X11 - block return in on ! lo0 proto tcp to port 6000:6010 + # By default, do not permit remote connections to X11 + block return in on ! lo0 proto tcp to port 6000:6010 - # Port build user does not need network - block return out log proto {tcp udp} user _pbuild + # Port build user does not need network + block return out log proto {tcp udp} user _pbuild - ##################################### - # VPN - ##################################### + ##################################### + # VPN + ##################################### - ext_if = "vio0" + ext_if = "vio0" - pass in on $ext_if - pass out on $ext_if from self # ($ext_if) + pass in on $ext_if + pass out on $ext_if from self # ($ext_if) - match out on tun0 from $ext_if:network to any nat-to (tun0) - pass out on tun0 - #+END_SRC + match out on tun0 from $ext_if:network to any nat-to (tun0) + pass out on tun0 + #+END_SRC - Let's go through this line by line to see what's going on. + Let's go through this line by line to see what's going + on. Something that's important to note with pf is that the last + matching rule determines the fate of a packet. This means that if a + packet matches a =block= rule, but then matches a =pass= rule + afterwards and is not blocked again, the packet is allowed through, + and vice versa. + + - =set skip on lo= Do not evaluate traffic coming over [[https://man.openbsd.org/man4/lo.4][loopback]] + devices, this is a default rule and we can leave it. + + - =block return= Block any packet that doesn't match any =pass= + rule. The =return= tells pf to block packets, but issue a =TCP + RST= for TCP packets, and =ICMP UNREACHABLE= for ICMP packets, + instead of just dropping them. 
+ + - =# pass= This rule is commented out, but left in for illustrative + purposes. The default =pf.conf= passes any traffic that isn't + explicitly blocked. By commenting this line out we are inverting + that. Everything is blocked unless we explicitly pass it. |
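Review bot: in the new pf.conf listing the rule `block return in on ! lo0 proto tcp to port 6000:6010` sits above `pass in on $ext_if`, so by the last-match semantics this same hunk explains, inbound X11 on vio0 is passed, not blocked; move the X11 block below the pass rules (where the stock OpenBSD pf.conf keeps it) or add `quick` to it. The same unrestricted `pass in on $ext_if` also undercuts the walkthrough's claim that "Everything is blocked unless we explicitly pass it": it admits any inbound packet on vio0 regardless of source, and `pass in on $ext_if from $ext_if:network` would state the intended LAN-only forwarding explicitly and leave the rest to `block return`. The `block return` bullet is wrong about ICMP: per pf.conf(5), `return` sends a TCP RST for blocked TCP packets and an ICMP UNREACHABLE for blocked UDP packets, and all other packets (ICMP included) are silently dropped, so "for ICMP packets" should read "for UDP packets". Two smaller points: the moved sentence still reads "reconfigured the our routing table", and the pf.conf block is tagged `#+BEGIN_SRC c` when `conf` fits the file.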