From d69a1482c9c27c2f285153391b97209891e97786 Mon Sep 17 00:00:00 2001 From: Dante Catalfamo Date: Sun, 16 Aug 2020 22:07:57 -0400 Subject: gateway: Make correction to pf rules section --- content/posts/openbsd-vpn-gateway/index.org | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org index 0fff8d7..e2bcf9b 100644 --- a/content/posts/openbsd-vpn-gateway/index.org +++ b/content/posts/openbsd-vpn-gateway/index.org @@ -346,13 +346,14 @@ Notice that =($vpn_if)= is in parentheses. This tells pf to re-evaluate the rule when the status of =$vpn_if= - changes. Without this, if the VPN has to restart, and the - interface gets created and destroyed by OpenVPN, or of OpenVPN - starts after pf, the entire firewall configuration would have to - be manually reloaded. + changes. Without this, if the VPN has to restart, and OpenVPN + gets assigned a new IP, the entire firewall configuration would + have to be manually reloaded. Even worse, if OpenVPN starts + after pf and there was no IP assigned to =tun0=, the rule set + would fail to load. With the parentheses, this rule will get updated as =tun0= get - updated. This includes going created or destroyed, or even - changing IP addresses. This way it's possible to have OpenVPN - reconnect itself should the connection drop without any user - intervention. + updated. This way pf is always using the IP address currently + assigned to the interface, even if it changes. + + - =pass out on $vpn_if= Pass packets out on the OpenVPN interface. -- cgit v1.2.3
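Review bot: the rewritten paragraph still carries the grammar slip from the old text, and the hunk also adds two stray blank lines. In the replacement lines, "this rule will get updated as =tun0= get updated" should read "gets updated" (or "as the address on =tun0= changes", which also avoids saying "updated" twice in one sentence), and "if OpenVPN starts after pf and there was no IP assigned to =tun0=" mixes tenses; "there is no IP assigned" matches the surrounding present-tense conditional. The two added "+" lines before "- =pass out on $vpn_if=" introduce a double blank line inside the list; the rest of this list in the hunk separates items with a single blank line, so one of the two should go. Suggested replacement for the sentence:

"With the parentheses, this rule is updated whenever the address on =tun0= changes. This way pf is always using the IP address currently assigned to the interface."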