From 0df61717570f217b83321d67ab94114732a435d4 Mon Sep 17 00:00:00 2001 From: Dante Catalfamo Date: Sun, 16 Aug 2020 22:00:23 -0400 Subject: gateway: describe nat-to rule --- content/posts/openbsd-vpn-gateway/index.org | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'content') diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org index c961f82..0fff8d7 100644 --- a/content/posts/openbsd-vpn-gateway/index.org +++ b/content/posts/openbsd-vpn-gateway/index.org @@ -339,3 +339,20 @@ =192.168.0.0/24=. - =to any= Packets with any destination. + + - =nat-to ($vpn_if)= Translate the IP addresses on the matched + packets to the address on =$vpn_if=. In this case =$vpn_if= + evaluates to =tun0=. + + Notice that =($vpn_if)= is in parentheses. This tells pf to + re-evaluate the rule when the status of =$vpn_if= + changes. Without this, if the VPN has to restart, and the + interface gets created and destroyed by OpenVPN, or of OpenVPN + starts after pf, the entire firewall configuration would have to + be manually reloaded. + + With the parentheses, this rule will get updated as =tun0= get + updated. This includes going created or destroyed, or even + changing IP addresses. This way it's possible to have OpenVPN + reconnect itself should the connection drop without any user + intervention. -- cgit v1.2.3
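Review bot: Three typos in the added =nat-to= description will reach readers as-is: "or of OpenVPN starts after pf" should read "or if OpenVPN starts after pf"; "as =tun0= get updated" should read "as =tun0= gets updated"; and "This includes going created or destroyed" should read "This includes being created or destroyed". The second paragraph would also be clearer if it stated the mechanism in one sentence before the consequences, for example "Parentheses make pf look up the interface's address each time the rule is evaluated, instead of fixing it when the ruleset is loaded", since that is the property the two following paragraphs (surviving interface recreation, following address changes, no manual reload) depend on.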