From bb7168a3bd9aa8246de9f21a7f4e8e026d721189 Mon Sep 17 00:00:00 2001
From: Dante Catalfamo
Date: Sun, 16 Aug 2020 17:46:14 -0400
Subject: gateway: write more, add wikipedia and openbsd man links

---
 content/posts/openbsd-vpn-gateway/index.org | 42 +++++++++++++++++++++++++----
 1 file changed, 37 insertions(+), 5 deletions(-)

(limited to 'content')

diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org
index efb1208..ea3fdf9 100644
--- a/content/posts/openbsd-vpn-gateway/index.org
+++ b/content/posts/openbsd-vpn-gateway/index.org
@@ -264,7 +264,7 @@
   vpn_if = "tun0"
 
   pass in on $ext_if
-  pass out on $ext_if from self # ($ext_if)
+  pass out on $ext_if from self
 
   match out on $vpn_if from $ext_if:network to any nat-to ($vpn_if)
   pass out on $vpn_if
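Review bot: dropping the `# ($ext_if)` alternative commits the rule to `from self`, and the two are not interchangeable: `self` expands to the addresses assigned to every interface on the host, including `tun0` and `lo`, whereas `($ext_if)` would cover only the addresses currently on `vio0`, re-read by pf at runtime. For the stated goal (only traffic originating on the gateway may leave via the external interface, never forwarded LAN traffic) `self` is sufficient, since forwarded packets from `$ext_if:network` carry LAN source addresses and fall through to `block return`; but `pass out on $ext_if from ($ext_if)` is the tighter form and would also stop anything sourced from the tunnel address leaving `vio0` in the clear. Either keep the narrower rule or add a comment saying why `self` was chosen.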
@@ -277,12 +277,12 @@
   afterwards and is not blocked again, the packet is allowed through,
   and vice versa.
 
-  - =set skip on lo= Do not evaluate traffic coming over [[https://man.openbsd.org/man4/lo.4][loopback]]
+  - =set skip on lo= [[https://man.openbsd.org/OpenBSD-6.7/pf.conf.5#set~14][Do not filter]] traffic coming over [[https://man.openbsd.org/man4/lo.4][loopback]]
     devices, this is a default rule and we can leave it.
 
-  - =block return= Block any packet that doesn't match any =pass=
+  - =block return= [[https://man.openbsd.org/man5/pf.conf.5#block][Block]] any packet that doesn't match any =pass=
     rule. The =return= tells pf to block packets, but issue a =TCP
-    RST= for TCP packets, and =ICMP UNREACHABLE= for ICMP packets,
+    RST= for [[https://en.wikipedia.org/wiki/Transmission_Control_Protocol][TCP]] packets, and =ICMP UNREACHABLE= for [[https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol][ICMP]] packets,
     instead of just dropping them.
 
   - =# pass= This rule is commented out, but left in for illustrative
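Review bot: the `return` explanation on the `+` line is inaccurate: pf.conf(5) documents `block return` as sending a TCP RST for blocked TCP packets and an ICMP UNREACHABLE for blocked UDP packets, with no response for other protocols, so "=ICMP UNREACHABLE= for ICMP packets" should read "for UDP packets". The added links also mix the release-pinned `OpenBSD-6.7/pf.conf.5#set~14` form with the unpinned `man5/pf.conf.5#block` and `man4/lo.4` forms; pick one style, and note that the `#set~14` anchor (the 14th occurrence of the word on the page) is the most fragile of them and will silently point elsewhere if the manual page is edited.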
@@ -304,4 +304,36 @@
     name. This is done so we only have to set the name of the
     interface in one place, should we ever need to change it.
 
-  -
+  - =vpn_if = "tun0"= This is similar to the rule above, except for
+    the VPN tunnel interface.
+
+  - =pass in on $ext_if= [[https://man.openbsd.org/OpenBSD-6.7/pf.conf.5#pass][Pass]] all traffic coming in on our external
+    interface. This is how we receive traffic from the network.
+
+  - =pass out on $ext_if from self= Pass all traffic /originating from
+    us/ out on our external interface, this will allow OpenVPN to
+    communicate with the VPN server without us having to worry about
+    accidentally passing forwarded traffic to the open internet
+    outside of the VPN connection, should OpenVPN ever die. =self=
+    expands to all IPs belonging to interfaces on our host machine.
+
+  - =match out on $vpn_if from $ext_if:network to any nat-to
+    ($vpn_if)= This is a big rule, let's break it down into smaller pieces.
+
+    - =match= A [[https://man.openbsd.org/OpenBSD-6.7/pf.conf.5#match][match]] rule is usually used to either transform or tag
+      a packet. It does not block or pass a packet itself, but lets pf
+      know how to handle a packet once it is blocked or passed. Unlike
+      =block= or =pass= rules, a single packet can match many =match=
+      rules, and have them all apply.
+
+    - =out on $vpn_if from $ext_if:network to any= This tells the
+      =match= command which packets it should apply its action to.
+
+      - =on $vpn_if= Packets going out on =$vpn_if= (which gets
+        evaluated to =vio0=).
+
+      - =from $ext_if:network= Packets coming from
+        =$ext_if:network=. Since =$ext_if= gets evaluated to =vio0=,
+        it becomes =vio0:network=. [[https://man.openbsd.org/OpenBSD-6.7/pf.conf.5#:network][=:network=]] evaluates to the network
+        attached to an interface. In our case, it translates to
+        =192.168.0.0/24=.
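Review bot: the expansion under `on $vpn_if` is wrong: `vpn_if` is defined as `"tun0"` at the top of the listing, so "(which gets evaluated to =vio0=)" should say `tun0`; as written it contradicts the `from $ext_if:network` bullet just below, which correctly expands `$ext_if` to `vio0`. Two smaller points: the `match` description says its options apply "once it is blocked or passed", but pf.conf(5) applies `nat-to` from a `match` rule only when the packet is ultimately passed, never to a blocked packet; and the breakdown of the big rule stops after `from $ext_if:network`, leaving `to any` and `nat-to ($vpn_if)` (the part that actually rewrites the source address, with the parentheses telling pf to re-read `tun0`'s address whenever it changes) unexplained. The `pass out on $ext_if from self` bullet would also be clearer if it said that `self` includes the `tun0` and loopback addresses, not only those on `vio0`.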
-- 
cgit v1.2.3