PF How to access local network when connected to VPN

I have a local network (192.168.1.0/24) facing interface: en0 with address 192.168.1.243.
When I am connected to the VPN, I also have the utun4 interface with address 10.19.20.5. The VPN also installs a second default route with this address as gateway (overriding the original one), and adds the I flag to my previous default route via 192.168.1.1. Because of this, all outgoing packets have 10.19.20.5 as source address and go out via the utun4 interface.

The default route cannot be changed or deleted when connected to the VPN, because it reverts almost immediately.

Code:
netstat -rn                                                    
Routing tables

Internet:
Destination        Gateway            Flags               Netif Expire
default            10.19.20.5         UGScg               utun4       
default            192.168.1.1        UGScIg                en0

My question is: which pf rules do I need to be able to access my local network? That is, packets destined to 192.168.1.0/24 should go out on the en0 interface with the source address of the en0 interface, and the reply packets should be routed back to the utun4 interface with the destination address of the utun4 interface.
 
When I am connected to the VPN
What VPN?

The VPN also installs a second default route with this address as gateway (overriding the original one), and adds the I flag to my previous default route via 192.168.1.1. Because of this, all outgoing packets have 10.19.20.5 as source address and go out via the utun4 interface.
Sure, that's probably the default. You can configure the VPN server NOT to do this though, that might be a better solution. But this depends on which VPN software (server and client) you're using.
 
this looks like a Mac
also you probably have a checkbox to only permit VPN traffic or something, otherwise the en0 route for 192.168.1.0/24 should still exist
 
What VPN?
It's the GlobalProtect VPN.
Sure, that's probably the default. You can configure the VPN server NOT to do this though, that might be a better solution. But this depends on which VPN software (server and client) you're using.
Unfortunately there is no option to configure anything on the client, that's why it needs to be done with the help of pf.
I could make packets reach hosts on the local network with the following rules:

Code:
nat on utun4 to 192.168.1.0/24 -> (en0)

pass out route-to en0 from (en0) to 192.168.1.0/24 keep state

but the replies have the en0 interface IP address as destination, so I guess they are discarded because they do not have the same destination address as the source address of the request packets.
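An added example, not from the original post, of how the translation and the route-to rule could be combined. It uses the interface names and addresses from the thread and assumes the older pf syntax (separate nat and filter sections) found on macOS; placing the nat rule on en0 rather than on utun4 is the assumption it tests, so verify it on your own system.

```pf
# Added example, not from the original post. Assumes the older pf syntax
# (separate nat and filter sections) used by macOS; verify on your system.
ext_if = "en0"          # LAN-facing interface, 192.168.1.243/24
vpn_if = "utun4"        # VPN tunnel interface, 10.19.20.5/32
lan    = "192.168.1.0/24"

# Translate packets that actually leave en0 toward the LAN so that their
# source becomes en0's own address. Putting the translation on en0 (the
# interface the packet leaves on) instead of on utun4 is the assumption here:
# the reply then arrives on en0 addressed to 192.168.1.243, matches this
# state, and is translated back to 10.19.20.5 before local delivery.
nat on $ext_if from ($vpn_if) to $lan -> ($ext_if)

# LAN-bound packets are first routed to utun4 by the VPN's default route;
# this rule overrides that decision and sends them out en0 instead.
pass out quick on $vpn_if route-to $ext_if from ($vpn_if) to $lan keep state

# Let the re-routed, translated packets leave on en0 and keep state for
# their replies.
pass out quick on $ext_if to $lan keep state
```

Parse the file first with `pfctl -vnf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and then inspect `pfctl -s state` while pinging a LAN host: the state for that flow should show 10.19.20.5 translated to 192.168.1.243 on en0. If the state still lists the untranslated source, the nat rule is not being applied on the interface the packet really leaves on.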
 
Double check your network mask. If your interface 192.168.1.243 has network mask /32 (255.255.255.255) then all requests will go to the router at 192.168.1.1 (default gateway). If your network mask is /24 (255.255.255.0) then anything in the range 192.168.1.1-192.168.1.254 will be reachable without using the router at 192.168.1.1 (assuming the other devices are in the same L2 with the correct network mask /24).
 
Double check your network mask. If your interface 192.168.1.243 has network mask /32 (255.255.255.255) then all requests will go to the router at 192.168.1.1 (default gateway). If your network mask is /24 (255.255.255.0) then anything in the range 192.168.1.1-192.168.1.254 will be reachable without using the router at 192.168.1.1 (assuming the other devices are in the same L2 with the correct network mask /24).
The en0 interface has /24 (other devices on the network have the same /24 and are on the same L2 as the en0 interface) and the utun4 interface has a /32 mask, so all packets going out from the computer go through this interface and have the source address of the utun interface.
 
Let me state something that might not be obvious to a new user of our forums: we do not support macOS. We focus on FreeBSD, and this section specifically on PF, IPFW or IPFirewall on FreeBSD. If you are running macOS, I suggest you find a more macOS/Apple centered forum to ask your questions.

Rule #7: FreeBSD Forums Rules
 