Hello, I'm currently trying to accomplish what is described here: https://bbs.archlinux.org/viewtopic.php?id=224655 on FreeBSD using IPFW.
These iptables rules restrict connections to the tun0 interface only, with the exception that they allow outbound connections to 209.222.18.222/32 and 209.222.18.218/32 (PIA DNS) and UDP connections on port 1198 (the port the VPN .conf uses):
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:10]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 209.222.18.222/32 -j ACCEPT
-A OUTPUT -d 209.222.18.218/32 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1198 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-net-unreachable
COMMIT
My Brazil.conf file:
Code:
client
dev tun
proto udp
remote brazil.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /usr/local/etc/openvpn/pass.txt
auth-nocache
comp-lzo
verb 1
reneg-sec 0
crl-verify /usr/local/etc/openvpn/crl.rsa.2048.pem
ca /usr/local/etc/openvpn/ca.rsa.2048.crt
disable-occ
My resolv.conf file:
Code:
# Generated by resolvconf
nameserver 209.222.18.222
nameserver 209.222.18.218
I set the immutable flag on it:
Code:
sudo chflags schg /etc/resolv.conf
These are the IPFW rules (/etc/ipfw.rules) I constructed trying to mimic the behavior of the iptables rules above:
Code:
#!/bin/bash
# Flush out the list before we begin
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
vpn="tun0"
default="re0"
# allow all local traffic on the loopback interface
$cmd 00001 allow all from any to any via lo0
# allow any connection to/from VPN interface
$cmd 00010 allow all from any to any via $vpn
# allow connection to/from LAN
$cmd 00101 allow all from me to 192.168.0.1/24
$cmd 00102 allow all from 192.168.0.1/24 to me
# allow connection to PIA VPN servers and PIA VPN DNS
$cmd 00112 allow all from any to 209.222.18.222/32 out via $default
$cmd 00113 allow all from any to 209.222.18.218/32 out via $default
$cmd 00114 allow udp from any to any 1198 out via $default
This is how my firewall rules are when enabled:
Code:
00001 allow ip from any to any via lo0
00010 allow ip from any to any via tun0
00101 allow ip from me to 192.168.0.0/24
00102 allow ip from 192.168.0.0/24 to me
00112 allow ip from any to 209.222.18.222 out via re0
00113 allow ip from any to 209.222.18.218 out via re0
00114 allow udp from any to any 1198 out via re0
65535 deny ip from any to any
re0 is my default Ethernet device; tun0 is the virtual device created by openvpn.
I added these lines to /etc/rc.conf:
Code:
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
When I execute this command without IPFW enabled:
Code:
sudo openvpn --config /usr/local/etc/openvpn/Brazil.conf
I get the connection to the VPN server successfully, everything works as expected.
If I do the same but with IPFW enabled, I'm unable to connect to the PIA servers when executing the same command. This is the output:
Code:
Sun Jul 22 15:25:21 2018 OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul 3 2018
Sun Jul 22 15:25:21 2018 library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Sun Jul 22 15:26:49 2018 RESOLVE: Cannot resolve host address: brazil.privateinternetaccess.com:1198 (hostname nor servname provided, or not known)
It seems that my last 3 IPFW rules are not working as expected, since my system is unable to resolve the PIA VPN hostname (notice that I'm "whitelisting" the DNS addresses from PIA in /etc/resolv.conf). I must be doing something wrong; can someone please help with this? I can give you more details about my system if needed.
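The iptables set above relies on `-m conntrack --ctstate RELATED,ESTABLISHED` to let replies back in; IPFW has no such implicit state, so rules 00112 to 00114 let the DNS queries and the UDP 1198 handshake leave via re0, but the answers arriving on re0 match no allow rule and fall through to 65535 deny. The script below is an added example (not the poster's script and not an official PIA or FreeBSD configuration) of the same policy written with `check-state` / `keep-state`, so that each permitted outbound flow gets a dynamic rule that admits its replies. The interface names, LAN network, DNS servers and port are taken from the post and are assumed to be correct for the poster's system; the `firewall_script` hook, the `deny log` rule and the `denied_packets` helper (which reads `ipfw -a list` output) are this example's own additions. Run it as `sh ipfw-vpn.sh preview` to print the rules without touching the firewall, or point `firewall_script` at it.

```shell
#!/bin/sh
# Added example: stateful IPFW "kill switch" for an OpenVPN client.
# Assumptions (from the post): VPN on tun0, uplink re0, LAN 192.168.0.0/24,
# PIA DNS 209.222.18.222 / .218, OpenVPN over UDP 1198.
IPFW=${IPFW:-/sbin/ipfw}
VPN_IF=${VPN_IF:-tun0}
WAN_IF=${WAN_IF:-re0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
VPN_PORT=${VPN_PORT:-1198}
DNS_SERVERS=${DNS_SERVERS:-"209.222.18.222 209.222.18.218"}

# Run one ipfw command, or print it when PREVIEW=1 (review the set offline).
rule() {
    if [ "${PREVIEW:-0}" = 1 ]; then
        printf 'ipfw %s\n' "$*"
    else
        "$IPFW" -q "$@"
    fi
}

# The whole rule set. Order matters: check-state must come before the
# per-flow rules so that replies on re0 are matched by the dynamic entries
# created by keep-state instead of reaching the final deny.
vpn_killswitch_rules() {
    rule -f flush
    rule add 00001 allow ip from any to any via lo0
    # Everything inside the tunnel is allowed.
    rule add 00010 allow ip from any to any via "$VPN_IF"
    # Consult dynamic (stateful) rules first.
    rule add 00020 check-state
    # LAN traffic, stateful in both directions.
    rule add 00101 allow ip from me to "$LAN_NET" keep-state
    rule add 00102 allow ip from "$LAN_NET" to me keep-state
    # Resolver traffic to the VPN provider's DNS only, on port 53,
    # before the tunnel is up (tightened from "any ip" in the post).
    n=110
    for dns in $DNS_SERVERS; do
        n=$((n + 1))
        rule add "00$n" allow udp from me to "$dns" 53 out via "$WAN_IF" keep-state
        n=$((n + 1))
        rule add "00$n" allow tcp from me to "$dns" 53 out via "$WAN_IF" setup keep-state
    done
    # The OpenVPN control/data channel; keep-state admits the server's replies.
    rule add 00120 allow udp from me to any "$VPN_PORT" out via "$WAN_IF" keep-state
    # Explicit logged deny so leaks show up in syslog
    # (needs sysctl net.inet.ip.fw.verbose=1 to actually log).
    rule add 00200 deny log ip from any to any
}

# Troubleshooting helper: given "ipfw -a list" output on stdin, print the
# packet counter of the default deny rule 65535 (non-zero means traffic is
# still falling through the whole set, as in the post's failing DNS lookup).
denied_packets() {
    awk '$1 == "65535" && $4 == "deny" { print $2; exit }'
}

case "${1:-}" in
    apply)   vpn_killswitch_rules ;;
    preview) PREVIEW=1 vpn_killswitch_rules ;;
esac
```

After loading the set, `ipfw -a list | sh ipfw-vpn.sh` is not needed; instead pipe `ipfw -a list` through `denied_packets` from an interactive shell that has sourced the script, and watch the 00200 counter as well: a resolver query that still fails while both counters stay at zero points at resolv.conf or routing rather than the firewall.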