IPFW jail as openvpn gateway with "killswitch". 95% done

Hi all,
As the title says, I am trying to set up a jail that acts as a VPN gateway for other jails and machines on my network. I would like to configure the firewall in a way that will not allow any network traffic if the VPN is down for any reason (called "killswitch" hereafter).

I think I am almost there. I can separately achieve the jail acting as a VPN gateway, and I can achieve the "killswitch" part. But not both at the same time.

If I comment out the last line of my ipfw setup, the "killswitch" is disabled, but the jail works fine as a gateway.
If I uncomment the last line, the "killswitch" works, but the gateway is no longer usable by other clients on the network.

I assume I am missing one "allow" command for ipfw in my "up.sh" but can't seem to find it.

Here is what I have so far:

cat /etc/rc.conf
Code:
portmap_enable="NO"
sshd_enable="NO"   # overridden by the sshd_enable=YES line further down
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="vpn_gateway_1"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"
sshd_enable=YES
openvpn_enable="YES"
openvpn_configfile=/usr/local/etc/openvpn/openvpn.conf
firewall_enable="YES"
gateway_enable="YES"

cat /usr/local/etc/openvpn/openvpn.conf
Code:
client
dev tun
proto tcp
remote vpnserver.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca ca.vpnserver.com.crt
verify-x509-name vpnserver.com name
auth-user-pass pass.txt
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
log /usr/local/etc/openvpn/openvpn.log
status /usr/local/etc/openvpn/openvpn-status.log
mute-replay-warnings
inactive 0
auth-nocache
ping 10
script-security 2
route-up /usr/home/vpn_man/up.sh

cat /usr/home/vpn_man/up.sh
Code:
#!/bin/sh
# route-up script: OpenVPN runs this once the tunnel is up, and it
# replaces the whole ipfw ruleset (the flush below drops any existing rules).

# Pick up the name of the tun device from the interface list.
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
VPN_Server="xxx"
LOCAL_IP="xxx/24"
DNS1="208.67.222.222"
DNS2="91.239.100.100"
VPN_IPs1="xxx/23"
VPN_IPs2="xxx/23"
VPN_IPs3="xxx/23"
VPN_IPs4="xxx/23"
VPN_IPs5="xxx/23"
VPN_IPs6="xxx/23"

sleep 2

/sbin/ipfw -q -f flush

# NAT
/sbin/ipfw -q nat 1 config if $TUN
/sbin/ipfw -q add nat 1 all from $LOCAL_IP to any out via $TUN
/sbin/ipfw -q add nat 1 all from any to any in via $TUN

# DNS Servers
/sbin/ipfw -q add allow log udp from $LOCAL_IP to $DNS1 dst-port 53 keep-state
/sbin/ipfw -q add allow log udp from $LOCAL_IP to $DNS2 dst-port 53 keep-state

# Local Loop
/sbin/ipfw -q add allow ip from $LOCAL_IP to $LOCAL_IP keep-state

# VPN Server
/sbin/ipfw -q add allow ip from $LOCAL_IP to $VPN_Server keep-state

# Allow local loop with known VPN IP Ranges
/sbin/ipfw -q add allow ip from 127.0.0.1 to any
/sbin/ipfw -q add allow ip from $VPN_IPs1 to any
/sbin/ipfw -q add allow ip from $VPN_IPs2 to any
/sbin/ipfw -q add allow ip from $VPN_IPs3 to any
/sbin/ipfw -q add allow ip from $VPN_IPs4 to any
/sbin/ipfw -q add allow ip from $VPN_IPs5 to any
/sbin/ipfw -q add allow ip from $VPN_IPs6 to any
/sbin/ipfw -q add allow ip from any to $VPN_IPs1
/sbin/ipfw -q add allow ip from any to $VPN_IPs2
/sbin/ipfw -q add allow ip from any to $VPN_IPs3
/sbin/ipfw -q add allow ip from any to $VPN_IPs4
/sbin/ipfw -q add allow ip from any to $VPN_IPs5
/sbin/ipfw -q add allow ip from any to $VPN_IPs6

# Deny everything else
/sbin/ipfw -q add deny ip from any to any

Your help is greatly appreciated!
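As an added example (not the poster's script and not something from this thread), the sh script below lays out a killswitch gateway ruleset in the shape such a setup generally needs, with a dry-run mode that prints the rules instead of loading them so they can be reviewed before they replace the live set. It assumes the gateway has a separate LAN-facing interface (em1) and WAN-facing interface (em0); those names, the LAN range 192.168.10.0/24 and the server address 198.51.100.5 are constructed placeholders. The two resolvers and the TCP/443 transport are taken from the post. When OpenVPN runs it as route-up, the tun device name comes from the environment variable dev and the hook type from script_type, both of which OpenVPN sets before running scripts. The point it illustrates is that a forwarded packet is evaluated by ipfw twice, once coming in on the LAN interface and once going out, so the LAN side gets an explicit allow while the final deny still catches anything that would be routed out the WAN interface with the tunnel down.

```shell
#!/bin/sh
# Added example: ipfw "killswitch" ruleset for a VPN gateway jail.
# Not the original poster's up.sh. Interface names, LAN range and server
# address below are constructed placeholders (assumptions).
# Dry run:   sh killswitch.sh --dry-run tun0      (prints the rules)
# Live use:  route-up /path/killswitch.sh          (in openvpn.conf)

IPFW=${IPFW:-/sbin/ipfw}                 # set IPFW=echo to print instead of load

LAN_IF=${LAN_IF:-em1}                    # interface facing the other jails/machines (assumed)
WAN_IF=${WAN_IF:-em0}                    # interface the OpenVPN TCP session leaves on (assumed)
LAN_NET=${LAN_NET:-192.168.10.0/24}      # constructed LAN range
VPN_SERVER=${VPN_SERVER:-198.51.100.5}   # constructed server address (TEST-NET-2)
DNS1=208.67.222.222                      # resolvers from the original post
DNS2=91.239.100.100

# build_rules <tun-device>: replace the ruleset with the killswitch set.
build_rules() {
    tun=$1

    $IPFW -q -f flush

    # 1. Loopback and already-established dynamic state come first.
    $IPFW -q add 100 allow ip from any to any via lo0
    $IPFW -q add 110 check-state

    # 2. The only traffic allowed out on the WAN side is the OpenVPN session
    #    itself (TCP 443 in the post) and DNS to the two fixed resolvers,
    #    which the gateway needs to resolve the server name before the
    #    tunnel exists. Keep this hole as narrow as it is here.
    $IPFW -q add 200 allow tcp from me to "$VPN_SERVER" dst-port 443 out xmit "$WAN_IF" setup keep-state
    $IPFW -q add 210 allow udp from me to "$DNS1,$DNS2" dst-port 53 out xmit "$WAN_IF" keep-state

    # 3. NAT the LAN behind the tunnel address. Anything on the tunnel is
    #    accepted, including inbound from the VPN side, as in the original
    #    ruleset; narrow 320 with keep-state if that side is not trusted.
    $IPFW -q nat 1 config if "$tun"
    $IPFW -q add 300 nat 1 ip from "$LAN_NET" to any out xmit "$tun"
    $IPFW -q add 310 nat 1 ip from any to any in recv "$tun"
    $IPFW -q add 320 allow ip from any to any via "$tun"

    # 4. Forwarded packets pass the ruleset twice: in on the LAN interface,
    #    then out. Admit them on the LAN side; the outgoing pass decides
    #    whether they may leave. With the tunnel down they are routed to
    #    WAN_IF, where nothing above matches and rule 900 drops them.
    $IPFW -q add 400 allow ip from "$LAN_NET" to any in recv "$LAN_IF"
    $IPFW -q add 410 allow ip from any to "$LAN_NET" out xmit "$LAN_IF"

    # 5. Everything else is dropped and logged (the log keyword only prints
    #    when the sysctl net.inet.ip.fw.verbose is 1).
    $IPFW -q add 900 deny log ip from any to any
}

# OpenVPN sets script_type=route-up and dev=<tun device> before running
# the hook; "--dry-run" is the review mode for running the script by hand.
case "${script_type:-${1:-}}" in
    route-up)  : "${dev:?tun device not set by OpenVPN}"; build_rules "$dev" ;;
    --dry-run) IPFW=echo; build_rules "${2:-tun0}" ;;
esac
```

Running it with --dry-run on a workstation shows the twelve commands in order and is a cheap way to check that the final rule is still the deny before the script is installed as the route-up hook.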