PF OpenVPN: access to client subnet

I ran into difficulties configuring an OpenVPN server and client.
Here is my setup:
OpenVPN server on FreeBSD 12
server.conf
Code:
port 1194
proto tcp
dev tun

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
#########
#for internet on clients:
#also check pf rules
#push "dhcp-option DNS 208.67.222.222"
#push "dhcp-option DNS 208.67.220.220"
#push "redirect-gateway def1 bypass-dhcp"
#########
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
cipher AES-256-CBC
auth SHA1
;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log


verb 6
#explicit-exit-notify 1

The OpenVPN client is a Mikrotik router. It also has a local network, 192.168.1.0/24.
As a result, the tunnel is established successfully: the server has tunnel interface tun0 with address 10.8.0.1.
The client router gets address 10.8.0.2. The server can ping the router (10.8.0.1 <--> 10.8.0.2), and the router and the clients in 192.168.1.0/24 can ping the server at address 10.8.0.1.

But the server can't reach the clients in 192.168.1.0/24, e.g. ping 192.168.1.1 is not working!

I'm not 100% sure that it is a server problem (route or firewall configuration). But that is the easiest part that I can check. Maybe I'm missing some NAT rule in pf? Or wrong routes on the server?

Also, on the server I added a route: route add -net 192.168.1.0/24 10.8.0.2
And pf.conf on the server:
Code:
ext_if=vmx0
int_if=lo0
tcp_services = "{rdp, smtp, domain, www, auth, snmp, 5432, openvpn}"
udp_services = "{domain, ntp, snmp}"

vpn_if=tun0
vpn_net="10.8.0.0/24"

table <bruteforce> persist

set loginterface $ext_if
set block-policy return
set skip on $int_if

scrub in all

#OpenVPN rules
#nat for openvpn clients internet
#nat on ! $vpn_if from $vpn_net to any -> $ext_if
#nat on $vpn_if from localhost to "192.168.1.0/24" -> $vpn_if
pass quick on $vpn_if

antispoof quick for $ext_if inet
antispoof for $int_if

#filtering rules
block in all
block in quick inet6 all
block log quick from <bruteforce> to any
...

I will be grateful for any help
 
The tun0 interface doesn't exist when OpenVPN is not active. This could cause errors with PF. You can solve this, at least partially, by using the up and down script options in OpenVPN. With those you can dynamically add/remove rules and/or reload PF.

Also make sure the host has gateway_enable or it will not route between networks at all (a firewall is not a router, many people seem to misunderstand this, routing is done by the host, not the firewall). And your number one tool to diagnose issues like this is tcpdump(1). Seeing the actual network packets is invaluable as an information source, that way you don't have to guess what's happening with packets traveling from one node to another.
 
I have gateway_enable="YES" in rc.conf and net.inet.ip.forwarding=1 in sysctl.conf.
Also I'm sure that the OpenVPN server is running when I edit the pf rules. If I restart the OpenVPN server I also disable/enable pf.

With tcpdump on the server (tcpdump -i tun0 icmp), when I ping the client router (ping 192.168.1.1) I get this:
Code:
07:04:01.890262 IP 10.8.0.1 > 192.168.1.1: ICMP echo request, id 2890, seq 0, length 64
07:04:02.905927 IP 10.8.0.1 > 192.168.1.1: ICMP echo request, id 2890, seq 1, length 64
...
only requests, no response

If I ping the client router at 10.8.0.2 (ping 10.8.0.2):
Code:
07:07:39.907929 IP 10.8.0.1 > 10.8.0.2: ICMP echo request, id 5450, seq 0, length 64
07:07:39.994939 IP 10.8.0.2 > 10.8.0.1: ICMP echo reply, id 5450, seq 0, length 64
07:07:40.925059 IP 10.8.0.1 > 10.8.0.2: ICMP echo request, id 5450, seq 1, length 64
07:07:41.011359 IP 10.8.0.2 > 10.8.0.1: ICMP echo reply, id 5450, seq 1, length 64
...
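Reading the two captures above side by side, as an added example that is not from this thread: a small parser over constructed tcpdump lines (copied from the two outputs in the post) that pairs ICMP echo requests with replies by id/seq and reports the unanswered ones. This is the check that separates the 192.168.1.1 case (requests only) from the 10.8.0.2 case (every request answered).

```python
import re
from collections import OrderedDict

# Line format as printed by `tcpdump -i tun0 icmp` on the server
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse_icmp(lines):
    """Yield (kind, src, dst, id, seq) for ICMP echo lines; skip anything else."""
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if m:
            yield (m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"]))

def unanswered_requests(lines):
    """Return (dst, id, seq) for each echo request that never got a reply.
    A reply matches a request when id/seq are equal and src/dst are swapped."""
    pending = OrderedDict()
    for kind, src, dst, ident, seq in parse_icmp(lines):
        if kind == "request":
            pending[(src, dst, ident, seq)] = None
        else:
            pending.pop((dst, src, ident, seq), None)  # swapped addresses
    return [(dst, ident, seq) for (_, dst, ident, seq) in pending]

def reply_ratio(lines):
    """Fraction of echo requests answered; 0.0 means 'only requests, no response'."""
    reqs = [x for x in parse_icmp(lines) if x[0] == "request"]
    if not reqs:
        return None
    return 1 - len(unanswered_requests(lines)) / len(reqs)

# Constructed sample input: the two captures from the post above.
LAN_CAPTURE = """\
07:04:01.890262 IP 10.8.0.1 > 192.168.1.1: ICMP echo request, id 2890, seq 0, length 64
07:04:02.905927 IP 10.8.0.1 > 192.168.1.1: ICMP echo request, id 2890, seq 1, length 64
""".splitlines()

TUN_CAPTURE = """\
07:07:39.907929 IP 10.8.0.1 > 10.8.0.2: ICMP echo request, id 5450, seq 0, length 64
07:07:39.994939 IP 10.8.0.2 > 10.8.0.1: ICMP echo reply, id 5450, seq 0, length 64
07:07:40.925059 IP 10.8.0.1 > 10.8.0.2: ICMP echo request, id 5450, seq 1, length 64
07:07:41.011359 IP 10.8.0.2 > 10.8.0.1: ICMP echo reply, id 5450, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    for target, cap in (("192.168.1.1", LAN_CAPTURE), ("10.8.0.2", TUN_CAPTURE)):
        print(target, "answered:", reply_ratio(cap), "unanswered:", unanswered_requests(cap))
```

Feeding it a live capture (tcpdump output piped in line by line) gives the same unanswered list, which points at the far end of the tunnel rather than at the server when requests leave tun0 but nothing comes back.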
 
I have gateway_enable="YES" in rc.conf and net.inet.ip.forwarding=1 in sysctl.conf.
You can remove the setting from sysctl.conf, gateway_enable already takes care of this.

With tcpdump on the server (tcpdump -i tun0 icmp), when I ping the client router (ping 192.168.1.1) I get this:
Ok, that means you are actually putting the right packets "on the wire" as they say. Look at the other end of the tunnel, I'm guessing the client just doesn't know where to route the return traffic to.
 
Thank you for pointing out this part of documentation. I totally missed this part, my fault.
Glad to help. And don't feel bad, OpenVPN is definitely not the easiest thing to set up.
I only knew about that, because I've just spent an entire evening reading OpenVPN docs to set it up myself 😁
 