OpenVPN and PF

Hi everyone,

I have been trying to set up OpenVPN for weeks now and I am at a point where I'm a little confused why I can't ping a computer on the network. Here's my setup:

PC->internet-> FW -> OpenVPN with PF -> Linksys Router -> Network

Some Background Info
OpenVPN ExtNIC: 172.16.0.200
OpenVPN IntNIC: 192.168.20.200

Linksys Router network: 192.168.20.0/24
Linksys Internal Port 4 Connected To OpenVPN on IntNIC

Pf.conf for OPENVPN Box
ext_if="fxp0"
int_if="rl0"
vpn_if="tun0"

set skip on lo
scrub in

nat on $ext_if from !($ext_if) -> ($ext_if)

block in log

pass out keep state
pass quick on $int_if no state
pass in on $vpn_if keep state
pass in on $ext_if proto udp to ($ext_if) port 1194
pass out proto icmp keep state
pass in proto icmp keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh

I can establish the VPN connection without any problems.
My tun0 interface is assigned an IP:

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff

The 192.168.20.0/24 network gets pushed to my winblows box:
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.101 25
10.8.0.1 255.255.255.255 10.8.0.13 10.8.0.14 1
10.8.0.12 255.255.255.252 10.8.0.14 10.8.0.14 30
10.8.0.14 255.255.255.255 127.0.0.1 127.0.0.1 30
10.255.255.255 255.255.255.255 10.8.0.14 10.8.0.14 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.101 192.168.1.101 25
192.168.1.101 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.101 192.168.1.101 25
192.168.20.0 255.255.255.0 10.8.0.13 10.8.0.14 1
224.0.0.0 240.0.0.0 10.8.0.14 10.8.0.14 30
224.0.0.0 240.0.0.0 192.168.1.101 192.168.1.101 25
255.255.255.255 255.255.255.255 10.8.0.14 2 1
255.255.255.255 255.255.255.255 10.8.0.14 10.8.0.14 1
255.255.255.255 255.255.255.255 192.168.1.101 192.168.1.101 1
Default Gateway: 192.168.1.1

From Windows, I can ping the OpenVPN IntNIC and the IP of the Linksys Router (192.168.20.1). This is where I'm stumped. I can't ping my rdp server (192.168.20.101).

My OpenVPN can ping any address in the 192.168.20.0/24 net. I'm guessing I'm missing a rule or a static route somewhere but I just can't figure it out.

I'm sorry for this large posting and hoping someone can point out my mistake.

Sincerely,

Fatman
 
I figured it out with the help of logical thinking and tcpdump. With my connection established, I used ping -t [ip of rdp server] from my Windows box and used tcpdump to follow the traffic.

On tun0, I saw:
# tcpdump -n -i tun0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes
10:49:53.800375 IP 10.8.0.14 > 192.168.20.101: ICMP echo request, id 1024, seq 8449, length 40

On rl0, I saw:
10:52:25.939253 IP 10.8.0.14 > 192.168.20.101: ICMP echo request, id 1024, seq 47361, length 40

This led me to believe that I required a static route on the Linksys router. I added 10.8.0.0/24 via 192.168.20.200 and voila, everything worked.

Now it's time for me to go over my pf rules and read up more about OpenVPN to understand the inner workings. I hope this was informative to some.

Later,

Fatman
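
Added example (not from the thread or its author): a small Python model of the topology above that applies longest-prefix routing hop by hop to the echo request and then to the echo reply. It reproduces what the tcpdump captures showed (the request reaches the 192.168.20.0/24 side) and makes the missing half visible: the reply from 192.168.20.101 goes to the RDP server's default gateway, the Linksys, which has no route back to 10.8.0.0/24 until the static route is added. Host names, the "FW" and "WAN" next hops, the RDP server's default gateway and the collapsing of the client's /30 link onto the server's tun address are assumptions.

```python
import ipaddress

# Constructed model of the thread's topology. Addresses come from the post; the
# client's /30 link is collapsed onto the server tun address 10.8.0.1, and the
# "FW"/"WAN" next hops are outside the model (anything sent there is lost).
OWNER = {"10.8.0.14": "client", "10.8.0.1": "openvpn", "192.168.20.200": "openvpn",
         "192.168.20.1": "linksys", "192.168.20.101": "rdp"}

def make_tables(linksys_has_vpn_route):
    """Per-host routing tables as (prefix, next_hop); next_hop None = directly attached."""
    linksys = [("192.168.20.0/24", None), ("0.0.0.0/0", "WAN")]
    if linksys_has_vpn_route:          # the static route the poster added
        linksys.insert(0, ("10.8.0.0/24", "192.168.20.200"))
    return {
        "client":  [("10.8.0.0/24", None), ("192.168.20.0/24", "10.8.0.1"),
                    ("0.0.0.0/0", "192.168.1.1")],
        "openvpn": [("10.8.0.0/24", None), ("192.168.20.0/24", None), ("0.0.0.0/0", "FW")],
        "linksys": linksys,
        "rdp":     [("192.168.20.0/24", None), ("0.0.0.0/0", "192.168.20.1")],  # assumed gateway
    }

def lookup(table, dst):
    """Longest-prefix match over one host's table: next hop, None if attached, 'DROP' if no route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else "DROP"

def trace(tables, host, dst):
    """Forward hop by hop; the path ends in DELIVERED or at the place the packet was lost."""
    path = [host]
    while len(path) < 8:                   # loop guard
        if OWNER.get(dst) == host:
            return path + ["DELIVERED"]
        nh = lookup(tables[host], dst)
        nxt = OWNER.get(dst, "no such host") if nh is None else OWNER.get(nh, nh)
        if nxt not in tables:              # WAN / DROP / unmodelled gateway: packet is gone
            return path + [nxt]
        path.append(nxt)
        host = nxt
    return path + ["LOOP"]

def ping_round_trip(linksys_has_vpn_route):
    """Paths taken by the echo request (client -> RDP server) and the echo reply."""
    t = make_tables(linksys_has_vpn_route)
    return trace(t, "client", "192.168.20.101"), trace(t, "rdp", "10.8.0.14")

if __name__ == "__main__":
    for fixed in (False, True):
        req, rep = ping_round_trip(fixed)
        print(f"static route on Linksys={fixed}: request {' > '.join(req)}; reply {' > '.join(rep)}")
```

The same asymmetry is what a tcpdump on rl0 shows in practice: requests leaving, no replies coming back, which is the cue to check the return route on the far-side gateway rather than the pf rules.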
 