OpenVPN question(s)

Hello everybody;

I have finally gone FreeBSD-VPN crazy (attention to every tiny detail) during the past few weeks, and I have complete faith that VPN on FreeBSD with proper PF rules will never leak, and I will post the ultimate how-to after I fire it up to see if what I did is truly 51/50 (151%) insanely secure. I don't want to get beyond my own beliefs, so I hope that you will be the judge.


My first vpn question is …
How to change an /etc/services port?

Example:
Code:
openvpn      1194/tcp
openvpn      1194/udp
To:
Code:
openvpn      443/tcp
openvpn      443/udp
… or whatever.
 

You should not touch the /etc/services file. Both the client and the OpenVPN server are configured by editing the /usr/local/etc/openvpn/openvpn.conf file. Just change

Code:
proto udp
remote your-openvpn-server-name-or-ip 1194

to the appropriate protocol you want to use and the appropriate port. Adjust pf.conf accordingly.

P.S. I am not looking forward to your ultimate VPN how-to. This is the exact reason why people should not trust any how-to they find on the Internet. They are usually written by people like yourself who are not exactly sure what they are doing. People who know what they are doing wrote whole book(s) on the subject. OpenVPN is actually rather well documented, including the textbooks. Also, changing the VPN port to 443 to bypass a corporate firewall should be done with a specialized proxy server.
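"Adjust pf.conf accordingly" is the step that decides whether the tunnel leaks, so here is an added example (my own script, not from this thread, OpenVPN or any provider) that reads the `proto`, `port` and `remote` directives of a client config and emits a minimal pf.conf in which the egress interface may only talk to those VPN endpoints and all other traffic is confined to the tun interface. The interface names em0/tun0, the hostname vpn.example.net and the 203.0.113.x addresses in the constructed sample config are assumptions.

```shell
#!/bin/sh
# Added example: derive a "VPN-only" pf.conf from an OpenVPN client config.
# Not code from the forum thread; interface names and sample addresses are assumed.
set -u

# ovpn_to_pf CONFIG EGRESS_IF TUN_IF
# Reads `proto`, `port` and `remote host [port] [proto]` (lines starting with
# # or ; are comments and skipped) and prints pf rules that pass only the
# tunnel endpoint(s) out on EGRESS_IF and everything out on TUN_IF.
ovpn_to_pf() {
    awk -v ext_if="$2" -v vpn_if="$3" '
    BEGIN { proto = "udp"; port = "1194"; n = 0 }
    $1 ~ /^[#;]/ { next }                      # skip comment lines
    $1 == "proto" { proto = ($2 ~ /^tcp/) ? "tcp" : "udp" }
    $1 == "port"  { port = $2 }
    $1 == "remote" {
        n++
        host[n]   = $2
        rport[n]  = (NF >= 3) ? $3 : ""        # per-remote port overrides "port"
        rproto[n] = (NF >= 4) ? (($4 ~ /^tcp/) ? "tcp" : "udp") : ""
    }
    END {
        if (n == 0) { print "ovpn_to_pf: no remote directive" > "/dev/stderr"; exit 1 }
        printf "ext_if = \"%s\"\nvpn_if = \"%s\"\n", ext_if, vpn_if
        print "set block-policy drop"
        print "set skip on lo"
        print "block log all"                  # default deny, both directions, v4 and v6
        for (i = 1; i <= n; i++) {
            p  = (rport[i]  != "") ? rport[i]  : port
            pr = (rproto[i] != "") ? rproto[i] : proto
            printf "pass out quick on $ext_if proto %s from ($ext_if) to %s port %s keep state\n", pr, host[i], p
        }
        print "pass out quick on $vpn_if keep state"   # everything else goes through the tunnel
    }' "$1"
}

# Constructed sample client config (documentation addresses, not a real provider).
SAMPLE_OVPN=$(mktemp)
cat > "$SAMPLE_OVPN" <<'EOF'
client
dev tun
proto tcp
; remote 192.0.2.1 1194      <- commented out, must be ignored
remote 203.0.113.10 443
remote vpn.example.net 1194 udp
resolv-retry infinite
EOF

ovpn_to_pf "$SAMPLE_OVPN" em0 tun0
rm -f "$SAMPLE_OVPN"
```

Check the result with `pfctl -nf generated.conf` before loading it. Two caveats: pf resolves a hostname in a rule once, at ruleset load, so an IP literal in `remote` (as the provider configs use) or a table you refresh is safer than a name; and if the egress interface gets its address by DHCP, confirm that lease renewal still works under a block-all policy before relying on it.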
 

Thanks a zillion Oko,

I think this will do it for me; but why is there next to nothing on the web about a VPN client on FreeBSD, while there are hundreds of how-tos for each and every Linux? All I'm going to do is include the missing pieces … something like what you just did for me :) Those extra vital tips you just provided may only be in one textbook or paper out of thousands for pure FreeBSD.

Other than your reply, these are the best and only ones I found on the web that made sense of a VPN client on FreeBSD to me. You will find that nearly everything else is mostly guessing without a solution, or difficult to understand (client-wise).

https://forums.freebsd.org/threads/20893/

http://networkfilter.blogspot.com/2014/08/defend-your-network-and-privacy-vpn.html

Even VPN providers' forum staff don't have all the answers when it comes to a client on FreeBSD.

https://airvpn.org/topic/15593-adding-port-1194-to-the-available-ports/

I’ll be pushing all the right buttons by midnight, I hope. Why risk it?


Thanks again Oko@
 
Sorry people about the question and the promise I made. With time, I seldom fail to find a hack for any technical issue, but I'm throwing in the towel on this one. Even the VPN providers don't have a clue. I saw FreeBSD running ALL of that VPN provider's client code just as perfectly as my Windows XP VM. The only plus was that XP and its most famous firewall of that day proved to be more secure than I thought. I matched things up all day and night so that I knew there was true progress.. but the provider IP was stuck in pftop, so that made me try even harder since I knew I was halfway there. But just like many others since 2010, after all of my trial and error, I could not move forward. I don't hold a degree, I'm mostly lucky, I threw the kitchen sink at it. The only thing I didn't do was build a jail for it, because I got worn out and pissed off .. realizing I have better things to do with FreeBSD anyway, so I'm cashing out.

. . and it’s time to plan for the new year.

Happy Holidays guys.

That's what it was, I just wanted to do everything with FreeBSD!

FreeBSD vpn-client result:

EDIT: I posted the wrong output.
 
The tap interface is Windows specific. Please post your entire server and client configuration files. I have two OpenVPN servers for my research group running on OpenBSD with an uptime of 4 years minus a 10-minute upgrade every six months. In my experience, configuring an OpenVPN client on Windows is far more complicated than on UNIX.
 
Code:
# --------------------------------------------------------
# Air VPN | https://airvpn.org | Friday 2nd of December 2016 06:35:50 PM
# OpenVPN Client Configuration.
# AirVPN_US-Pennsylvania_Metallah_TCP-443
# --------------------------------------------------------

client
dev tun
proto tcp
remote 104.243.24.235 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
verb 3
# Credential files. OpenVPN honours the last occurrence of each of these
# directives, so only the absolute paths actually used by the run are kept.
ca "/usr/local/etc/openvpn/Pennsylvania/Metallah/direct-tcp/ca.crt"
cert "/usr/local/etc/openvpn/Pennsylvania/Metallah/direct-tcp/user.crt"
key "/usr/local/etc/openvpn/Pennsylvania/Metallah/direct-tcp/user.key"
tls-auth "/usr/local/etc/openvpn/Pennsylvania/Metallah/direct-tcp/ta.key" 1

Code:
root@m22:~ # openvpn --config /usr/local/etc/openvpn/Pennsylvania/Metallah/direct-tcp/airvpn.ovpn

Sun Dec  4 11:05:45 2016 OpenVPN 2.3.11 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Nov 30 2016
Sun Dec  4 11:05:45 2016 library versions: OpenSSL 1.0.2h  3 May 2016, LZO 2.09
Sun Dec  4 11:05:45 2016 WARNING: file '/usr/local/etc/openvpn/Pennsylvania/Metallah/direct-tcp/user.key' is group or others accessible
Sun Dec  4 11:05:45 2016 WARNING: file '/usr/local/etc/openvpn/Pennsylvania/Metallah/direct-tcp/ta.key' is group or others accessible
Sun Dec  4 11:05:45 2016 Control Channel Authentication: using '/usr/local/etc/openvpn/Pennsylvania/Metallah/direct-tcp/ta.key' as a OpenVPN static key file
Sun Dec  4 11:05:45 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec  4 11:05:45 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec  4 11:05:45 2016 Socket Buffers: R=[65536->65536] S=[32768->32768]
Sun Dec  4 11:05:45 2016 Attempting to establish TCP connection with [AF_INET]104.243.24.235:443 [nonblock]
Sun Dec  4 11:05:46 2016 TCP connection established with [AF_INET]104.243.24.235:443
Sun Dec  4 11:05:46 2016 TCPv4_CLIENT link local: [undef]
Sun Dec  4 11:05:46 2016 TCPv4_CLIENT link remote: [AF_INET]104.243.24.235:443
Sun Dec  4 11:05:46 2016 TLS: Initial packet from [AF_INET]104.243.24.235:443, sid=96f28bf9 c30435ff
Sun Dec  4 11:05:46 2016 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Sun Dec  4 11:05:46 2016 Validating certificate key usage
Sun Dec  4 11:05:46 2016 ++ Certificate has key usage  00a0, expects 00a0
Sun Dec  4 11:05:46 2016 VERIFY KU OK
Sun Dec  4 11:05:46 2016 Validating certificate extended key usage
Sun Dec  4 11:05:46 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Dec  4 11:05:46 2016 VERIFY EKU OK
Sun Dec  4 11:05:46 2016 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Sun Dec  4 11:05:47 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Dec  4 11:05:47 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec  4 11:05:47 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Dec  4 11:05:47 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec  4 11:05:47 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun Dec  4 11:05:47 2016 [server] Peer Connection Initiated with [AF_INET]104.243.24.235:443
Sun Dec  4 11:05:50 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Dec  4 11:05:50 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.5.0.1,comp-lzo no,route-gateway 10.5.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.5.4.121 255.255.0.0'
Sun Dec  4 11:05:50 2016 OPTIONS IMPORT: timers and/or timeouts modified
Sun Dec  4 11:05:50 2016 OPTIONS IMPORT: LZO parms modified
Sun Dec  4 11:05:50 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sun Dec  4 11:05:50 2016 OPTIONS IMPORT: route options modified
Sun Dec  4 11:05:50 2016 OPTIONS IMPORT: route-related options modified
Sun Dec  4 11:05:50 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Dec  4 11:05:50 2016 ROUTE_GATEWAY 192.168.0.1
Sun Dec  4 11:05:50 2016 TUN/TAP device /dev/tun1 opened
Sun Dec  4 11:05:50 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Dec  4 11:05:50 2016 /sbin/ifconfig tun1 10.5.4.121 10.5.0.1 mtu 1500 netmask 255.255.0.0 up
Sun Dec  4 11:05:50 2016 /sbin/route add -net 10.5.0.0 10.5.4.121 255.255.0.0
add net 10.5.0.0: gateway 10.5.4.121 fib 0: route already in table
Sun Dec  4 11:05:50 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Sun Dec  4 11:05:50 2016 /sbin/route add -net 104.243.24.235 192.168.0.1 255.255.255.255
add net 104.243.24.235: gateway 192.168.0.1 fib 0: route already in table
Sun Dec  4 11:05:50 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Sun Dec  4 11:05:50 2016 /sbin/route add -net 0.0.0.0 10.5.0.1 128.0.0.0
add net 0.0.0.0: gateway 10.5.0.1 fib 0: route already in table
Sun Dec  4 11:05:50 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Sun Dec  4 11:05:50 2016 /sbin/route add -net 128.0.0.0 10.5.0.1 128.0.0.0
add net 128.0.0.0: gateway 10.5.0.1 fib 0: route already in table
Sun Dec  4 11:05:50 2016 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Sun Dec  4 11:05:50 2016 Initialization Sequence Completed
Sun Dec  4 11:05:55 2016 Connection reset, restarting [0]
Sun Dec  4 11:05:55 2016 SIGUSR1[soft,connection-reset] received, process restarting
Sun Dec  4 11:05:55 2016 Restart pause, 5 second(s)
Sun Dec  4 11:06:00 2016 Socket Buffers: R=[65536->65536] S=[32768->32768]
Sun Dec  4 11:06:00 2016 Attempting to establish TCP connection with [AF_INET]104.243.24.235:443 [nonblock]
Sun Dec  4 11:06:01 2016 TCP connection established with [AF_INET]104.243.24.235:443
Sun Dec  4 11:06:01 2016 TCPv4_CLIENT link local: [undef]
Sun Dec  4 11:06:01 2016 TCPv4_CLIENT link remote: [AF_INET]104.243.24.235:443
Sun Dec  4 11:06:01 2016 TLS: Initial packet from [AF_INET]104.243.24.235:443, sid=596249d3 ec7c3370
Sun Dec  4 11:06:02 2016 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Sun Dec  4 11:06:02 2016 Validating certificate key usage
Sun Dec  4 11:06:02 2016 ++ Certificate has key usage  00a0, expects 00a0
Sun Dec  4 11:06:02 2016 VERIFY KU OK
Sun Dec  4 11:06:02 2016 Validating certificate extended key usage
Sun Dec  4 11:06:02 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Dec  4 11:06:02 2016 VERIFY EKU OK
Sun Dec  4 11:06:02 2016 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Sun Dec  4 11:06:02 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Dec  4 11:06:02 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec  4 11:06:02 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Dec  4 11:06:02 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec  4 11:06:02 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun Dec  4 11:06:02 2016 [server] Peer Connection Initiated with [AF_INET]104.243.24.235:443
Sun Dec  4 11:06:04 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Dec  4 11:06:05 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.5.0.1,comp-lzo no,route-gateway 10.5.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.5.4.121 255.255.0.0'
Sun Dec  4 11:06:05 2016 OPTIONS IMPORT: timers and/or timeouts modified
Sun Dec  4 11:06:05 2016 OPTIONS IMPORT: LZO parms modified
Sun Dec  4 11:06:05 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sun Dec  4 11:06:05 2016 OPTIONS IMPORT: route options modified
Sun Dec  4 11:06:05 2016 OPTIONS IMPORT: route-related options modified
Sun Dec  4 11:06:05 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Dec  4 11:06:05 2016 Preserving previous TUN/TAP instance: tun1
Sun Dec  4 11:06:05 2016 Initialization Sequence Completed
Sun Dec  4 11:06:10 2016 Connection reset, restarting [0]
Sun Dec  4 11:06:10 2016 SIGUSR1[soft,connection-reset] received, process restarting
Sun Dec  4 11:06:10 2016 Restart pause, 5 second(s)
Sun Dec  4 11:06:15 2016 Socket Buffers: R=[65536->65536] S=[32768->32768]
Sun Dec  4 11:06:15 2016 Attempting to establish TCP connection with [AF_INET]104.243.24.235:443 [nonblock]
Sun Dec  4 11:06:16 2016 TCP connection established with [AF_INET]104.243.24.235:443
Sun Dec  4 11:06:16 2016 TCPv4_CLIENT link local: [undef]
Sun Dec  4 11:06:16 2016 TCPv4_CLIENT link remote: [AF_INET]104.243.24.235:443
Sun Dec  4 11:06:16 2016 TLS: Initial packet from [AF_INET]104.243.24.235:443, sid=a6a7a62b 4fa72d94
Sun Dec  4 11:06:17 2016 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Sun Dec  4 11:06:17 2016 Validating certificate key usage
Sun Dec  4 11:06:17 2016 ++ Certificate has key usage  00a0, expects 00a0
Sun Dec  4 11:06:17 2016 VERIFY KU OK
Sun Dec  4 11:06:17 2016 Validating certificate extended key usage
Sun Dec  4 11:06:17 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Dec  4 11:06:17 2016 VERIFY EKU OK
Sun Dec  4 11:06:17 2016 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Sun Dec  4 11:06:17 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Dec  4 11:06:17 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec  4 11:06:17 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Dec  4 11:06:17 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec  4 11:06:17 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun Dec  4 11:06:17 2016 [server] Peer Connection Initiated with [AF_INET]104.243.24.235:443
Sun Dec  4 11:06:19 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Dec  4 11:06:20 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.5.0.1,comp-lzo no,route-gateway 10.5.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.5.4.121 255.255.0.0'
Sun Dec  4 11:06:20 2016 OPTIONS IMPORT: timers and/or timeouts modified
Sun Dec  4 11:06:20 2016 OPTIONS IMPORT: LZO parms modified
Sun Dec  4 11:06:20 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sun Dec  4 11:06:20 2016 OPTIONS IMPORT: route options modified
Sun Dec  4 11:06:20 2016 OPTIONS IMPORT: route-related options modified
Sun Dec  4 11:06:20 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Dec  4 11:06:20 2016 Preserving previous TUN/TAP instance: tun1
Sun Dec  4 11:06:20 2016 Initialization Sequence Completed
Sun Dec  4 11:06:25 2016 Connection reset, restarting [0]
Sun Dec  4 11:06:25 2016 SIGUSR1[soft,connection-reset] received, process restarting
Sun Dec  4 11:06:25 2016 Restart pause, 5 second(s)
Sun Dec  4 11:06:30 2016 Socket Buffers: R=[65536->65536] S=[32768->32768]
Sun Dec  4 11:06:30 2016 Attempting to establish TCP connection with [AF_INET]104.243.24.235:443 [nonblock]
Sun Dec  4 11:06:31 2016 TCP connection established with [AF_INET]104.243.24.235:443
Sun Dec  4 11:06:31 2016 TCPv4_CLIENT link local: [undef]
Sun Dec  4 11:06:31 2016 TCPv4_CLIENT link remote: [AF_INET]104.243.24.235:443
Sun Dec  4 11:06:31 2016 TLS: Initial packet from [AF_INET]104.243.24.235:443, sid=fae8e25c d6244e11
Sun Dec  4 11:06:32 2016 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Sun Dec  4 11:06:32 2016 Validating certificate key usage
Sun Dec  4 11:06:32 2016 ++ Certificate has key usage  00a0, expects 00a0
Sun Dec  4 11:06:32 2016 VERIFY KU OK
Sun Dec  4 11:06:32 2016 Validating certificate extended key usage
Sun Dec  4 11:06:32 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Dec  4 11:06:32 2016 VERIFY EKU OK
Sun Dec  4 11:06:32 2016 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Sun Dec  4 11:06:32 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Dec  4 11:06:32 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec  4 11:06:32 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Dec  4 11:06:32 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec  4 11:06:32 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun Dec  4 11:06:32 2016 [server] Peer Connection Initiated with [AF_INET]104.243.24.235:443
Sun Dec  4 11:06:35 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Dec  4 11:06:35 2016 AUTH: Received control message: AUTH_FAILED
Sun Dec  4 11:06:35 2016 /sbin/route delete -net 104.243.24.235 192.168.0.1 255.255.255.255
route: route has not been found
delete net 104.243.24.235: gateway 192.168.0.1 fib 0: not in table
Sun Dec  4 11:06:35 2016 ERROR: FreeBSD route delete command failed: external program exited with error status: 1
Sun Dec  4 11:06:35 2016 /sbin/route delete -net 0.0.0.0 10.5.0.1 128.0.0.0
route: route has not been found
delete net 0.0.0.0: gateway 10.5.0.1 fib 0: not in table
Sun Dec  4 11:06:35 2016 ERROR: FreeBSD route delete command failed: external program exited with error status: 1
Sun Dec  4 11:06:35 2016 /sbin/route delete -net 128.0.0.0 10.5.0.1 128.0.0.0
route: route has not been found
delete net 128.0.0.0: gateway 10.5.0.1 fib 0: not in table
Sun Dec  4 11:06:35 2016 ERROR: FreeBSD route delete command failed: external program exited with error status: 1
Sun Dec  4 11:06:35 2016 Closing TUN/TAP interface
Sun Dec  4 11:06:35 2016 /sbin/ifconfig tun1 destroy
Sun Dec  4 11:06:35 2016 SIGTERM[soft,auth-failure] received, process exiting
root@m22:~ #
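Three things in the output above are worth acting on before the final AUTH_FAILED: the two WARNING lines about user.key and ta.key being readable by group/others, the four `route add` failures (`route already in table`, while the device that got opened was tun1, not the tun0 the pf rules expect), and the connect/reset loop every five seconds. The following is an added example, my own script and not code from the thread, OpenVPN or AirVPN: it classifies such log lines, prints the check or fix for each, and repairs the one problem that can be fixed locally, the key file modes. The sample log it runs on is constructed from the output above, and the suggestion to look for a second openvpn process (the rc.conf posted further down has openvpn_enable="YES" for the same config file, and this run was started by hand) is a hypothesis to verify, not a diagnosis.

```shell
#!/bin/sh
# Added example: triage an OpenVPN client log and repair key-file permissions.
# Not code from the forum thread; the sample log lines are constructed from the
# posted output, and "check for a second openvpn process" is a hypothesis.
set -u

# classify_line LINE -> prints one tag for a line worth acting on, nothing otherwise.
classify_line() {
    case "$1" in
        *"WARNING: file '"*"' is group or others accessible"*) echo "KEYPERM" ;;
        *"route already in table"*)                             echo "ROUTE_EXISTS" ;;
        *"AUTH: Received control message: AUTH_FAILED"*)        echo "AUTH_FAILED" ;;
        *"Connection reset, restarting"*)                       echo "CONN_RESET" ;;
    esac
}

# triage_log < LOG -> the distinct tags found, one per line, sorted.
triage_log() {
    while IFS= read -r line; do classify_line "$line"; done | sort -u
}

# advice TAG -> the check or fix a practitioner would run for that tag.
advice() {
    case "$1" in
        KEYPERM)      echo "chmod 600 the key files (fix_key_perms below), then restart the client" ;;
        ROUTE_EXISTS) echo "routes already installed and tun1 opened instead of tun0: look for a second instance with 'pgrep -lf openvpn' and 'netstat -rn'" ;;
        AUTH_FAILED)  echo "server rejected the session after TLS verified: confirm the credentials/cert with the provider; two sessions on one cert can end this way too" ;;
        CONN_RESET)   echo "link dropped seconds after PUSH_REPLY: clear ROUTE_EXISTS/AUTH_FAILED first" ;;
    esac
}

# warned_key_files < LOG -> the file paths named in KEYPERM warnings.
warned_key_files() {
    sed -n "s/.*WARNING: file '\([^']*\)' is group or others accessible.*/\1/p"
}

# key_file_is_private FILE -> true when no group/other permission bit is set.
key_file_is_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)   # e.g. -rw-------
    case "$mode" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# fix_key_perms FILE... -> chmod 600 each file that is not private; reports what changed.
fix_key_perms() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        if ! key_file_is_private "$f"; then
            chmod 600 "$f" && echo "fixed: $f"
        fi
    done
}

# Constructed sample, abridged from the log in the post (paths as posted).
sample_log() {
    cat <<'EOF'
Sun Dec  4 11:05:45 2016 WARNING: file '/usr/local/etc/openvpn/Pennsylvania/Metallah/direct-tcp/user.key' is group or others accessible
Sun Dec  4 11:05:45 2016 WARNING: file '/usr/local/etc/openvpn/Pennsylvania/Metallah/direct-tcp/ta.key' is group or others accessible
Sun Dec  4 11:05:50 2016 TUN/TAP device /dev/tun1 opened
Sun Dec  4 11:05:50 2016 /sbin/route add -net 0.0.0.0 10.5.0.1 128.0.0.0
add net 0.0.0.0: gateway 10.5.0.1 fib 0: route already in table
Sun Dec  4 11:05:50 2016 Initialization Sequence Completed
Sun Dec  4 11:05:55 2016 Connection reset, restarting [0]
Sun Dec  4 11:06:35 2016 AUTH: Received control message: AUTH_FAILED
EOF
}

sample_log | triage_log | while IFS= read -r tag; do
    echo "$tag: $(advice "$tag")"
done

# Demonstrate the permission fix on a throw-away file instead of the real keys.
tmp=$(mktemp -d)
touch "$tmp/user.key" && chmod 644 "$tmp/user.key"
fix_key_perms "$tmp/user.key"
rm -rf "$tmp"
```

On the real machine, `sample_log` is replaced by the actual log (`openvpn --config ... | tee /var/log/openvpn-client.log`, or the `log` directive) and `fix_key_perms` is fed `$(warned_key_files < thatlog)`.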
 
Thanks Oko, I can't blow it now. Here are

More details:

This is a FreeBSD-11.0.vdi guest running on a FreeBSD-11.0p2 host.


This machine is totally standalone! Only the guest(s) have INTERNET connectivity, and this particular one's job is ONLY to make a permanent connection to my favorite/future data center. It was said by a knowledgeable member here, or there, that *once you do that, simply never ever disconnect, if possible. Therefore, for this VM I plan to follow that advice to a T, then I'll worry about it afterward. The only security flaw is that the host vbox is not in a jail.


Here are some other .conf and output files that may be relevant:


#########################################

#########################################


PACKET FILTER:

I'm hacking this for a VPN client to providers, not my own server. I don't know what is out of place. This is incomplete work. Also, this should be for only ONE Ethernet card.

Code:
lan="em0"
egress="em1"
lan_ip="10.0.0.1"        # inside rc.conf
egress_ip="192.168.0.4"  # 192.168.0.6
gateway="192.168.0.1"    # 192.168.0.6
vpn="tun0"

table <sshguard> persist

# Global policy
set block-policy drop
set loginterface $egress
set skip on lo

# Normalization (pf requires scrub rules before nat/rdr and filter rules)
scrub all no-df max-mss 1440 random-id reassemble tcp
scrub out on $egress proto udp from $egress_ip to any port 443 set-tos lowdelay

# NAT and RDR rules:
# 1 - only NAT through the VPN connection. If the VPN is down, there is no Internet access for the LAN.
# 2 - catch DNS leaks from the LAN to the Internet and redirect them to our router
nat on $vpn from ($lan:network) to any -> ($vpn:0)
rdr on $lan proto { tcp udp } from $lan:network to ! $lan_ip port 53 -> $lan_ip

# ....................
# or use some of this:
# nat on $ext_if inet from $vpnclients to any -> $ext_if
# rdr on $ext_if proto { tcp udp } from $vpnclients to ! $vpnclients port 53 -> $vpnclients
# nat on $ext_if from !($ext_if) to any -> ($ext_if)
# nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)             # do it all!
# nat on em0 from 10.0.0.1 to any -> (em0)                             # maybe best choice

# Default deny and log all
#block log all
block drop in quick inet6
block in all
block out all
block in quick on $lan proto tcp from <sshguard> to any label "ssh bruteforce" # sirdice

# Antispoof
antispoof log quick for ($egress)
block in quick log on $egress from { no-route urpf-failed } to any
block out quick log on $egress from any to no-route

# Block IPv6
block quick inet6 all

# Prevent VPN bypass (covers traffic sourced from the LAN only, not the host's own traffic)
block out quick log on $egress from ($lan:network) to any

# Drop outbound DNS requests (53), as we use DNSCrypt
block out quick log on $egress proto { tcp udp } from any to any port 53

# Standard rules
# Passes all host-originated IPv4 traffic out on every interface, $egress included.
pass out quick inet modulate state
pass in quick on $lan


My complete rc.conf for this VM:
most of it is not needed for this VM ... Please review.
Code:
dumpdev="NO"
hostname="m22.example.vlocal"
ifconfig_em0="DHCP"
ip6addrctl_enable="NO"
ip6addrctl_policy="ipv4_prefer"
ipv6_activate_all_interfaces="NO"
auto_linklocal="NO"
##network_interfaces=""
gateway_enable="YES"    # NO IS TO BE USED

ifconfig_em0_alias1="inet 10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255" # FAMP

sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

tcp_drop_synfin="YES"         # prevents OS fingerprinting.  2 related opts are:
icmp_drop_redirect="YES"      # ICMP Redirect messages can be used by attackers
                              # to redirect traffic and should be ignored.
                              # This helps prevent DOS attacks.
icmp_log_redirect="NO"        # can fill up /var.  We don't have to use it.

inetd_enable="NO"             # Internet Super Server allows finger, ftp, ssh,
                              # and telnetd, etc. It increases system exposure.

rpcbind_enable="NO"           # NFS # shared files between Unix computers.. NO!
mountd_enable="NO"
mountd_flags=""
#nfs_server_enable="NO"
#nfs_client_enable="NO"
#nfs_reserved_port_only="YES"
#rpcbind_statd_enable="NO"
#rpcbind_lockd_enable="NO"

sshd_enable="YES"             # SSHD is a family of applications that can be used
                              # with network connectivity tools.
                              # This disables rlogin, RSH, RCP and telnet.

sshguard_enable="YES"         # YES .. run sshguard

                              # Disable if not running Network File Systems.
portmap_enable="NO"           # It shares files between computers.. NO!

update_motd="NO"              # No details added to /etc/motd on system reboot.

clear_tmp_enable="NO"
clean_tmp_X="NO"
fsck_y_enable="YES"

accounting_enable="NO"        # This will enable system accounting. DO IT LATER
                              # sa gives # of users, lastcomm, CPU, I/O issued

                              # port 514: you will not receive logging messages
syslogd_enable="YES"          # if NO, so say YES after jails have been installed.
syslogd_flags="-ss"           # Ensure syslogd doesn't bind to a network socket
                              # if you are not logging to a remote machine.
                              # Prevent syslog from opening sockets:
                              # no writing syslogs to remote devices
                              # by default.  No network socket will be
                              # opened at all!!!, including logging
                              # to my own remote server.
                              # Other servers have the same problem, such as sshd,
                              # nfsd, named, sendmail, syslogd, and portmap.
#syslogd_flags="-s -c"        # for denyhosts to notice multiple
                              # repeated login attempts

                              # inetd listens only on the host's IP address,
                              # not the jail's. An untrusted jailed user could type
                              # "ssh -l root localhost" and that would lead to the
                              # host and not the jail.  Again, remember to
                              # specify the IP address on which you want
                              # your services on the host computer to listen.
                              # TURN ON AFTER JAIL HAS BEEN INSTALLED.
#inetd_flags="-wW -a w101.host.local"                     # for jails

#  ****************************************************************
#  moused_port="/dev/psm0"
moused_type="auto"
moused_enable="YES"
#  allscreens_flags="-m on"
#  moused_flags="-m 2=3"                #  Cause no select
#### vidcontrol -h 6500
#  usbd_enable="YES"                    #  Open too many

snddetect_enable="YES"
mixer_enable="YES"

#  ****************************************************************
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pf.log"
pflog_program="/sbin/pflogd"
pflog_flags=""
#  **********************************************************************************
                                        #  comes all 'working out of the box'.
                                        #  By default this port is using OpenDNS'
                                        #  resolvers, other services are possible.
                                        #  run: /usr/local/sbin/dnscrypt-proxy --help
#dnscrypt_proxy_enable="YES"
#dnscrypt_proxy_flags="-a 127.0.0.2"
# or
#dnscrypt_proxy_enable="YES"
#dnscrypt_proxy_resolver="dnscrypt.eu-nl" # Logless Netherlands DNS server
#dnscrypt_proxy_flags='-a 127.0.0.1:40'
#local_unbound_enable="YES"
#  **********************************************************************************

# ................... rcd order .
#https://forums.freebsd.org/threads/57104/
#mysql_enable="YES"
#mysql_dbdir="/data/mysql"
#mysql_optfile="/usr/local/etc/my.cnf"

avahi_enable="NO"
dbus_enable="NO"

dhcpd_enable="NO"       # isc-dhcpd and isc-dhcpd6
dnscrypt_enable="NO"

ffserver_enable="NO"
hald_enable="NO"        # for VirtualBox DVD/CD functions to work,

mdnsd_enable="NO"
mdnsresponderposix_enable="NO"

openntpd_enable="NO"
openssl_enable="NO"

slim_enable="NO"

softether_bridge_enable="NO"
softether_client_enable="NO"
softether_server_enable="NO"

stunnel_enable="NO"

svnserve_enable="NO"
tcsd_enable="NO"
uuidd_enable="NO"

vboxguest_enable="YES"
vboxservice_enable="YES"

# POSTFIX
# "postconf compatibility_level=2" is a postfix(1) shell command, not an rc.conf
# variable. rc.conf is sourced by /bin/sh at boot, so it must not be placed here;
# run it from the shell instead.
postfix_enable="NO"

# DHCP
# dhcpd_enable="YES"
# dhcpd_flags="-q"
# dhcpd_conf="/usr/local/etc/dhcpd.conf"
# dhcpd_ifaces="em0"
# dhcpd_withumask="022"
# dhcpd_chuser_enable="YES"
# dhcpd_withuser="dhcpd"
# dhcpd_withgroup="dhcpd"
# dhcpd_chroot_enable="YES"
# dhcpd_devfs_enable="YES"
# dhcpd_rootdir="/usr/chroot/dhcpd"

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/Pennsylvania/Metallah/direct-tcp/airvpn.ovpn"
openvpn_if="tun"        # must match "dev tun" in the client config; a later
                        # openvpn_if="tap" line would silently override this one.



Also, pftop is now not working. I must have screwed stuff up last night during my madness… Now I have to take it from the top with a backup on another HDD, because I deleted the ones on this machine; I thought I had the ultimate setup nearly ready for backup. Dang! It proves, once again, you can never make your move too soon.


If anything else is needed, I'll post it after recovery. I found some commands concerning routing, but now it may be off-center. Give me a few hours.
 
I got tired of your posts as well. This is a fully functional client configuration file which
Code:
client
dev tun
proto udp

# The hostname/IP and port of the server.
remote my-vpn-server 1194

resolv-retry infinite
;nobind

# Downgrade privileges after initialization (non-Windows only)
user openvpn
group openvpn

# Try to preserve some state across restarts.
# (With user/group set above, the key files cannot be re-read after a
# SIGUSR1 restart unless persist-key is enabled.)
;persist-key
persist-tun
;mute-replay-warnings

# SSL/TLS parms.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/lake.crt
key /etc/openvpn/private/lake.key

;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth /etc/openvpn/private/ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-256-CBC

# Enable compression on the VPN link.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20


Looking at your output, it looks like your FreeBSD client has a problem adding the route. Are you running that client in a jail on the virtual host by any chance, or on the real physical machine?
 

I'm still beating myself up. Whatever I did to get that far with only a few route errors, I have not been able to duplicate yet. I had so many test copies that I deleted that most advanced backup by accident. Now I get a bag full of errors for everything no matter what I do.

I am running a FreeBSD VM guest on FreeBSD-11.0 hosting VirtualBox. I don't have any jail in this VM yet. I named the guest FreeBSD-vpn and it is running in bridged mode, so it has its own IP. I think I was just one more step away. I'll continue after mental recovery with your file. I know the key is in there. I bet I or someone will get it right. It'll be worth it.

Thanks for your insight Oko
 