Openvpn up and down scripts for split tunnel and pf

[NapoleonWils0n]

Hi All

Im a linux user making the switch to freebsd,
got everything set up except for one last thing

Im trying to set up a split route with openvpn and the pf firewall
I did read the freebsd manual and a couple of books about pf and googled before posting

I have linux up and down scripts for openvpn to add create a split route,
so im just trying to work out the equivilant freebsd commands

* first i create a routing table called tunnel on linux with this command

sudo echo 200 tunnel >> /etc/iproute2/rt_tables

* i think this would be the equivialnt freebsd command to create routing table called tunnel

sudo pfctl -t tunnel

i start openvpn with the following command with up and down scripts

sudo openvpn --auth-nocache --route-nopull --script-security 2 --up /home/username/bin/openvpn-up --down /home/username/bin/openvpn-down --config openvpn.ovpn

* openvpn linux up script

#!/usr/bin/env bash

# openvpn-up.sh

# create vpn route
ip rule add from "$ifconfig_local" table tunnel
ip route add table tunnel default via "$ifconfig_remote" 
ip route add table tunnel "$ifconfig_remote" via "$ifconfig_local" dev "$dev"

* openvpn linux down script

#!/usr/bin/env bash

# openvpn-down

# delete vpn route
ip rule delete from "$ifconfig_local" table tunnel
ip route flush table tunnel

* pf config

# network interface
int_if="{ bge0 }" # thunderbolt to ethernet adaptor
vpn_if="tun0" # vpn interface

# local network
localnet="$int_if:network"

# bogon networks
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
          172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
          192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
          203.0.113.0/24 }

# Macros to define the set of TCP and UDP ports to open.
# Add additional ports or ranges separated by commas.
# 6881, 6882 = rtorrent. 22000, 21025 = syncthing
tcp_services = "{ ntp, 6881, 22000 }"
udp_services = "{ ntp, 6882, 21025 }"

# If you block all ICMP requests you will break things like path MTU
# discovery. These macros define allowed ICMP types. 
icmp_types = "{ echoreq, unreach }"

# Modulate the initial sequence number of TCP packets.
# Broken operating systems sometimes don't randomize this number,
# making it guessable.
tcp_state="flags S/SA keep state"
udp_state="keep state"

# Don't send rejections. Just drop.
set block-policy drop
set fingerprints "/etc/pf.os"

# scrub packets
scrub in all
scrub in all fragment reassemble no-df max-mss 1440

# block ipv6
block return out quick inet6 all
block in quick inet6 all

# block bogon networks
block in quick from { no-route urpf-failed } to any
block in quick from <martians> to any
block return out quick from any to <martians>
block in all

# antispoof
antispoof quick for lo0
antispoof quick for $int_if
antispoof quick for $vpn_if

# dont block localhost
set skip on lo0

# allow ICMP
pass inet proto icmp all icmp-type $icmp_types keep state 

# allow out bound traffic
pass out quick modulate state

# Allow the services defined in the macros at the top of the file
pass inet proto tcp from any to any port $tcp_services $tcp_state
pass inet proto udp from any to any port $udp_services $udp_state

# emerging threats - anchor
anchor "emerging-threats"
load anchor "emerging-threats" from "/etc/pf.anchors/emerging-threats"

# openvpn - anchor - maybe needed
#anchor "openvpn"
#load anchor "openvpn" from "/etc/pf.anchors/openvpn"

if anyone has the time to help a bsd noob make the switch from linux,
i just need a nudge in the right direction trying to figure out how to create up and down scripts for openvpn,
to create a split tunnel

any tips or feedback on pf.conf welcome

quick note on my set up

mac book 11 inch 2011, efi boot with full disk encryption
running freebsd 11 with i3wm window manager, unbound dns adblocking and pf with emerging threats

sorry in advance for any bsd or forum noob errors

 

[SirDice]

There's no reason to use a script to push routes. OpenVPN can take care of this:

push "route 172.17.20.0 255.255.255.0"
push "route 172.17.40.0 255.255.255.0"
push "route 172.17.60.0 255.255.255.0"
push "route 172.31.0.0 255.255.0.0"

And as far as I know the default settings already creates a split tunnel.

 

[NapoleonWils0n]

Hi SirDice

thanks for the reply, i have over 30 vpn config files and sometime i use a full vpn and other times a split vpn
so i cant edit the config files to add the routes

by default openvpn creates a full tunnel not a split route

i have found a way to create a split tunnel using setfib by doing the following

sudo vim /boot/loader.conf

and adding the following to the loader.conf

net.fibs=2

then rebooting

then i have to add the default route to my gateway to connect out

sudo setfib 1 route add default 192.168.1.1

then i start openvp in the 2nd routing table

sudo setfib 1 openvpn --config config.ovpn

after that i delete the default route to my lan gateway

sudo setfib delete default

then i can use setfib to start a program in the second routing table and send its traffic over the vpn like so

setfib 1 chrome &

so thats one way to do it,
i could write a little wrapper script around some of the commands

i suppose i could use some pf rules to selectively route traffic to the second routing table,
instead of starting the program with setfib

need to read up a bit more about routes and pf first