Solved Pf - OpenVPN

Hi,

Anybody see any error in my pf.conf?

When connected to my OpenVPN I cannot access the internet.

Thanks in advance.

rc.conf
Code:
gateway_enable="YES"
pf_enable="YES"

pf.conf
Code:
my_int = "vtnet0"
internal_net = "192.168.0.0/16"
external_addr = "37.48.xx.xx"
nat on $my_int from $internal_net to any -> $external_addr
set skip on lo
block in log all
pass in on $my_int proto tcp from any to any port 22 keep state
pass in on $my_int proto tcp from any to any port 80 keep state
pass in on $my_int proto tcp from any to any port 1194 keep state
pass in on $my_int proto udp from any to any port 1194 keep state
pass in quick on $my_int proto icmp all keep state
pass in proto gre all keep state
pass in from any to $internal_net
pass in from $internal_net to any
pass out proto { gre, tcp, udp, icmp } all keep state
 
What is vtnet0? It looks like you were copying and pasting pf.conf from somewhere. That thing makes little sense. Please give a detailed description of your network topology and what you are trying to accomplish.
 
Solved. This did the trick.

Code:
# default openvpn settings for the client network
vpnclients = "10.8.0.0/24"
#put your wan interface here (it will almost certainly be different)
wanint = "vtnet0"
# put your tunnel interface here, it is usually tun0
vpnint = "tun0"
# OpenVPN by default runs on udp port 1194
udpopen = "{1194}"
icmptypes = "{echoreq, unreach}"

set skip on lo
# the essential line
nat on $wanint inet from $vpnclients to any -> $wanint

block in
pass in on $wanint proto udp from any to $wanint port $udpopen
pass in on $wanint proto tcp from any to any port 22 keep state
pass in on $wanint proto tcp from any to any port 80 keep state
pass in on $wanint proto tcp from any to any port 443 keep state
# the following two lines could be made stricter if you don't trust the clients
pass out quick
pass in on $vpnint from any to any
pass in inet proto icmp all icmp-type $icmptypes
 
Hi, would you mind posting a little more detail on your topology?
I have a pf setup that will not NAT through a vpn/tun0; however, I'm behind a second firewall that performs NAT/PAT to the single ISP address, which allows all port traffic outbound though.
It looks like your nat statement is on the tun0 interface. I wonder if I'm doing something wrong.
Here's my config:
Code:
int_if="em0"
ext_if="em1"
vpn="tun0"
networks= "{ 192.168.1.0/24, 192.168.2.0/24, 192.168.6.0/24, 192.168.5.0/24 }"
vlan1="192.168.1.0/24"
heat="192.168.6.5"
table <vlan6> { 192.168.6.0/24, !192.168.6.1, !192.168.6.2, !192.168.6.3, !192.168.6.5 }

# Global Policy#
set block-policy return
set loginterface $ext_if
set skip on lo
set state-policy floating

#packet normalization
scrub log all no-df max-mss 1460 random-id reassemble tcp
scrub out log on $ext_if proto tcp from ($int_if:network) to any port { 443 80 } set-tos lowdelay
scrub out log on $ext_if proto udp from ($int_if:network) to any port 53 set-tos reliability

# NAT and RDR rules
nat log on $vpn from ($int_if:network) to any -> ($vpn:0)
rdr log on $int_if proto udp from <vlan6> to ! 192.168.6.2 port 53 -> 192.168.6.2 port 53
rdr log on $int_if proto udp from <vlan6> to ! 192.168.6.3 port 53 -> 192.168.6.3 port 53
rdr log on $int_if proto udp from <vlan6> to ! 192.168.6.3 port 123 -> 192.168.6.3 port 123

# Antispoof
antispoof log quick for { $int_if $ext_if } inet
block in log on { $int_if $ext_if } from { no-route urpf-failed } to any
#block out log quick on $ext_if from any to no-route

#blocking outbound
block out log on $ext_if flags any
block out log quick on $ext_if from radon to ! ($int_if:network) flags any

#internal network communication
pass quick on $ext_if from $networks to $networks flags any keep state

#domain controllers
pass out quick on $ext_if proto {tcp udp} from $dc to any port { 123 53 } flags any

#outbound
pass out quick on $ext_if proto {tcp udp} from ($int_if:network) to any port { 80 443 } flags any keep state
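As an added example (not code from any poster in this thread), a small Python lint over pf.conf text that flags two things a practitioner checks before running pfctl: macros referenced without a definition, and a nat rule whose "on" interface is not the WAN macro (VPN client traffic only reaches the internet if it is translated on the outbound interface). The two embedded configs are constructed, shortened versions of the last config above and of the solved config; the macro name passed as wan_macro is an assumption about which macro names the WAN interface.

```python
import re

# Constructed sample in the style of the last config in the thread: nat sits on
# the tunnel interface and $dc is referenced but never defined.
BROKEN_PF_CONF = """\
int_if="em0"
ext_if="em1"
vpn="tun0"
set skip on lo
nat log on $vpn from ($int_if:network) to any -> ($vpn:0)
pass out quick on $ext_if proto {tcp udp} from $dc to any port { 123 53 } flags any
"""

# Constructed sample in the style of the solved config: nat on the WAN interface.
SOLVED_PF_CONF = """\
vpnclients = "10.8.0.0/24"
wanint = "vtnet0"
vpnint = "tun0"
set skip on lo
nat on $wanint inet from $vpnclients to any -> $wanint
pass in on $vpnint from any to any
"""

MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"')
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
NAT_RULE = re.compile(r'^\s*nat\b.*?\bon\s+(\S+)')

def lint_pf_conf(text, wan_macro="ext_if"):
    """Return (line number, message) findings for undefined macros and
    nat rules not bound to the WAN interface named by wan_macro."""
    defined = {}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]          # drop trailing comments
        m = MACRO_DEF.match(code)
        if m:                                 # macro definition: record it
            defined[m.group(1)] = m.group(2)
            continue
        for ref in MACRO_REF.findall(code):   # every $name must be defined earlier
            if ref not in defined:
                findings.append((lineno, f"undefined macro ${ref}"))
        n = NAT_RULE.match(code)
        if n:                                 # resolve the nat interface token
            iface = n.group(1).strip("()").lstrip("$")
            iface = defined.get(iface, iface)
            wan = defined.get(wan_macro, wan_macro)
            if iface != wan:
                findings.append((lineno, f"nat on {iface}, expected WAN interface {wan}"))
    return findings

if __name__ == "__main__":
    for f in lint_pf_conf(BROKEN_PF_CONF):
        print("line %d: %s" % f)
```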
 