Routing traffic via OpenVPN

Hi guys,

I've been trying to push all my desktop's traffic over VPN which I have on a remote FreeBSD server:

Desktop --- Internet --- FreeBSD with OpenVPN

I can connect to the VPN but my traffic is not redirected. I tried billions of PF combinations (this is probably where the issue is) with no luck. I currently have
Code:
push "redirect-gateway def1"
added to openvpn.conf and, not sure about this one, also added something like this to pf.conf:

Code:
nat on $ext_if from $vpn_if to any -> EXT_IP

After adjusting some PF rules I can ping my LAN interface on the server (which is an alias on its external interface), but can't ping anything outside like 8.8.8.8. Any hints?

Thanks,
Konrad
 
Hi,

First - did you try your VPN configuration without PF? If needed for NAT/PAT, apply only those rules and default pass on any direction. Also verify that forwarding is on (IPv4):

Code:
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1
 
Hello,

I tried with PF and some basic rules, which didn't change anything. Also I can confirm that
Code:
net.inet.ip.forwarding: 1

Interesting thing I forgot to copy yesterday is this PF output:

Code:
00:00:00.954995 rule 3..16777216/0(match): pass in on tun0: 10.10.10.6 > 8.8.8.8: ICMP echo request, id 1, seq 9, length 40
00:00:00.000030 rule 5..16777216/0(match): pass out on re0: 10.10.10.6 > 8.8.8.8: ICMP echo request, id 1, seq 9, length 40

So basically if I understand correctly something is not being NATed out properly?

BTW: I was following THIS when setting the VPN up:

Thanks,
Konrad
 
Hello,

Many thanks for your answer.

I wrote a long reply this morning with outputs pasted etc and unfortunately somehow it didn't get posted :\

I can confirm that
Code:
net.inet.ip.forwarding: 1
is in place and I also tried enabling only the basic rules and NAT and that didn't change anything. I am still able to ping internal interfaces but nothing outside.

I saw one thing however which I forgot to paste yesterday, which is output from tcpdump showing that PF is letting through my pings from VPN_IP to 8.8.8.8, where VPN_IP is the IP of my desktop's VPN interface. Doesn't that mean that something is not being NATed properly?
My only NAT rule related to VPN is:
Code:
nat on $ext_if from $vpn_if to any -> EXT_IP
as mentioned before. So this means anything passed from the tun0 interface will be NATed, right? Perhaps I should change $vpn_if (which is an alias for tun0) to vpn_network?

Anyway, when I come back home this evening I can paste some outputs to make things more clear - although I hope the above is clear enough.

BTW: I used THIS while setting up VPN.

Thanks,
Konrad
 
tx1131 said:
I wrote a long reply this morning with outputs pasted etc and unfortunately somehow it didn't get posted :\
Wait for a moderator to release your post.
 
Yes, seems like I should have ;) I used to use this forum some time ago and don't recall this feature.
 
Ok, resolved.

The main issue was what I wrote earlier:

My only NAT rule related to VPN is:

Code:
nat on $ext_if from $vpn_if to any -> EXT_IP

as mentioned before. So this means anything passed from the tun0 interface will be NATed, right? Perhaps I should change $vpn_if (which is an alias for tun0) to vpn_network?

Changed this to vpn_network, adjusted PF slightly and everything works. Hope someone finds this useful.

Konrad
 
Yes of course, this is one of the common mistakes people make with pf(4). If you write
Code:
from $vpn_if
It literally means: traffic initiated from the VPN interface itself, meaning from the sole IP address bound to the interface. What people intend to write is
Code:
from $vpn_if:network
or the vpn_interface macro you used.
 
Changed this to vpn_network, adjusted PF slightly and everything works. Hope someone finds this useful.

VERY useful.

Yes of course, this is one of the common mistakes people make with pf(4). If you write
Code:
from $vpn_if
It literally means: traffic initiated from the VPN interface itself, meaning from the sole IP address bound to the interface. What people intend to write is
Code:
from $vpn_if:network
or the vpn_interface macro you used.

Thanks for this clarification. This was VERY useful.
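The interface-versus-network mismatch discussed in this thread, laid out as an added pf.conf example (not taken from any post above or from the FreeBSD handbook). It assumes re0 as the external interface, tun0 as the tunnel, 10.10.10.0/24 as the OpenVPN subnet, 203.0.113.10 as the server's public address and UDP 1194 as the OpenVPN port; adjust all of these to your setup.

```pf
# Added example: minimal pf.conf for a FreeBSD OpenVPN server.
# Assumed values, replace with your own:
ext_if  = "re0"
vpn_if  = "tun0"
vpn_net = "10.10.10.0/24"
ext_ip  = "203.0.113.10"

# Options come before translation and filter rules.
set skip on lo0

# WRONG: "$vpn_if" expands to the single address bound to tun0, i.e. the
# server's own tunnel endpoint. Client packets carry a source such as
# 10.10.10.6, so this rule never matches, the packets leave re0 with an
# untranslated 10.10.10.x source and the replies never return.
# nat on $ext_if from $vpn_if to any -> $ext_ip

# RIGHT: translate every source in the tunnel subnet. The pf(4) shorthand
# "$vpn_if:network" names the same network the interface is attached to.
nat on $ext_if from $vpn_net to any -> $ext_ip
# nat on $ext_if from $vpn_if:network to any -> $ext_ip   # equivalent

# Filter rules. Logging blocked packets lets you read pflog0 with tcpdump,
# as the thread does, to see which rule a packet hit.
block in log all
pass in on $ext_if proto tcp to $ext_ip port 22 keep state     # keep admin access
pass in on $ext_if proto udp to $ext_ip port 1194 keep state   # OpenVPN (assumed port)
pass in on $vpn_if from $vpn_net to any keep state             # forwarded client traffic
pass out on $ext_if keep state                                 # replies match this state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and confirm `sysctl net.inet.ip.forwarding` reports 1, otherwise the pass rules are never reached for forwarded packets.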
 