PF Safely share tun0 with eth0 (pf rule/s)

I am connecting to a VPN and have implemented some basic rules to avoid leaks.
I want to share the VPN-ized Internet from my tun0 to my ethernet eth0.
I don't want eth0 to provide DHCP; eth0 has a static IP, 10.10.10.1.

I can enable the gateway with gateway_enable in rc.conf and the sysctl settings. I need to know what further lines I need to add to my pf.conf so as to only safely share the Internet and disallow anything else from coming in on eth0.
The current configuration is given below:

Code:
///////////// pf.conf /////////////

# 192.168.1.0/24 is the WiFi I get my Internet from.
# (mask corrected to /24 to match the comment; /16 would cover all of 192.168.0.0/16)
block drop out inet from 192.168.1.0/24 to any

# Example VPN IP 104.197.53.83
pass out quick inet from 192.168.1.0/24 to 104.197.53.83 flags S/SA keep state

# WiFi Local network
pass out quick inet from 192.168.1.0/24 to 192.168.1.0/24 flags S/SA keep state

# Allow all on loopback (lo0)
pass out quick inet from 127.0.0.1 to any flags S/SA keep state

# Everything tunneled 10.6.0.x (VPN assigned internal IP for tunnel tun0)
# (mask corrected to /24 to match the comment; /8 would cover all of 10.0.0.0/8)
pass out quick inet from 10.6.0.0/24 to any flags S/SA keep state

///////////// End of pf.conf /////////////

Any ideas?
 
What exactly are you trying to accomplish? Are you wanting to route traffic originating on your eth0 interface over to your VPN on tun0 and then out to the Internet?
 
What I have now is:
Internet connected through WiFi (wlan0) --> OpenVPN (tun0) --> Usage


What I want is:
Internet connected through WiFi (wlan0) --> OpenVPN (tun0) --> Ethernet --> Usage

I am connected to a VPN; I wish to share it with the ethernet so that I can plug a cable into the eth port and use it on another system. I don't know if the existing pf rules to avoid VPN leaks are causing an issue or if I need to add anything further to those rules.
 
I am thinking that you want to route outbound traffic that is originating on the eth0 interface out to the Internet over the VPN connection on tun0 such that all Internet traffic appears to originate from the VPN's WAN IP address. If that is the case, here's how I would accomplish that:

  • Add macros in your pf.conf file for the LAN and VPN interfaces:
    • lan_if = "eth0"
    • vpn_if = "tun0"
  • Add a macro for the VPN connection to be used as a gateway:
    • GW_VPN = "( tun0 10.6.0.1 )"
  • Add a NAT rule to send outbound traffic over the VPN connection:
    • nat on $vpn_if inet from $lan_if:network to any -> ($vpn_if)
  • Add a PF rule to allow outbound traffic from the firewall device itself out to the Internet:
    • pass out route-to $GW_VPN from ($vpn_if) to ! $vpn_if:network keep state allow-opts
  • Add a PF rule to route all traffic originating on the eth0 interface over the VPN connection:
    • pass in quick on $lan_if route-to $GW_VPN inet from $lan_if:network to any keep state

Once you have the routing working, you can start ratcheting down the firewall rules as you see fit, e.g. blocking WAN egress on the wlan0 interface using tags, etc.
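Putting the pieces of the reply above together with the leak-prevention rules from the first post, here is a complete pf.conf in the section order pf requires (macros and tables, options, scrub, nat, then filter rules; a nat rule placed after the filter rules is a parse error). This is an added worked example, not the configuration of either poster. Everything it assumes is marked in the comments: the tunnel's far end 10.6.0.1, the VPN server's public address 104.197.53.83 (the example IP from the first post), a /24 on each segment, DHCP only on wlan0, and a second machine configured by hand with 10.10.10.1 as its default gateway and a DNS server that is reachable through the VPN.

```pf
# /etc/pf.conf -- worked example assembled for this thread, not a poster's config.
#
# Assumptions (none of these are confirmed in the thread):
#   - wlan0 is the uplink, sits in 192.168.1.0/24 and gets its address by DHCP
#   - the OpenVPN server's public address is 104.197.53.83 (example IP from the post)
#   - tun0 gets an address in 10.6.0.0/24 and its far end is 10.6.0.1
#   - eth0 is 10.10.10.1/24; the other machine uses 10.10.10.1 as default gateway
#     and a DNS server that is reachable through the VPN
#
# Matching /etc/rc.conf lines (gateway_enable sets net.inet.ip.forwarding=1):
#   gateway_enable="YES"
#   pf_enable="YES"
#   pflog_enable="YES"
#   ifconfig_eth0="inet 10.10.10.1 netmask 255.255.255.0"

# --- macros and tables ---------------------------------------------------
wan_if     = "wlan0"
lan_if     = "eth0"
vpn_if     = "tun0"
wan_net    = "192.168.1.0/24"
lan_net    = "10.10.10.0/24"
vpn_server = "104.197.53.83"   # assumed: public IP of the OpenVPN server
vpn_gw     = "10.6.0.1"        # assumed: far end of tun0, compare with netstat -rn -f inet

# Destinations the LAN must NOT be forwarded to. A table is used on purpose:
# "to ! { a, b }" would expand to two rules that each negate only one entry
# and together match everything.
table <local_nets> const { $lan_net, $wan_net }

# --- options and normalization -------------------------------------------
set skip on lo0
set block-policy drop
scrub in all fragment reassemble

# --- translation (must precede the filter rules) -------------------------
# Masquerade the LAN behind whatever address tun0 currently has, so replies
# come back through the tunnel. (addr) tracks the address if it changes.
nat on $vpn_if inet from $lan_net to any -> ($vpn_if)

# --- filter --------------------------------------------------------------
# Default deny in both directions, logged, so anything not listed below
# shows up on pflog0.
block log all

# wlan0: DHCP for the uplink itself, the local WiFi segment, and the VPN
# control channel. Nothing else may leave via wlan0, so a dropped tunnel
# cannot turn into a clear-text leak, neither for this host nor for the LAN
# (forwarded packets carry a 10.10.10.x source and match none of these).
pass in  quick on $wan_if inet proto udp from any port 67 to any port 68
pass out quick on $wan_if inet proto udp from any port 68 to any port 67
pass out quick on $wan_if inet from ($wan_if) to $wan_net keep state
pass out quick on $wan_if inet from ($wan_if) to $vpn_server keep state

# tun0: the host's own traffic plus the forwarded LAN traffic. NAT runs
# before outbound filtering, so by the time the LAN packets reach this rule
# their source is already tun0's address and one rule covers both.
pass out quick on $vpn_if inet from ($vpn_if) to any keep state

# eth0: forward the LAN to the Internet through the tunnel and nothing else.
# route-to pins these packets to tun0 even if the default route changes
# (for instance while OpenVPN reconnects), so they never fall back to wlan0.
# Packets aimed at this host or at the WiFi segment fall through to "block all".
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet \
    from $lan_net to ! <local_nets> keep state

# Let the host itself reach the LAN (ssh, ping) for diagnostics; replies are
# matched by state.
pass out quick on $lan_if inet from ($lan_if) to $lan_net keep state
```

Check the syntax before loading it (`pfctl -nf /etc/pf.conf`), then load with `pfctl -f /etc/pf.conf` and confirm `sysctl net.inet.ip.forwarding` reports 1, since without forwarding no pf rule will make eth0 share anything. While testing from the second machine, `pfctl -ss | grep 10.10.10` should show states whose translated side is the tun0 address, `tcpdump -n -e -ttt -i pflog0` shows exactly what the default deny is dropping, and a public-IP lookup from the client must return the VPN's address. The rules for wlan0 are the leak guard: if OpenVPN dies, both the host's traffic and the forwarded LAN traffic are dropped rather than sent in the clear.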
 
I have come to realize that even with pf disabled, wlan0 isn't sharing the connection without the VPN. There seems to be an issue with the routing.
I'll fix that first.
I appreciate the commented ruleset you've shared and the explanation you gave as well. It will come in handy once I fix the gateway issue. Many thanks!
 