From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 3 Nov 2019 21:00:13 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering all
versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    203735 | Transparent interception of ipv6 with squid and p
Open        |    237973 | pf: implement egress keyword to simplify rules ac

2 problems total for which you should take action.

From: Phil Staub
Date: Thu, 7 Nov 2019 15:48:47 -0500
Subject: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org

I'm attempting to set up OpenVPN on a FreeBSD 12.1-RELEASE box. I'd like for it
to allow remote clients to access the internet via the server box's connection.
It appears that OpenVPN is working, because new connections are logged, but I
also get this message in the log:

  Thu Nov 7 15:43:17 2019 us=289157 han/67.175.144.37:61307 MULTI: bad source address from client [::], packet dropped

And the attached client doesn't have internet access.

So, I'm assuming I need to set up PF to NAT between tun0 and em0.

I tried looking in the FreeBSD handbook in the chapter on PF, but that's like
drinking from a fire hose, and I'm sure there is much more detail there than I
need to know.

Can someone point me to a concise description of how to achieve this?
Thanks,
Phil


From: Phil Staub
Date: Sat, 9 Nov 2019 14:02:02 -0500
Subject: Re: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org

Further investigation suggests that I needed to add client-config-dir to my
OpenVPN server.conf file and create a client file with ifconfig-push in it to
eliminate the 'bad source address' warning. However, I am still unable to get
the NAT to work. I've been staring at the PF chapter in the handbook, and I
can't get a good handle on how the example they provide works so that I can
modify it for my use.

Here is the example I'm trying to parse:

  ext_if = "xl0"   # macro for external interface - use tun0 for PPPoE
  int_if = "xl1"   # macro for internal interface
  localnet = $int_if:network
  # ext_if IP address could be dynamic, hence ($ext_if)
  nat on $ext_if from $localnet to any -> ($ext_if)
  block all
  pass from { lo0, $localnet } to any keep state

In my case, I'm using "tun0" as the internal interface and "em0" as the
external interface. I also specify the (fixed) address of my server on my
local address.

However, this is clearly not what is needed, because the 'block all' locks out
everything trying to access the server machine from other machines on the
local net.

So I removed the 'block all'. I also made a couple of other modifications.
Here's what I have now:

  ext_if = "em0"   # macro for external interface - use tun0 for PPPoE
  int_if = "tun0"  # macro for internal interface
  localnet = $int_if:network

  nat on $ext_if from $localnet to any ->
  pass from $localnet to any keep state

This seems to be working, except that I get some warnings in the OpenVPN log
about "PID_ERR replay-window backtrack occurred [1] [SSL-0]"

Three questions:

1. Is this error something I need to be concerned about?

2. Since the router I have between the server machine and the internet has a
   firewall, do I need to worry about any other rules in the pf ruleset? (i.e.
   is it safe to use my modified version of the handbook example?)

3. I don't intend to change the server machine's IP address, so I eliminated
   the "($ext_if)" and replaced it with the server's static address. Using the
   ($ext_if) and running pfctl -vnf /etc/pf.conf results in reporting
   "(em0) round robin" instead of the actual IP of the server. This seems to
   work, but is it really necessary?

Thanks,
Phil

On Thu, Nov 7, 2019 at 3:48 PM Phil Staub wrote:
> I'm attempting to set up OpenVPN on a FreeBSD 12.1-RELEASE box. I'd like
> for it to allow remote clients to access the internet via the server box's
> connection. It appears that OpenVPN is working, because new connections are
> logged, but I also get this message in the log:
>
> Thu Nov 7 15:43:17 2019 us=289157 han/67.175.144.37:61307 MULTI: bad
> source address from client [::], packet dropped
>
> And the attached client doesn't have internet access.
>
> So, I'm assuming I need to set up PF to NAT between tun0 and em0.
>
> I tried looking in the FreeBSD handbook in the chapter on PF, but that's
> like drinking from a fire hose, and I'm sure there is much more detail
> there than I need to know.
>
> Can someone point me to a concise description of how to achieve this?
>
> Thanks,
> Phil


From: Morgan Wesström
Date: Sat, 9 Nov 2019 20:41:05 +0100
Subject: Re: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org
I was hoping someone more experienced than myself would chip in and help you,
but since I run a similar setup I'll show you my configuration. I'm not
perfectly clear on your physical network layout so you have to adapt my
suggestions as needed.

I run my OpenVPN server on the same physical machine as my router/firewall.
Here are the needed parts from /etc/pf.conf:

  ext_if = "em0"
  vpn_if = "tun0"

The following two rules take care of all nat:

  nat on $ext_if inet proto udp from !($ext_if) to any -> ($ext_if) static-port
  nat on $ext_if inet from !($ext_if) to any -> ($ext_if) port 1024:65535

The ! is a logical NOT so the rules will nat from any interface that is NOT em0
to my external interface em0. I nat udp separately to force it to keep the
source and destination ports.

You need to allow inbound traffic on the OpenVPN port:

  pass in quick on $ext_if proto udp from any to ($ext_if) port 1194 keep state

You also need to pass traffic on the tun interface. I trust my clients so I
pass everything.

  pass quick on $vpn_if all

Those are all the OpenVPN related rules I have in /etc/pf.conf. I don't run
IPv6 over my OpenVPN so you need to allow for that if needed.

My OpenVPN config is short and pretty standard. I push the default gateway to
my clients to force all traffic from them to actually go through the tunnel.
You need to adjust your OpenVPN network address, LAN DOMAIN name and your DNS
server address.

  port 1194
  proto udp4
  dev tun0
  ca ca.crt
  cert server.crt
  key server.key
  dh dh1024.pem
  server 192.168.169.0 255.255.255.0
  ifconfig-pool-persist ipp.txt
  push "redirect-gateway def1 bypass-dhcp"
  push "dhcp-option DOMAIN local"
  push "dhcp-option DNS 192.168.69.2"
  keepalive 10 120
  user nobody
  group nobody
  persist-key
  persist-tun
  status /dev/null
  log-append openvpn.log
  verb 3

> This seems to be working, except that I get some warnings in the OpenVPN
> log about "PID_ERR replay-window backtrack occurred [1] [SSL-0]"
>
> Three questions:
>
> 1. Is this error something I need to be concerned about?

I have not seen this error. Someone more knowledgeable in OpenVPN needs to
help you here.

> 2. Since the router I have between the server machine and the internet has
> a firewall, do I need to worry about any other rules in the pf ruleset?
> (i.e. is it safe to use my modified version of the handbook example?)

Are you running OpenVPN on a separate machine behind your router/firewall?
Does it too run FreeBSD? Does it have pf enabled? If your OpenVPN server is on
a machine behind the router/firewall you need an rdr rule to forward port 1194
from your router to the correct machine, and the pass rule for traffic on port
1194 would need to refer to the OpenVPN server ip instead of ext_if. The pass
rule for tun0 would not be needed. This is different from how I run my setup
and additional configuration would be needed on the OpenVPN server itself if
you have enabled pf on it.

> 3. I don't intend to change the server machine's IP address, so I
> eliminated the "($ext_if)" and replaced it with the server's static
> address. Using the ($ext_if) and running pfctl -vnf /etc/pf.conf results in
> reporting "(em0) round robin" instead of the actual IP of the server. This
> seems to work, but is it really necessary?

As I understand it, it's helpful to people who run dynamic ip addresses on
their external interfaces.

Regards
Morgan
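A complete /etc/pf.conf for the case both posts above are working towards, a FreeBSD host that terminates OpenVPN on tun0 and NATs the VPN clients out through em0, written here as an added example rather than either poster's configuration. The VPN subnet 10.8.0.0/24, the LAN subnet 192.168.1.0/24 and the rc.conf/sysctl lines are assumptions; the VPN subnet must match the server line in server.conf.

```pf
# Added example (not from the thread): /etc/pf.conf for a FreeBSD host that
# runs the OpenVPN server on tun0 and NATs its VPN clients out through em0.
# Assumed: server.conf contains "server 10.8.0.0 255.255.255.0".
# pf can only translate packets the kernel forwards, so forwarding must be on:
#   /etc/rc.conf:   gateway_enable="YES"   pf_enable="YES"
#   at run time:    sysctl net.inet.ip.forwarding=1

ext_if   = "em0"
vpn_if   = "tun0"
vpn_net  = "10.8.0.0/24"      # explicit subnet, not $vpn_if:network (see note below)
vpn_port = "1194"
lan_net  = "192.168.1.0/24"   # assumed LAN subnet, adjust to yours

# Leave loopback alone; reassemble fragments before the rules see them.
set skip on lo0
scrub in all

# Translation. "($ext_if)" in parentheses means "whatever address em0 holds
# right now", looked up per packet; a bare "$ext_if" is resolved once at load
# time. Both work with a static address. The parenthesised form is what
# "pfctl -vnf" prints as "(em0) round robin", and it keeps working after an
# address change. Only the VPN subnet is translated, so LAN hosts are untouched.
# Keep this rule even if the host sits behind a SOHO NAT router: that router
# only knows its own LAN subnet and has no return route to $vpn_net unless you
# add one, so replies to untranslated 10.8.0.x sources are dropped upstream.
nat on $ext_if inet from $vpn_net to any -> ($ext_if)

# Filtering: default deny inbound on the external interface, stateful outbound.
block in on $ext_if
pass out on $ext_if keep state

# The OpenVPN listener, bound to the interface address rather than "any".
pass in quick on $ext_if inet proto udp from any to ($ext_if) port $vpn_port keep state

# Keep the box administrable from the LAN while pf is enabled (this is what the
# handbook's "block all" took away).
pass in on $ext_if inet proto tcp from $lan_net to ($ext_if) port 22 keep state

# Traffic from the VPN clients. Narrow "to any" (e.g. "to $lan_net" or a port
# list) if the clients should not be trusted with everything.
pass in  quick on $vpn_if inet from $vpn_net to any keep state
pass out quick on $vpn_if inet keep state

# Note on $vpn_if:network: with OpenVPN's default net30 topology tun0 is a
# point-to-point interface whose netmask does not describe the client pool, so
# ":network" may resolve to only the server's own address and the nat rule then
# matches no client traffic. An explicit subnet macro avoids the ambiguity.
# Validate, then load:   pfctl -nf /etc/pf.conf   &&   pfctl -f /etc/pf.conf
```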
From: Phil Staub
Date: Sat, 9 Nov 2019 16:31:10 -0500
Subject: Re: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org

Looks like I spoke too soon that I had it working. See comments inline,
including a note to Morgan Wesstrom.

On Sat, Nov 9, 2019 at 2:02 PM Phil Staub wrote:
> Further investigation suggests that I needed to add client-config-dir to
> my OpenVPN server.conf file and create a client file with ifconfig-push in
> it to eliminate the 'bad source address' warning. However, I am still
> unable to get the NAT to work. I've been staring at the PF chapter in the
> handbook, and I can't get a good handle on how the example they provide
> works so that I can modify it for my use.
>
> Here is the example I'm trying to parse:
>
> ext_if = "xl0"   # macro for external interface - use tun0 for PPPoE
> int_if = "xl1"   # macro for internal interface
> localnet = $int_if:network
> # ext_if IP address could be dynamic, hence ($ext_if)
> nat on $ext_if from $localnet to any -> ($ext_if)
> block all
> pass from { lo0, $localnet } to any keep state
>
> In my case, I'm using "tun0" as the internal interface and "em0" as the
> external interface. I also specify the (fixed) address of my server on my
> local address.
>
> However, this is clearly not what is needed, because the 'block all' locks
> out everything trying to access the server machine from other machines on
> the local net.
>
> So I removed the 'block all'. I also made a couple of other modifications.
> Here's what I have now:
>
> ext_if = "em0"   # macro for external interface - use tun0 for PPPoE
> int_if = "tun0"  # macro for internal interface
> localnet = $int_if:network
>
> nat on $ext_if from $localnet to any ->
> pass from $localnet to any keep state
>
> This seems to be working, except that I get some warnings in the OpenVPN
> log about "PID_ERR replay-window backtrack occurred [1] [SSL-0]"
>

Haven't seen this error for a while, but something I've changed along the way
has broken it again.

I see the reply from Morgan Wesstrom. I'm having trouble responding to it so
far. I guess I don't have my list options set right. Anyway, Morgan, I
appreciate your comments and I'll respond in more detail, but one of the things
I know you asked was about the physical configuration of my setup, so I'll
describe that here.

  Internet -> Arris 6141 modem -> Netgear R6400.2 router/firewall -> threepio.mynetgear.com (FreeBSD)

I don't use the VPN on the Netgear router, because I don't believe it can be
configured with custom keys and certificates. My old ASUS router had OpenVPN
running on it and could be re-configured. That served me well for several
years, but it died last week. I selected the Netgear partially because it was
advertised to have VPN capability.

threepio is one of several machines on my local network inside the firewall. I
have two laptops (one Ubuntu, the other dual-boot Windows and Ubuntu) that I
use when I'm away from home and use OpenVPN on them. I also use OpenVPN on my
smartphones.

I haven't had time to digest all of your reply yet, but I'll study it some more
and try some more experiments based on your comments.

Thanks again.
Phil

> Three questions:
>
> 1. Is this error something I need to be concerned about?
>
> 2. Since the router I have between the server machine and the internet has
> a firewall, do I need to worry about any other rules in the pf ruleset?
> (i.e. is it safe to use my modified version of the handbook example?)
>
> 3. I don't intend to change the server machine's IP address, so I
> eliminated the "($ext_if)" and replaced it with the server's static
> address. Using the ($ext_if) and running pfctl -vnf /etc/pf.conf results in
> reporting "(em0) round robin" instead of the actual IP of the server. This
> seems to work, but is it really necessary?
>
> Thanks,
> Phil
>
> On Thu, Nov 7, 2019 at 3:48 PM Phil Staub wrote:
>
>> I'm attempting to set up OpenVPN on a FreeBSD 12.1-RELEASE box. I'd like
>> for it to allow remote clients to access the internet via the server box's
>> connection. It appears that OpenVPN is working, because new connections are
>> logged, but I also get this message in the log:
>>
>> Thu Nov 7 15:43:17 2019 us=289157 han/67.175.144.37:61307 MULTI: bad
>> source address from client [::], packet dropped
>>
>> And the attached client doesn't have internet access.
>>
>> So, I'm assuming I need to set up PF to NAT between tun0 and em0.
>>
>> I tried looking in the FreeBSD handbook in the chapter on PF, but that's
>> like drinking from a fire hose, and I'm sure there is much more detail
>> there than I need to know.
>>
>> Can someone point me to a concise description of how to achieve this?
>>
>> Thanks,
>> Phil


From: Morgan Wesström
Date: Sat, 9 Nov 2019 23:07:32 +0100
Subject: Re: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org
NL(0.02)]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-pf@freebsd.org]; AUTH_NA(1.00)[]; RCPT_COUNT_ONE(0.00)[1]; RCVD_TLS_LAST(0.00)[]; NEURAL_SPAM_LONG(0.88)[0.881,0]; HFILTER_HELO_IP_A(1.00)[keymaster.local]; R_SPF_NA(0.00)[]; HFILTER_HELO_NORES_A_OR_MX(0.30)[keymaster.local]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:198203, ipnet:2a00:d880::/32, country:NL]; MID_RHS_MATCH_FROM(0.00)[]; DMARC_NA(0.00)[pp.dyndns.biz]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 09 Nov 2019 22:07:44 -0000 > Internet -> Arris 6141 modem -> Netgear R6400.2 router/firewall -> > threepio.mynetgear.com (FreeBSD) Ah, you have a standalone SOHO router. That changes things drastically. :) I assume the computers on your LAN (including FreeBSD) have private IP addresses (192.168.x.x)? In that case your Netgear router is doing the NAT for you and you don't need to worry about that part. - You need to forward port 1194/udp (or whatever you chose for OpenVPN) in your Netgear router so it points to the IP address of your FreeBSD machine. Consult the router's manual how to do port forwarding. - The firewall in the Netgear router also needs to allow incoming connections on this port. It's probably setup along with the port forwarding but once again you need to consult the Netgear manual. - You can disable pf on your FreeBSD machine unless you absolutely want an extra firewall to protect it. I strongly suggest you disable it at this point though until you have the OpenVPN server running. It's protected behind your Netgear router. So to sum up: - Configure firewall and port forwarding in your Netgear router. - Configure the OpenVPN server on FreeBSD. 
One caveat to look out for: I'm not familiar with your Arris modem. Make sure it doesn't do routing and NAT too so you have two layers of NAT since that would complicate things. Make sure your modem is in bridge mode and that your Netgear router has a public IP address on the interface connected to the modem. Regards Morgan From owner-freebsd-pf@freebsd.org Sat Nov 9 22:15:18 2019 Return-Path: Delivered-To: freebsd-pf@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 1322117F0F2 for ; Sat, 9 Nov 2019 22:15:18 +0000 (UTC) (envelope-from freebsd-database@pp.dyndns.biz) Received: from keymaster.local (ns1.xn--wesstrm-f1a.se [IPv6:2a00:d880:5:1b9::8526]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "keymaster.pp.dyndns.biz", Issuer "keymaster.pp.dyndns.biz" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 479WfY2g1Jz4FTD for ; Sat, 9 Nov 2019 22:15:16 +0000 (UTC) (envelope-from freebsd-database@pp.dyndns.biz) Received: from [192.168.69.69] ([192.168.69.69]) by keymaster.local (8.15.2/8.15.2) with ESMTP id xA9MFFJJ092452 for ; Sat, 9 Nov 2019 23:15:15 +0100 (CET) (envelope-from freebsd-database@pp.dyndns.biz) Subject: Re: NAT for use with OpenVPN To: freebsd-pf@freebsd.org References: From: =?UTF-8?Q?Morgan_Wesstr=c3=b6m?= Message-ID: Date: Sat, 9 Nov 2019 23:15:15 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-GB Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 479WfY2g1Jz4FTD X-Spamd-Bar: ++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of freebsd-database@pp.dyndns.biz has no SPF policy when checking 2a00:d880:5:1b9::8526) 
smtp.mailfrom=freebsd-database@pp.dyndns.biz X-Spamd-Result: default: False [2.12 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.63)[-0.633,0]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; IP_SCORE(-0.06)[asn: 198203(-0.33), country: NL(0.02)]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-pf@freebsd.org]; AUTH_NA(1.00)[]; RCPT_COUNT_ONE(0.00)[1]; RCVD_TLS_LAST(0.00)[]; NEURAL_SPAM_LONG(0.61)[0.613,0]; HFILTER_HELO_IP_A(1.00)[keymaster.local]; R_SPF_NA(0.00)[]; DMARC_NA(0.00)[pp.dyndns.biz]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:198203, ipnet:2a00:d880::/32, country:NL]; MID_RHS_MATCH_FROM(0.00)[]; HFILTER_HELO_NORES_A_OR_MX(0.30)[keymaster.local]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 09 Nov 2019 22:15:18 -0000 Phil, I forgot... OpenVPN needs its own subnet in the config file. Make sure you don't use the same subnet as your LAN uses because that would confuse the routing and could result in the behaviour you describe in your initial post. Data would reach the server but return packets wouldn't find their way back onto the Internet. I would need to see your OpenVPN config and details about the subnets you use to spot any errors. /Morgan
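Morgan's last point (the tunnel subnet must not overlap the LAN subnet) and Phil's earlier question about `($ext_if)` can both be checked before touching pf. The script below is an added example, not code posted in this thread: it converts two CIDR blocks to integers, reports whether they overlap, and only then renders the pf translation rule for the tunnel subnet. The interface name em0 and the subnets 192.168.1.0/24 and 10.8.0.0/24 are constructed sample values, not Phil's real configuration.

```sh
#!/bin/sh
# Added example: sanity-check an OpenVPN subnet plan and render the pf NAT rule.
# Interface and subnet values used below are constructed placeholders.

# ip_to_int 192.168.1.0 -> 3232235776 (dotted quad as an unsigned 32-bit value)
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1            # split on "." into $1..$4
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask 24 -> 4294967040 (0xFFFFFF00)
prefix_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# cidr_overlap A/len B/len: exit 0 when the two networks share any address.
# Two blocks overlap exactly when both network addresses agree under the
# mask of the shorter prefix (the larger of the two blocks).
cidr_overlap() {
    a_ip=${1%/*}; a_len=${1#*/}
    b_ip=${2%/*}; b_len=${2#*/}
    if [ "$a_len" -lt "$b_len" ]; then
        m=$(prefix_mask "$a_len")
    else
        m=$(prefix_mask "$b_len")
    fi
    [ $(( $(ip_to_int "$a_ip") & m )) -eq $(( $(ip_to_int "$b_ip") & m )) ]
}

# vpn_nat_rule ext_if vpn_net: print the pf rule that translates tunnel
# clients to the external interface. The parenthesised "(em0)" tells pf to
# use the interface's current address at match time instead of freezing the
# address when the ruleset is loaded; pfctl -vnf shows it as "round-robin"
# because an interface may carry more than one address.
vpn_nat_rule() {
    printf 'nat on %s from %s to any -> (%s)\n' "$1" "$2" "$1"
}

# check_plan lan_net vpn_net ext_if: refuse an overlapping tunnel subnet,
# otherwise emit the rule. Returns 1 on overlap.
check_plan() {
    if cidr_overlap "$1" "$2"; then
        echo "error: tunnel subnet $2 overlaps LAN subnet $1" >&2
        return 1
    fi
    vpn_nat_rule "$3" "$2"
}

# Constructed sample run (values are placeholders, not from the thread).
check_plan 192.168.1.0/24 10.8.0.0/24 em0
check_plan 192.168.1.0/24 192.168.1.0/24 em0 || echo "rejected, as intended"
```

Run it with `sh` on the FreeBSD box; a rejected plan means the `server` line in the OpenVPN config needs a subnet outside the LAN before any pf rule is worth loading.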