Date: Sat, 9 Nov 2019 20:41:05 +0100
From: Morgan Wesström <freebsd-database@pp.dyndns.biz>
To: freebsd-pf@freebsd.org
Subject: Re: NAT for use with OpenVPN
Message-ID: <29c23717-a53c-903d-0a94-fd809eee09bc@pp.dyndns.biz>
In-Reply-To: <CAMnCm8hQFC3PmJfRU5x_07zLZjUwKtXMGCSf6B-N4K6kR14Bgg@mail.gmail.com>
References: <CAMnCm8jmZJ6r8f_byUUMOmPr+3QeH_xB1zCx_SD+Hvc2YF55Vw@mail.gmail.com> <CAMnCm8hQFC3PmJfRU5x_07zLZjUwKtXMGCSf6B-N4K6kR14Bgg@mail.gmail.com>
I was hoping someone more experienced than myself would chip in and help you, but since I run a similar setup I'll show you my configuration. I'm not perfectly clear on your physical network layout, so you have to adapt my suggestions as needed. I run my OpenVPN server on the same physical machine as my router/firewall.

Here are the needed parts from /etc/pf.conf:

# Interface macros
ext_if = "em0"    # external (Internet-facing) interface
vpn_if = "tun0"   # OpenVPN tunnel interface

The following two rules take care of all nat:

# UDP is translated separately so the original source port is preserved
nat on $ext_if inet proto udp from !($ext_if) to any -> ($ext_if) static-port
# Everything else is given a source port from the 1024:65535 range
nat on $ext_if inet from !($ext_if) to any -> ($ext_if) port 1024:65535

The ! is a logical NOT, so the rules will nat from any interface that is NOT em0 to my external interface em0. I nat udp separately to force it to keep the source and destination ports.

You need to allow inbound traffic on the OpenVPN port:

# Accept OpenVPN client connections arriving on the external interface
pass in quick on $ext_if proto udp from any to ($ext_if) port 1194 keep state

You also need to pass traffic on the tun interface. I trust my clients so I pass everything.

# Pass all traffic, in both directions, on the tunnel interface
pass quick on $vpn_if all

Those are all the OpenVPN related rules I have in /etc/pf.conf. I don't run IPv6 over my OpenVPN, so you need to allow for that if needed.

My OpenVPN config is short and pretty standard. I push the default gateway to my clients to force all traffic from them to actually go through the tunnel. You need to adjust your OpenVPN network address, LAN DOMAIN name and your DNS server address.

port 1194
proto udp4
dev tun0
# Server certificate, private key, CA certificate and DH parameters (1024-bit here)
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# Tunnel network handed out to clients
server 192.168.169.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Make clients route all their traffic through the tunnel
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DOMAIN local"
push "dhcp-option DNS 192.168.69.2"
keepalive 10 120
# Drop privileges once the tunnel is up
user nobody
group nobody
persist-key
persist-tun
status /dev/null
log-append openvpn.log
verb 3

> This seems to be working, except that I get some warnings in the OpenVPN
> log about "PID_ERR replay-window backtrack occurred [1] [SSL-0]"
>
> Three questions:
>
> 1. Is this error something I need to be concerned about?

I have not seen this error. Someone more knowledgeable in OpenVPN needs to help you here.

> 2. Since the router I have between the server machine and the internet has
> a firewall, do I need to worry about any other rules in the pf ruleset?
> (i.e. is it safe to use my modified version of the handbook example?)

Are you running OpenVPN on a separate machine behind your router/firewall? Does it too run FreeBSD? Does it have pf enabled?

If your OpenVPN server is on a machine behind the router/firewall you need an rdr rule to forward port 1194 from your router to the correct machine, and the pass rule for traffic on port 1194 would need to refer to the OpenVPN server ip instead of ext_if. The pass rule for tun0 would not be needed. This is different from how I run my setup, and additional configuration would be needed on the OpenVPN server itself if you have enabled pf on it.

> 3. I don't intend to change the server machine's IP address, so I
> eliminated the "($ext_if)" and replaced it with the server's static
> address. Using the ($ext_if) and running pfctl -vnf /etc/pf.conf results in
> reporting "(em0) round robin" instead of the actual IP of the server. This
> seems to work, but is it really necessary?

As I understand it, it's helpful to people who run dynamic ip addresses on their external interfaces.

Regards
Morgan
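The "OpenVPN host behind the router" layout that the answer to question 2 describes in prose, written out as an added pf.conf example. This is not from Morgan's post or from the original poster's ruleset: the LAN interface name em1, the OpenVPN host's LAN address 192.168.69.10 and the host's own interface name are assumptions chosen to fit the 192.168.69.0 LAN implied by the DNS server in the post; the tunnel network 192.168.169.0/24 is taken from the post's `server` line.

```pf
# ---- Router /etc/pf.conf (added example, not from the original post) ----
ext_if   = "em0"             # Internet-facing interface, as in the post
int_if   = "em1"             # assumption: LAN interface name
ovpn_srv = "192.168.69.10"   # assumption: placeholder LAN address of the OpenVPN host

# Outbound NAT, unchanged from the post
nat on $ext_if inet proto udp from !($ext_if) to any -> ($ext_if) static-port
nat on $ext_if inet from !($ext_if) to any -> ($ext_if) port 1024:65535

# Forward the OpenVPN port to the internal host.  rdr rewrites the destination
# before the filter rules run, so the pass rule names the internal address
# rather than ($ext_if), exactly as the reply says.  Only UDP 1194 is exposed.
rdr on $ext_if inet proto udp from any to ($ext_if) port 1194 -> $ovpn_srv port 1194
pass in quick on $ext_if proto udp from any to $ovpn_srv port 1194 keep state

# No tun0 rule here: the tunnel interface exists only on the OpenVPN host.

# ---- OpenVPN host /etc/pf.conf (same example; only needed if pf runs there) ----
lan_if  = "em0"              # assumption: the host's LAN interface
vpn_if  = "tun0"
vpn_net = "192.168.169.0/24" # tunnel network from the post's 'server' line

# Replies to VPN clients must be able to reach this host.  Either the router
# carries a static route for $vpn_net pointing at this host, or the host
# translates tunnel traffic to its own LAN address, as done here.
nat on $lan_if inet from $vpn_net to any -> ($lan_if)

# Accept the forwarded OpenVPN packets and pass everything on the tunnel
pass in quick on $lan_if proto udp from any to ($lan_if) port 1194 keep state
pass quick on $vpn_if all
```

Both fragments can be syntax-checked before loading with `pfctl -nf /etc/pf.conf`, the same check used in question 3. With pf's default floating state policy, the state created by the router's `pass in` rule also matches the translated packet as it leaves on $int_if, so no separate outbound rule is needed for the forwarded connection.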
