From: Doug Hardie
Subject: Re: openvpn
Date: Wed, 24 Apr 2019 03:01:53 -0700
To: Odhiambo Washington
Cc: Richard Gallamore, Doug Hardie, Karl Denninger, FreeBSD Mailing List
List-Id: User questions (freebsd-questions@freebsd.org)

> On 24 April 2019, at 02:51, Odhiambo Washington wrote:
>
>> On Wed, 24 Apr 2019 at 10:51, Richard Gallamore wrote:
>> Hello Doug,
>>
>> I suspect the system is not configured as a router, aka the sysctl
>> values should be set to net.inet.ip.forwarding: 1 and
>> net.inet6.ip6.forwarding: 1 (for v6 traffic) to allow packets to be
>> forwarded. If you add /etc/rc.conf, /etc/sysctl.conf,
>> /boot/loader.conf and pf.conf or ipfw configuration it will help greatly in
>> understanding your configuration if this doesn't work.
>>
>> Best regards,
>> Richard Gallamore
>
> +1
>
> --

I don't believe that will accomplish anything. First of all, there is only one network interface. The packets are received by openvpn, decrypted and then originated to the server in the clear. There is no packet forwarding required. Second, if I use telnet from the remote client to the server through the VPN, I do get a connection and it does receive responses. When using port 25, postfix is reporting some invalid characters in the very first packet. Those are logged and they are definitely invalid. After that, the data is sent properly. SSH does not appear to have that issue, but the responses are never visible on the client. The response packets are arriving at the client. They are correct between the server and openvpn.

Just for the record, inet forwarding is set to 1. inet6 is not used. This is entirely IPv4. pf is not enabled on the server. It is on the openvpn machine, but only restricts mail from a few servers that are black holed.