Date:      Sun, 27 Aug 2017 10:42:47 -0700
From:      Ultima <ultima1252@gmail.com>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        Fongaboo <freebsd@fongaboo.com>,  FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)
Message-ID:  <CANJ8om5GLVFZib4uPLgK4M2WW7HEeH8k5mHzo_S0hDN-D2CS=Q@mail.gmail.com>
In-Reply-To: <20170827164229.W23641@sola.nimnet.asn.au>
References:  <mailman.1203.1503788746.74519.freebsd-questions@freebsd.org> <20170827164229.W23641@sola.nimnet.asn.au>

From pf.conf:
> pass from { lo0, $localnet } to any keep state
This rule would probably work if it were in the proper order and
contained "quick". It should also be in the --- INCOMING --- section.
Normally pf will warn when the rules are out of order. lo0 should
be removed as it has set skip, and I would change it to pass in.
To sum it up:

pf.conf:
pass in quick from $localnet to any keep state

Moved to the incoming section.

The main issue is that the bottom default rule "block log all"
triumphs over any rule defined above that does not contain the
"quick" declaration.

From rc.conf:
#gateway_enable="YES"
This should be uncommented when you use openvpn with this
kind of configuration. I would check sysctl net.inet.ip.forwarding
and make sure it is "1", which is essentially what gateway_enable
does.

In general I suggest changing a couple of other things if you want the
system to work after each restart. I find that relying on the :network
translation in pf can often break things, and it is better to hard-code
the value where possible. It is also better to create the interface in
rc.conf and give openvpn the interface instead of letting openvpn
take care of all that. This can be done like so:

rc.conf:
cloned_interfaces="tun0"
ifconfig_tun0="up" # This is probably not needed, but better to be safe.

openvpn.conf:
dev tun0 # I don't think this is needed with the below, but I prefer to be thorough
dev-type tun
dev-node /dev/tun0

> As for this thread in general, it'd be really nice if people would not
> re-re-quote long messages

Apologies Ian, it is easy to forget about when Gmail truncates the
bottom bit.


Hope this helps,
Richard Gallamore
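The point Richard makes about "quick" is the one pf behaviour that most often bites people writing their first pf.conf: pf evaluates the filter rules top to bottom and the last matching rule wins, unless a matching rule says "quick", which ends evaluation on the spot. A trailing "block log all" therefore silently overrides every earlier "pass" without "quick". The script below is an added illustration written for this archive page; it is not part of the message above and not pf's own code. It models only the keywords used in the thread (pass/block, in/out, quick, log, all, from/to with any, an address, a CIDR, a "{ a, b }" list or a $macro), does not model the section order that pfctl warns about, and uses a constructed value for $localnet and constructed packet addresses.

```python
"""Toy model of pf filter-rule evaluation (added example, not pf itself).

Last matching rule wins, a matching "quick" rule short-circuits, and a
packet no rule matches is passed (pf's default). Only the keywords that
appear in the thread are understood; anything else raises ValueError so
an unsupported rule is never silently accepted.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed value standing in for the poster's $localnet macro.
MACROS = {"localnet": "192.168.1.0/24"}

# Keywords accepted and ignored by the model (logging, state tracking).
_IGNORED = {"log", "all", "keep", "state"}


@dataclass
class Rule:
    action: str      # "pass" or "block"
    direction: str   # "in", "out" or "any" (no direction given)
    quick: bool
    src: str         # "any", an address, a CIDR, or a literal name such as lo0
    dst: str
    text: str        # the pf.conf line the rule came from, for reporting


def _expand_list(tok):
    """'{ a, b }' -> ['a', 'b']; a plain token -> [token]."""
    if tok.startswith("{"):
        return tok.strip("{}").replace(",", " ").split()
    return [tok]


def parse_rule(line):
    """Parse one filter line into one Rule per (src, dst) pair, the way pf
    expands a { ... } list into several rules. Comments and blanks yield []."""
    raw = line.split("#", 1)[0].strip()
    if not raw:
        return []
    expanded = re.sub(r"\$(\w+)", lambda m: MACROS[m.group(1)], raw)
    toks = re.findall(r"\{[^}]*\}|\S+", expanded)
    action = toks[0]
    if action not in ("pass", "block"):
        raise ValueError(f"unsupported rule: {raw}")
    direction, quick, src, dst = "any", False, ["any"], ["any"]
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            direction = tok
        elif tok == "quick":
            quick = True
        elif tok in ("from", "to"):
            i += 1
            if tok == "from":
                src = _expand_list(toks[i])
            else:
                dst = _expand_list(toks[i])
        elif tok not in _IGNORED:
            raise ValueError(f"unsupported keyword {tok!r} in: {raw}")
        i += 1
    return [Rule(action, direction, quick, s, d, raw) for s in src for d in dst]


def load_ruleset(text):
    rules = []
    for line in text.splitlines():
        rules.extend(parse_rule(line))
    return rules


def _addr_matches(pattern, addr):
    if pattern == "any":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr  # interface names such as lo0 are compared literally here


def evaluate(rules, direction, src, dst):
    """Return (action, rule_text) for a packet described by direction and
    source/destination address: last match wins unless a match is quick."""
    winner = None
    for rule in rules:
        if (rule.direction in ("any", direction)
                and _addr_matches(rule.src, src) and _addr_matches(rule.dst, dst)):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        return ("pass", "<no rule matched: pf default is pass>")
    return (winner.action, winner.text)


def shadowed_by_catch_all(rules):
    """Lines of non-quick rules that a later catch-all (no address or
    direction restriction, e.g. 'block log all') overrides."""
    shadowed = []
    for i, rule in enumerate(rules):
        if rule.quick:
            continue
        later_catch_all = any(
            r.src == "any" and r.dst == "any" and r.direction in ("any", rule.direction)
            for r in rules[i + 1:])
        if later_catch_all and rule.text not in shadowed:
            shadowed.append(rule.text)
    return shadowed


# Constructed rulesets: the rule as quoted from the poster's pf.conf, and
# the rewritten rule suggested in the reply, each above the "block log all"
# the thread says sits at the bottom of the file.
ORIGINAL_RULESET = """
pass from { lo0, $localnet } to any keep state
block log all
"""
SUGGESTED_RULESET = """
pass in quick from $localnet to any keep state
block log all
"""

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_RULESET), ("suggested", SUGGESTED_RULESET)):
        rules = load_ruleset(text)
        print(name, evaluate(rules, "in", "192.168.1.10", "10.8.0.1"))
        print(name, "shadowed:", shadowed_by_catch_all(rules))
```

Running it shows the original rule losing to "block log all" for a LAN client (blocked) and the suggested "pass in quick" rule winning for the same packet, while traffic from outside $localnet, or in the "out" direction, still falls through to the block. The same last-match logic is what makes it worth running pfctl -sr on the live box and reading the order pf actually loaded, rather than trusting the order in the file.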



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CANJ8om5GLVFZib4uPLgK4M2WW7HEeH8k5mHzo_S0hDN-D2CS=Q>