From owner-freebsd-questions@freebsd.org Sun Aug 27 17:42:49 2017
From: Ultima
Date: Sun, 27 Aug 2017 10:42:47 -0700
Subject: Re: STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)
To: Ian Smith
Cc: Fongaboo, FreeBSD Mailing List

From pf.conf:
> pass from { lo0, $localnet } to any keep state

This rule would probably work if it was in the proper order and contained "quick". It should also be in the --- INCOMING --- section. Normally pf will warn when the rules are out of order. lo0 should be removed as it has set skip, and I would change it to pass in. To sum it up:

pf.conf:
    pass in quick from $localnet to any keep state

Moved to the incoming section. The main issue is that the bottom default rule "block log all" triumphs over any rule defined above that does not contain the "quick" declaration.

From rc.conf:
    #gateway_enable="YES"

This should be uncommented when you use openvpn with this kind of configuration. I would check sysctl net.inet.ip.forwarding and make sure it is "1", which is essentially what gateway_enable does.

In general I suggest changing a couple of other things if you want the system to work after each restart. I find that relying on the :network translation in pf can often break things, and it is better to hard-code where possible.
It is also better to create the interface in rc.conf and give openvpn the interface instead of letting openvpn take care of all that. This can be done like so:

rc.conf:
    cloned_interfaces="tun0"
    ifconfig_tun0="up"   # This is probably not needed, but better to be safe.

openvpn.conf:
    dev tun0   # I don't think this is needed with the below, but I prefer to be thorough
    dev-type tun
    dev-node /dev/tun0

> As for this thread in general, it'd be really nice if people would not
> re-re-quote long messages

Apologies Ian, it is easy to forget about when gmail truncates the bottom bit.

Hope this helps,
Richard Gallamore
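The reply above makes three checkable points: a pass rule without "quick" is overridden by a later "block log all" (pf's last-match-wins semantics), a pass rule should not name an interface that is already under "set skip", and forwarding plus the tun interface should be set up in rc.conf rather than left to openvpn. The script below is an added example and is not code from this thread or from the FreeBSD project. The pf.conf, rc.conf and openvpn.conf contents are constructed stand-ins in the shape the thread discusses, the section markers are illustrative, and the lint functions are a deliberately simplified model of pf's rule evaluation (they do not call pfctl). Only the last function touches a live host, and it assumes it runs on FreeBSD.

```shell
#!/bin/sh
# Constructed example files (not the original poster's): a pf.conf and rc.conf
# with the problems the reply points out, and the corrected versions.
PF_CONF_BEFORE='set skip on lo0
# --- OUTGOING ---
pass from { lo0, $localnet } to any keep state
# --- INCOMING ---
block log all'

PF_CONF_AFTER='set skip on lo0
# --- INCOMING ---
pass in quick from $localnet to any keep state
block log all'

RC_CONF_BEFORE='#gateway_enable="YES"
openvpn_enable="YES"'

RC_CONF_AFTER='gateway_enable="YES"
cloned_interfaces="tun0"
ifconfig_tun0="up"
openvpn_enable="YES"'

OPENVPN_CONF='dev tun0
dev-type tun
dev-node /dev/tun0'

# Print every "pass" rule that lacks "quick" and is followed by a "block ... all"
# rule. In pf the last matching rule wins unless a rule says "quick", so such a
# pass rule is silently overridden by the later catch-all block.
pass_rules_shadowed_by_block() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*pass/ && !/quick/ { shadowed[++n] = $0 }
        /^[[:space:]]*block/ && /all/ { for (i = 1; i <= n; i++) print shadowed[i]; n = 0 }
    '
}

# Print every "pass" rule that names an interface already covered by "set skip on",
# where it is redundant (pf does not filter on skipped interfaces at all).
pass_rules_naming_skipped_if() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*set[[:space:]]+skip[[:space:]]+on/ {
            gsub(/[{}]/, "")            # tolerate "set skip on { lo0 }"
            for (i = 4; i <= NF; i++) skip[$i] = 1
        }
        /^[[:space:]]*pass/ { for (ifn in skip) if (index($0, ifn)) print $0 }
    '
}

# Exit 0 when rc.conf has an uncommented gateway_enable="YES".
gateway_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*gateway_enable="?YES"?'
}

# Exit 0 when the "dev" named in openvpn.conf is listed in rc.conf's
# cloned_interfaces, i.e. the tun device exists before openvpn starts.
openvpn_dev_is_cloned() {
    rc="$1"; ovpn="$2"
    dev=$(printf '%s\n' "$ovpn" | awk '$1 == "dev" { print $2; exit }')
    [ -n "$dev" ] || return 1
    printf '%s\n' "$rc" | awk -v dev="$dev" '
        /^[[:space:]]*cloned_interfaces=/ {
            sub(/^[^=]*=/, ""); gsub(/"/, "")
            n = split($0, a, " ")
            for (i = 1; i <= n; i++) if (a[i] == dev) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# On the FreeBSD host itself: confirm the kernel is actually forwarding, which is
# what gateway_enable="YES" arranges at boot. Not called by the demo below.
forwarding_sysctl_is_on() {
    [ "$(sysctl -n net.inet.ip.forwarding 2>/dev/null)" = "1" ]
}

# Demo: run the checks against the constructed "before" files and report findings.
echo "pass rules shadowed by the catch-all block:"
pass_rules_shadowed_by_block "$PF_CONF_BEFORE"
echo "pass rules naming a skipped interface:"
pass_rules_naming_skipped_if "$PF_CONF_BEFORE"
gateway_enabled "$RC_CONF_BEFORE" || echo "rc.conf: gateway_enable is not set to YES"
openvpn_dev_is_cloned "$RC_CONF_BEFORE" "$OPENVPN_CONF" || echo "rc.conf: openvpn dev is not in cloned_interfaces"
```

Running it with sh on any system with awk flags exactly the two pf.conf problems and the two rc.conf gaps from the thread, and reports nothing for the corrected files; the sysctl function is the live-host counterpart of the rc.conf check, for use after a reboot on the FreeBSD box.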