From: Jeff Hedges
To: freebsd-questions@freebsd.org
Date: Sun, 8 Jul 2012 13:25:37 +0100 (BST)
Subject: Working openvpn/pf configuration broken on upgrade from 8.3 to 9.0

Hi.

I'm running a small VPN for ~10 office users. Upon upgrading the machine from 8.3 to 9.0 yesterday, it became impossible for users to connect to the VPN. I've tried everything I can think of to track down the problem and it seems (although I may be mistaken) to be something to do with pf and a redirect rule. Here is the pf.conf on the machine:

--%<--

nic_wan = fxp0
nic_dmz = fxp2
nic_tun = tun0

# Perform NAT for outgoing connections from the DMZ
nat log on $nic_wan from $nic_dmz:network to any -> ($nic_wan)

# Redirect incoming openvpn clients from the WAN to the openvpn server
rdr log on $nic_wan proto udp from any to any port 11940 -> 10.2.0.1 port 11940

pass log all

--%<--

The fxp0 interface is connected directly to a small DSL modem that simply forwards everything to this machine (no NAT, no filtering, etc.). The fxp0 has one address: 1.0.0.2.

The openvpn daemon is listening on 10.2.0.1, which is the only IP bound to the fxp2 interface.

Here is where the madness starts:

Running tcpdump on fxp0 and pflog0 shows the following when a remote user x.x.x.x connects:

fxp0:   00:00:00.443090 00:50:7f:21:67:94 > 00:d0:b7:40:4b:31, IPv4, length 96: x.x.x.x.11940 > 10.0.0.2.11940: UDP, length 54
pflog0: 00:00:16.820380 rule 0..16777216/0(match): pass in on fxp0: x.x.x.x.11940 > 10.2.0.1.11940: UDP, length 54

So, packets come in fxp0 from x.x.x.x and then, after the rdr rule, they're sent to 1.2.0.1:11940.

However, the openvpn server log shows nothing, even at the highest verbosity settings. The connecting client eventually receives a "handshake timed out" message and either gives up or tries again.

Using nc, it's possible to see that packets *are* getting through:

$ nc -u -vvv example.com 11940
Connection to example.com 11940 port [udp/*] succeeded!

The openvpn server log then shows a TLS handshake error (as expected, as nc obviously isn't performing a TLS handshake).

If I, from inside the DMZ, try to connect an openvpn client to the server, the connection immediately succeeds and everything works correctly. Therefore, I believe that the 'rdr' rule in the pf.conf is probably to blame and that something pretty fundamental has changed between 8.3 and 9.0. From the bizarre behaviour (letting packets through but apparently "damaged" in some way), I'm guessing that this is a bug.

Does anyone have any idea how I can track down what's going on?
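An added probe for the diagnostic described in the message above; it is example code, not part of the original post or of the OpenVPN project. Where nc -u only shows that a UDP datagram reached the daemon (which then logs a TLS handshake error), this script sends the first packet of a real OpenVPN handshake, P_CONTROL_HARD_RESET_CLIENT_V2, through the rdr and checks whether the daemon answers with P_CONTROL_HARD_RESET_SERVER_V2 acknowledging our session id, which is exactly the step that "handshake timed out" indicates is failing. It assumes the server runs without tls-auth/tls-crypt (with either, an unauthenticated control packet is silently dropped, so "no reply" would not prove a pf problem); the host example.com and port 11940 are the placeholders from the post.

```python
"""Probe an OpenVPN/UDP endpoint with the first packet of a real handshake.

Added example, not from the original post or the OpenVPN project. Assumes the
server runs without tls-auth/tls-crypt (with either, unauthenticated control
packets are dropped without a reply).
"""
import os
import socket
import struct
import sys

# OpenVPN control-channel opcodes occupy the top 5 bits of the first byte;
# the low 3 bits carry the key_id, which is 0 for the initial handshake.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8


def build_client_hard_reset(session_id: bytes, packet_id: int = 0) -> bytes:
    """P_CONTROL_HARD_RESET_CLIENT_V2 without tls-auth:
    opcode|key_id (1) . session_id (8) . ack array length (1, zero) . packet_id (4)
    """
    if len(session_id) != 8:
        raise ValueError("session_id must be exactly 8 bytes")
    first = (P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | 0
    return bytes([first]) + session_id + b"\x00" + struct.pack(">I", packet_id)


def parse_opcode(pkt: bytes) -> int:
    return pkt[0] >> 3


def reply_acks_session(reply: bytes, our_session_id: bytes) -> bool:
    """True if reply is a SERVER_V2 hard reset whose ack block names our session.

    Layout: opcode|key_id (1) . server session_id (8) . ack_len (1) .
            ack packet_ids (4 * ack_len) . remote session_id (8, present only
            when ack_len > 0) . packet_id (4)
    """
    if len(reply) < 10 or parse_opcode(reply) != P_CONTROL_HARD_RESET_SERVER_V2:
        return False
    ack_len = reply[9]
    if ack_len == 0:
        return False
    off = 10 + 4 * ack_len
    if len(reply) < off + 8 + 4:
        return False
    return reply[off:off + 8] == our_session_id


def probe(host: str, port: int, timeout: float = 3.0):
    """Send one client hard reset; return (reply bytes or None, acked flag)."""
    sid = os.urandom(8)
    pkt = build_client_hard_reset(sid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            reply, _peer = s.recvfrom(2048)
        except socket.timeout:
            return None, False
    return reply, reply_acks_session(reply, sid)


if __name__ == "__main__":
    # Placeholders taken from the post; pass real host/port on the command line.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 11940
    reply, acked = probe(host, port)
    if reply is None:
        print("no reply: packet lost or dropped, or server requires tls-auth/tls-crypt")
    elif acked:
        print("HARD_RESET_SERVER_V2 acking our session received: NAT path and daemon OK")
    else:
        print("got %d bytes, opcode %d, but not an ack of our session"
              % (len(reply), parse_opcode(reply)))
```

Run it from the WAN side and from inside the DMZ against 10.2.0.1 directly; if the DMZ run gets the ack and the WAN run does not, the problem is between fxp0 and the daemon (the rdr and the return state), not in OpenVPN itself. Remember that the server's reply must come back through pf's NAT state from 10.2.0.1 to the original source, so capture on both fxp0 and fxp2 while probing.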