From: Andrea Venturoli <ml@netfence.it>
To: Victor Sudakov, freebsd-net@freebsd.org
Subject: Re: OpenVPN and policy routing
Date: Thu, 30 Mar 2017 09:12:23 +0200
Message-ID: <81f24563-1abb-e804-d2a3-7fa772a0c78d@netfence.it>
In-Reply-To: <20170330032222.GA18053@admin.sibptus.transneft.ru>
List-Id: Networking and TCP/IP with FreeBSD

On 03/30/17 05:22, Victor Sudakov wrote:
> Dear Colleagues,
>
> Anyone experienced with OpenVPN on FreeBSD?
>
> What would be the best way to policy route a network into OpenVPN? A
> routing decision must be based on the src IP address, not the dst IP
> address.
>
> Imagine an OpenVPN client with 3 interfaces: fxp0 is the outside
> interface towards the OpenVPN server, fxp1 is for LAN1 and fxp2 for
> LAN2.
>
> From LAN1, some private networks are reachable through OpenVPN
> (tun0), this is done via the regular route commands (pulled from the
> OpenVPN server).
>
> From LAN2, *everything* should be reachable only through OpenVPN.
> Which is the best way to accomplish this?
>

Possibly pf's "route-to" rules: I've used those in the past, but as I've reported, sometimes pf gets stuck and only stopping and starting it again unblocks the network.

Other ideas could be jails or setfib, but I've not thought those out.

Maybe other people will come up with smarter ideas.

 bye
	av.
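The following pf.conf fragment is an added illustration of the "route-to" approach mentioned in the reply above; it is not part of the thread and was not written by either poster. The interface names fxp0/fxp1/fxp2/tun0 come from the question; the LAN2 prefix, the tun0 peer address and the optional NAT rule are assumptions chosen for the example and must be replaced with the real values of the OpenVPN client.

```pf
# Added example (not from the original message): source-based policy routing
# for the three-interface OpenVPN client described in the thread.
# Interface names are from the thread; lan2_net and vpn_peer are assumptions.
ext_if   = "fxp0"              # outside interface towards the OpenVPN server
lan1_if  = "fxp1"              # LAN1: normal destination-based routing
lan2_if  = "fxp2"              # LAN2: everything must go through the tunnel
vpn_if   = "tun0"              # OpenVPN tunnel interface
lan2_net = "192.168.2.0/24"    # ASSUMED LAN2 prefix
vpn_peer = "10.8.0.1"          # ASSUMED remote tun0 address (see ifconfig tun0)

set skip on lo0

# Optional (assumption): only needed if the OpenVPN server has no route back
# to LAN2. Translation rules must precede filter rules in this pf syntax.
# nat on $vpn_if from $lan2_net to any -> ($vpn_if)

# Fail closed: no packet sourced from LAN2 may ever leave in the clear on the
# outside interface, whatever the kernel routing table says (e.g. while the
# tunnel is down). This is the rule that makes the policy enforceable.
block out quick on $ext_if from $lan2_net to any

# Policy route: every packet arriving on fxp2 with a LAN2 source address is
# handed to tun0 towards the peer, overriding destination-based routing.
# The match is on the SOURCE address, which is what the question asks for.
pass in quick on $lan2_if route-to ($vpn_if $vpn_peer) from $lan2_net to any keep state

# LAN1 keeps ordinary routing; the routes pushed by the OpenVPN server decide
# which destinations enter tun0 and which leave via fxp0.
pass in on $lan1_if from $lan1_if:network to any keep state

# Let the policy-routed traffic (and its replies) flow on the tunnel.
pass out on $vpn_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. Note that route-to is evaluated on the rule that matches the packet on its inbound interface (fxp2 here), so the outbound rule on tun0 only needs to pass the traffic. The explicit block on fxp0 is the defensive part: without it, a failed or not-yet-established tunnel could let LAN2 traffic fall back to the default route and leave unencrypted.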