Date: Thu, 30 Mar 2017 14:46:15 +0700
From: Victor Sudakov <vas@mpeks.tomsk.su>
To: Andrea Venturoli <ml@netfence.it>
Cc: freebsd-net@freebsd.org
Subject: Re: OpenVPN and policy routing
Message-ID: <20170330074615.GA25049@admin.sibptus.transneft.ru>
In-Reply-To: <81f24563-1abb-e804-d2a3-7fa772a0c78d@netfence.it>
References: <20170330032222.GA18053@admin.sibptus.transneft.ru> <81f24563-1abb-e804-d2a3-7fa772a0c78d@netfence.it>
Andrea Venturoli wrote:
> > Anyone experienced with OpenVPN on FreeBSD?
> >
> > What would be the best way to policy route a network into OpenVPN? A
> > routing decision must be based on the src IP address, not the dst IP
> > address.
> >
> > Imagine an OpenVPN client with 3 interfaces: fxp0 is the outside
> > interface towards the OpenVPN server, fxp1 is for LAN1 and fxp2 for
> > LAN2.
> >
> > From LAN1, some private networks are reachable through OpenVPN
> > (tun0), this is done via the regular route commands (pulled from the
> > OpenVPN server).
> >
> > From LAN2, *everything* should be reachable only through OpenVPN.
> > Which is the best way to accomplish this?
>
> Possibly pf's "route-to" rules: I've used those in the past, but as I've
> reported, sometimes pf gets stuck and only stopping and starting it
> again unblocks the network.

Will "ipfw fwd" do the trick? I could "ipfw fwd" the packets into the
tun0 interface, but will OpenVPN understand that?

> Other ideas could be jails or setfib, but I've not thought those out.

Of course, fxp2 could be placed in a dedicated fib, but I need fxp0 and
fxp1 to remain in the main fib, and which fib will tun0 be in?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
AS43859
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20170330074615.GA25049>
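The setfib option Andrea mentions, worked through as an added example that is not part of the thread: an sh script that gives LAN2 a second FIB whose only route is a default via the tunnel, and tags packets arriving on fxp2 with that FIB using ipfw's setfib action, so the decision is made on the source side rather than the destination. Assumed: LAN2 is 192.168.2.0/24 (a constructed value), FIB 1 is unused, ipfw is loaded, and the DRY_RUN mode and function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: source-based policy routing for LAN2
# on a FreeBSD OpenVPN client, using a second FIB plus ipfw's "setfib" action.
# Assumptions: LAN2 is 192.168.2.0/24 (constructed) behind fxp2, the tunnel
# is tun0, FIB 1 is unused, ipfw is loaded. DRY_RUN=1 prints the commands.

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# net.fibs is a loader tunable; the dry run pretends the kernel has two FIBs.
fib_count() {
    if [ -n "${DRY_RUN:-}" ]; then echo 2; else sysctl -n net.fibs; fi
}

# policy_route_lan2 <lan2-net> <lan2-if> <tun-if> <fib>
# Packets received on the LAN2 interface are tagged with the alternate FIB,
# whose only route is a default via the tunnel, so every packet from LAN2
# leaves through OpenVPN whatever its destination. Replies arriving on the
# tunnel are not tagged and are forwarded with the main FIB, which still
# reaches LAN2 via fxp2. The routes openvpn pulls are added in the FIB the
# process runs in (FIB 0 here), so fxp0, fxp1 and tun0 stay in the main FIB.
policy_route_lan2() {
    net=$1; lan_if=$2; tun_if=$3; fib=$4
    if [ "$(fib_count)" -le "$fib" ]; then
        echo "FIB $fib not available: set net.fibs in /boot/loader.conf" >&2
        return 1
    fi
    run sysctl net.inet.ip.forwarding=1
    # Alternate FIB: only a default route, pointing at the tunnel.
    run setfib "$fib" route add default -iface "$tun_if"
    # ipfw keeps evaluating after "setfib", so rule 100 only relabels the
    # packet; the rest of the ruleset still applies to it.
    run ipfw add 100 setfib "$fib" ip from "$net" to any in recv "$lan_if"
}

case "${1:-}" in
    --dry-run) DRY_RUN=1; policy_route_lan2 192.168.2.0/24 fxp2 tun0 1 ;;
    --apply)   policy_route_lan2 192.168.2.0/24 fxp2 tun0 1 ;;
esac
```

Run it with --dry-run first to see the exact route and ipfw commands it would issue; the net.fibs check fails closed rather than silently tagging packets with a FIB the kernel does not have.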