OpenVPN and policy routing

Andrea Venturoli ml at netfence.it
Thu Mar 30 07:12:52 UTC 2017


On 03/30/17 05:22, Victor Sudakov wrote:
> Dear Colleagues,
> 
> Anyone experienced with OpenVPN on FreeBSD?
> 
> What would be the best way to policy route a network into OpenVPN? A
> routing decision must be based on the src IP address, not the dst IP
> address.
> 
> Imagine an OpenVPN client with 3 interfaces: fxp0 is the outside
> interface towards the OpenVPN server, fxp1 is for LAN1 and fxp2 for
> LAN2.
> 
>   From LAN1, some private networks are reachable through OpenVPN
> (tun0), this is done via the regular route commands (pulled from the
> OpenVPN server).
> 
>   From LAN2, *everything* should be reachable only through OpenVPN.
> Which is the best way to accomplish this?
> 

Possibly pf's "route-to" rules: I've used those in the past, but as I've 
reported, sometimes pf gets stuck and only stopping and starting it 
again unblocks the network.

Other ideas could be jails or setfib, but I've not thought those out.

Maybe other people will come up with smarter ideas.

  bye
	av.
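As an added illustration of the "route-to" approach mentioned above (this is a constructed pf.conf fragment, not configuration from the thread or from either poster), the following policy-routes by source address for the three-interface client described in the question. The interface names fxp0/fxp1/fxp2/tun0 come from the question; the LAN2 prefix, the tunnel peer address and the rule layout are assumptions.

```conf
# Constructed pf.conf fragment (not from the thread). Interface names are the
# ones in the question; the address values below are assumed placeholders.
ext_if   = "fxp0"            # outside, towards the OpenVPN server
lan1_if  = "fxp1"            # LAN1: only the routes pushed by the server use tun0
lan2_if  = "fxp2"            # LAN2: everything must go through tun0
vpn_if   = "tun0"
lan2_net = "192.168.2.0/24"  # assumed LAN2 prefix
vpn_peer = "10.8.0.1"        # assumed address of the server end of tun0

set skip on lo0

# Translation rules must precede filter rules in FreeBSD's pf.conf ordering.
# Only needed if the server has no return route for $lan2_net:
# nat on $vpn_if from $lan2_net to any -> ($vpn_if)

# Fail closed: LAN2 sources must never leave via the outside interface,
# e.g. while tun0 is down and the default route would otherwise apply.
block out quick on $ext_if inet from $lan2_net to any

# Policy route by *source*: anything arriving on fxp2 from LAN2 is handed to
# the tunnel regardless of destination, overriding the routing table.
pass in quick on $lan2_if inet from $lan2_net to any \
    route-to ($vpn_if $vpn_peer) keep state

# LAN1 is left to the normal routing table (routes pulled from the server).
pass in on $lan1_if inet from $lan1_if:network to any keep state

pass out on $vpn_if keep state
pass out on $ext_if inet from ($ext_if) to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm the resulting rules with `pfctl -s rules`. The explicit `block out quick on $ext_if` line is the part worth keeping whatever variant you adopt: route-to alone does not fail closed, so without it LAN2 traffic silently follows the default route out of fxp0 whenever the tunnel is down.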

