OpenVPN and policy routing
Victor Sudakov
vas at mpeks.tomsk.su
Thu Mar 30 07:46:21 UTC 2017
Andrea Venturoli wrote:
> >
> > Anyone experienced with OpenVPN on FreeBSD?
> >
> > What would be the best way to policy route a network into OpenVPN? A
> > routing decision must be based on the src IP address, not the dst IP
> > address.
> >
> > Imagine an OpenVPN client with 3 interfaces: fxp0 is the outside
> > interface towards the OpenVPN server, fxp1 is for LAN1 and fxp2 for
> > LAN2.
> >
> > From LAN1, some private networks are reachable through OpenVPN
> > (tun0), this is done via the regular route commands (pulled from the
> > OpenVPN server).
> >
> > From LAN2, *everything* should be reachable only through OpenVPN.
> > Which is the best way to accomplish this?
> >
>
> Possibly pf's "route-to" rules: I've used those in the past, but as I've
> reported, sometimes pf gets stuck and only stopping and starting it
> again unblocks the network.
Will "ipfw fwd" do the trick? I could "ipfw fwd" the packets into the
tun0 interface, but will OpenVPN understand that?
>
> Other ideas could be jails or setfib, but I've not thought those out.
>
Of course, fxp2 could be placed in a dedicated fib, but I need fxp0 and
fxp1 to remain in the main fib, and which fib will tun0 be in?
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
AS43859
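As an added illustration (not code from either poster) of the pf "route-to" approach mentioned in the thread, the pf.conf fragment below forces every packet arriving on fxp2 from LAN2 into tun0 by source address, while LAN1 keeps using the routes pulled from the OpenVPN server. The LAN2 prefix, the tun0 peer address and the net30 topology are assumptions; check the real peer with ifconfig tun0 before using it.

```pf
# Added example, not from the original thread. Assumed values:
#   LAN2 behind fxp2        = 192.168.2.0/24      (placeholder)
#   tun0 local / peer addr  = 10.8.0.6 / 10.8.0.5 (placeholder, net30 topology)
ext_if   = "fxp0"
lan2_if  = "fxp2"
vpn_if   = "tun0"
lan2_net = "192.168.2.0/24"
vpn_gw   = "10.8.0.5"

# Source-based policy: anything entering on fxp2 from LAN2 is sent out tun0
# towards the OpenVPN peer, whatever the routing table says about the
# destination. "quick" stops a later rule from overriding the decision.
pass in quick on $lan2_if inet from $lan2_net to any route-to ($vpn_if $vpn_gw)

# Leak guard: if tun0 is down, the route-to packet is dropped rather than
# routed normally, but make it explicit that LAN2 traffic must never leave
# through the outside interface in the clear.
block out quick on $ext_if inet from $lan2_net

# LAN1 (fxp1) is untouched: normal route lookup, including the routes
# pulled from the OpenVPN server for the private networks behind tun0.
```

Replies to LAN2 come back through tun0 and are delivered over the connected fxp2 route, so no reply-to rule is needed; the server side must still know how to route or NAT the LAN2 prefix, which is outside this fragment.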