openvpn client on pf gateway

krad kraduk at gmail.com
Thu Nov 4 14:12:57 UTC 2010


On 4 November 2010 10:15, Samuel Martín Moro <faust64 at gmail.com> wrote:

> Hi,
>
>
> I'm using a FreeBSD-8.1 (RELEASE, amd64) as gateway for my local network.
> And pf as firewall.
>
>
> I'm renting a dedicated box, running openvpn.
> My gateway is configured as a client of this VPN.
> I modified my pf.conf to provide internet to my local network.
> I configured iptables on the VPN server (debian-5) to accept everything, and
> redirect what I needed to.
>
> Everything seems to work... except...
>
> How can I redirect a port through the VPN?
> I mean...
> The problem does not seem to come from the VPN server, as I can access my
> local gateway from an external server, through the iptables redirection.
> But, when I try to access a host behind that gateway, it won't connect...
>
>
> Here's the pf.conf:
>
> ext_if="bge0"
> int_if="bge1"
> vpn_if="tun0"
>
> lc = $int_if:network
>  vpn="10.253.254.1"
>  emma="10.242.42.200"
> alpha="10.42.42.42"
> delta="10.42.42.44"
>   xi="10.42.142.44"
>
> set skip     on lo0
> scrub in     on $ext_if all fragment reassemble
> scrub in     on $vpn_if all fragment reassemble
> # INTERNETZ
> nat          on $ext_if                 from $lc to any -> ($ext_if)
> nat          on $vpn_if                 from $lc to any -> ($vpn_if)
> rdr          on $ext_if inet proto tcp  from any to ($ext_if) port 1666 -> $alpha port 1666
> rdr          on $vpn_if inet proto tcp  from any to ($vpn_if) port 1666 -> $alpha port 1666
> rdr          on $ext_if inet proto tcp  from any to ($ext_if) port 1667 -> $delta port   22
> rdr          on $vpn_if inet proto tcp  from any to ($vpn_if) port 1667 -> $delta port   22
> rdr          on $ext_if inet proto tcp  from any to ($ext_if) port 1668 -> $alpha port   22
> rdr          on $vpn_if inet proto tcp  from any to ($vpn_if) port 1668 -> $alpha port   22
> rdr          on $ext_if inet proto tcp  from any to ($ext_if) port 1669 -> $xi    port   22
> rdr          on $vpn_if inet proto tcp  from any to ($vpn_if) port 1669 -> $xi    port   22
> rdr          on $ext_if inet proto tcp  from any to ($ext_if) port 9418 -> $xi    port 9418
> rdr          on $vpn_if inet proto tcp  from any to ($vpn_if) port 9418 -> $xi    port 9418
> pass  in     on $ext_if inet proto tcp  from any to $ext_if   port 1664
> pass  in     on $vpn_if inet proto tcp  from any to $vpn_if   port 1664
> pass  in     on $int_if inet proto tcp  from any to any
> pass  in     on $int_if inet proto udp  from any to any
> block in log on $ext_if inet proto icmp from any to $ext_if
> block in log on $vpn_if inet proto icmp from any to $vpn_if
>
> Every rule for $ext_if is working as expected,
> so I copied them, replacing my external interface with the VPN one.
> ssh from the internet to the gateway (1664) works,
> but accessing an ssh server behind the gateway (say alpha, 1668) does not...
>
>
> What am I doing wrong?
>
>
>
> Regards,
>
> --
> Samuel Martín Moro
> {EPITECH.} tek5
> CamTrace S.A.S
>  (+033) 1 41 38 37 60
>  1 Allée de la Venelle
>  92150 Suresnes
>  FRANCE
>
> "Nobody wants to say how this works.
>  Maybe nobody knows ..."
>                      Xorg.conf(5)


I'm not sure if I understand you correctly, but are you trying to forward
ports from your colo rented machine to boxes on your LAN via the OpenVPN
connection?

If you are, and this is where the problem is, you probably need to be NATing
on the colo box's VPN interface (tun0). So you will need some iptables
config. Doing this avoids the asymmetric routing and NATing issue you will
be getting.

Basically, if a packet enters your colo box (dst IP A) from client (B), your
colo box will forward it down the tunnel to host C on a private IP. This
will respond, and create a packet to go to B. However, this packet will
have a public IP as a destination, so when it hits your pf firewall it will
probably get routed out of the default route, and not the VPN interface. As
it's not a TCP SYN it will most probably be dropped by pf. However, if it isn't,
it will be NATed to the public IP of your pf box. This is a problem as
this source address isn't the same as the destination address of the initial
packet generated by the client B. Therefore when it actually gets to the
client it will just be dropped.

NATing on the colo box's VPN interface sorts all this out for you.
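The NAT described above, written out as an added example that is not from either poster: iptables rules for the Debian colo box, assuming its public interface is eth0, that the pf gateway's tun0 address is 10.253.254.2 (a placeholder), and that IP forwarding is already enabled.

```shell
#!/bin/sh
# Added example (not from the thread): NAT on the colo box's tunnel interface so
# that a port forwarded down the OpenVPN tunnel gets symmetric replies.
# Assumptions: public interface eth0, tunnel interface tun0, pf gateway's tun0
# address 10.253.254.2 (placeholder), net.ipv4.ip_forward already enabled.
IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of applying them
WAN_IF="eth0"
VPN_IF="tun0"
GW_TUN="10.253.254.2"

colo_nat_rules() {
    # Public port 1668 on the colo box -> the pf gateway's tunnel address, port 1668;
    # pf's "rdr on $vpn_if ... port 1668 -> $alpha port 22" takes it from there.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 1668 \
        -j DNAT --to-destination "$GW_TUN:1668"
    # Rewrite the source of everything leaving via tun0 to the colo box's own
    # tunnel address. alpha then answers to a 10.253.254.x address, which the pf
    # gateway routes back through tun0 instead of its default route, so the reply
    # arrives at the colo box and is de-NATed to the address pair the client expects.
    $IPT -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # Minimum FORWARD rules for the forwarded connection and its replies
    # (the poster's iptables accepts everything already; shown for completeness).
    $IPT -A FORWARD -i "$WAN_IF" -o "$VPN_IF" -p tcp --dport 1668 -j ACCEPT
    $IPT -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Apply only when run as "sh colo-nat.sh apply"; otherwise just define the function.
if [ "${1:-}" = "apply" ]; then
    colo_nat_rules
fi
```

With `IPT=echo sh colo-nat.sh apply` the script prints the rules for review without touching the running firewall.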

