A way to load PF rules at startup using OpenVPN

Tue Jan 20 12:18:36 UTC 2015

Hello,

Thanks for the replies

> On 20 Jan 2015, at 11:16, krad <kraduk at gmail.com <mailto:kraduk at gmail.com>> wrote:
> 
> put this in your rc conf it may help
> 
> cloned_interfaces=“tun0"

That didn’t work either. Although the interface was created, still ‘pf’ was not able to start when I just created tun0 without starting OpenVPN.
I’m not sure if this problem can be reproduced elsewhere. I never had such issues with Linux iptables for example and googling around for a 2 days I didn’t find anyone else having the same issue on
any system, which is weird, because I’m sure that there are many *BSD + OpenVPN deployments.

> 
> that will create the interface early on way before openvpn is spawned. You
> may need to force openvpn to use tun0 as it might try to create tun1
> 
> On 20 January 2015 at 09:11, Maciej Suszko <maciej at suszko.eu <mailto:maciej at suszko.eu>> wrote:
> 
>> On Mon, 19 Jan 2015 18:53:40 +0200
>> Panagiotis Atmatzidis <atma at convalesco.org <mailto:atma at convalesco.org>> wrote:
>> 
>> [...]
>> 
>>> I think that this has something to do with ‘tun0’ interface which is
>>> the last thing that is loaded at boot. Probably PF runs before this,
>>> sees rules that it doesn’t understand (related to tun0) and comes up
>>> short, then tun0 is loaded but it’s too late.
>> 
>> That's simple to test, just destroy your tun device and check the
>> output of:
>> 
>> # pfctl -nvf /etc/pf.conf
>> --
>> regards, Maciej Suszko.
>> 
> _______________________________________________
> freebsd-questions at freebsd.org <mailto:freebsd-questions at freebsd.org> mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org <mailto:freebsd-questions-unsubscribe at freebsd.org>"

I resolved the issue by creating a devd conf file:

$ cat /etc/devd/tun.conf
# Run PF when tun0 is up
notify 0 {
	match "system"		"IFNET";
	match "subsystem"	"tun0";
	match "type"		"LINK_UP";
	action "/etc/rc.d/pf start";
};

This file makes sure ‘pf’ is executed right after ‘tun0’ interface is UP, which happens at boot anyway since openvpn is started by ‘rc.conf’. You need have ‘pf’ enabled in ‘rc.conf’ of course.

It works fine now on every reboot :-)

Thanks guys!

ps. A nice fella on #freeBSD at Freenode w/ nickname ‘frogs’ helped me with devd debugging.

Panagiotis (atmosx) Atmatzidis

email:	atma at convalesco.org <mailto:atma at convalesco.org>
URL:	http://www.convalesco.org <http://www.convalesco.org/>
GnuPG ID: 0x1A7BFEC5
gpg --keyserver pgp.mit.edu <http://pgp.mit.edu/> --recv-keys 1A7BFEC5

"As you set out for Ithaca, hope the voyage is a long one, full of adventure, full of discovery [...]" - C. P. Cavafy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20150120/0681b73d/attachment.sig>