STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)

Ultima ultima1252 at
Sun Aug 27 17:42:50 UTC 2017

From pf.conf:
> pass from { lo0, $localnet } to any keep state
This rule would probably work if it were in the proper order and contained
"quick". It should also be in the --- INCOMING --- section.
Normally pf will warn when the rules are out of order. lo0 should
be removed as it has set skip, and I would change it to pass in.
To sum it up:

pass in quick from $localnet to any keep state

Moved to the incoming section.

The main issue is that the bottom default rule "block log all"
triumphs over any rule defined above that does not contain the
"quick" declaration.

From rc.conf:
This should be uncommented when you use openvpn with this
kind of configuration. I would check sysctl net.inet.ip.forwarding
and make sure it is "1", which is essentially what gateway_enable

In general I suggest changing a couple of other things if you want the
system to work after each restart. I find that relying on the :network
translation in pf can often break things, and it is better to hard
code it where possible. It is also better to create the interface in
rc.conf and give openvpn the interface instead of letting openvpn
take care of all that. This can be done like so:

ifconfig_tun0="up" # This is probably not needed, but better to be safe.

# I don't think this is needed with the below, but I prefer to be thorough
dev tun0
dev-type tun
dev-node /dev/tun0

> As for this thread in general, it'd be really nice if people would not
> re-re-quote long messages

Apologies Ian, it is easy to forget about when gmail truncates the
bottom bit.

Hope this helps,
Richard Gallamore
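To see why the quoted rule loses to the trailing "block log all", here is a small Python model of pf's last-match-wins evaluation with and without "quick". This is an added illustration, not part of Richard's reply or of pf itself; $localnet is assumed to be 192.168.1.0/24, and the original rule is simplified to drop lo0 (which "set skip" already covers).

```python
"""Toy model of pf rule evaluation: the LAST matching rule wins, unless a
matching rule carries "quick", which ends evaluation on the spot.
Constructed example; $localnet is assumed to be 192.168.1.0/24."""
import ipaddress

LOCALNET = ipaddress.ip_network("192.168.1.0/24")  # assumed value of $localnet


def parse_rule(line):
    """Parse a tiny subset of pf syntax:
    '<pass|block> [in|out] [quick] [log] from <net|any> to any ...' or 'block log all'.
    Only the action, the quick flag and the source network are modelled."""
    tokens = line.replace("$localnet", str(LOCALNET)).split()
    src = None  # None means "matches any source"
    if "from" in tokens:
        src_tok = tokens[tokens.index("from") + 1]
        if src_tok != "any":
            src = ipaddress.ip_network(src_tok)
    return {"action": tokens[0], "quick": "quick" in tokens, "src": src, "text": line}


def evaluate(ruleset, src_ip):
    """Return the action pf would take for the first packet from src_ip."""
    ip = ipaddress.ip_address(src_ip)
    winner = None
    for rule in map(parse_rule, ruleset):
        if rule["src"] is not None and ip not in rule["src"]:
            continue          # rule does not match this packet
        winner = rule         # later matches override earlier ones ...
        if rule["quick"]:
            break             # ... unless the match says "quick"
    return winner["action"] if winner else "pass"  # pf passes when no rule matches


# Simplified form of the rule quoted in the thread, followed by the default block.
ORIGINAL = ["pass from $localnet to any keep state", "block log all"]
# The corrected rule from the reply: "quick" stops evaluation before "block log all".
FIXED = ["pass in quick from $localnet to any keep state", "block log all"]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"{name}: LAN host 192.168.1.10 -> {evaluate(rules, '192.168.1.10')}, "
              f"outside host 10.0.0.5 -> {evaluate(rules, '10.0.0.5')}")
```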
