24th June 2014
alikzus
New User
 
Join Date: May 2010
Location: Stockholm, Sweden
Posts: 7
How to use the external interface and a VPN tunnel for different services/clients?

Can you help me out here, please? I do not need a step-by-step guide, just a friendly kick in the right direction.

I have an OpenBSD gateway/router/networking server with two network interfaces in use: one for the external network (WAN) and one for my internal network (LAN).

On the internal side I have a bunch of clients including an OpenBSD server that serves both the outside world (currently http and ssh) and the inside (currently NFS).

I have used an OpenVPN client to create a VPN tunnel on the gateway, and that works fine, but I do not want all traffic to go through the tunnel. I want to exclude, for example, the web and shell services.

How should I think? Can I do this with only pf or do I need to make changes to the routing table?

If I create the tunnel, without any changes to my pf rule set, the web server stops being accessible from the outside and the clients cannot access the outside, because the default route is changed, I guess.

If I change $wan_if from em0 to tun0 the clients can access the outside, but of course I cannot access the web server on the IP address that is assigned to em0 (I have not tried to access it through the IP address at tun0).

Is it just a matter of having dual NATing for the two interfaces or will the replies take the default route no matter what? I did a test shot with an additional nat-to rule yesterday, but it did not work and then it was time for bed.
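The mechanism the post is circling around is pf's policy routing: `reply-to` pins the return path of a state to a given next hop, and `route-to` steers selected outbound traffic, so the kernel's default route (tun0 once OpenVPN is up) is overridden only for those states. The fragment below is an added illustration written for this thread, not the poster's rule set; the LAN interface name (em1), all addresses, and the web server's internal IP are assumptions, and it uses the `address@interface` next-hop form of current pf.conf(5) (older pf releases write the same thing as `($wan_if $wan_gw)`).

```pf
# Constructed example for an OpenBSD gateway with an OpenVPN client on tun0.
# Interface names other than em0/tun0 and all addresses are assumptions.
wan_if  = "em0"
lan_if  = "em1"
vpn_if  = "tun0"
wan_gw  = "203.0.113.1"       # ISP next hop reachable via em0 (assumed)
web_srv = "192.168.1.10"      # internal OpenBSD server (assumed)
lan_net = "192.168.1.0/24"
pub_tcp = "{ 80 22 }"         # services exposed on the WAN address

set skip on lo

# NAT on both exits. LAN clients leave through tun0 because it carries the
# default route; anything steered back to em0 by route-to gets em0's address.
match out on $vpn_if inet from $lan_net nat-to ($vpn_if)
match out on $wan_if inet from $lan_net nat-to ($wan_if)

block log all

# Inbound http/ssh on the WAN address, redirected to the internal server.
# reply-to on the rule that creates the state sends the replies back via
# em0's gateway instead of following the default route into the tunnel.
pass in on $wan_if inet proto tcp to ($wan_if) port $pub_tcp \
    rdr-to $web_srv reply-to $wan_gw@$wan_if

# Connections the web server itself opens to the outside also bypass the
# tunnel (route-to applies to the direction the rule matches, not replies).
pass in on $lan_if inet from $web_srv to ! $lan_net \
    route-to $wan_gw@$wan_if

# Everything else from the LAN simply takes the default route (tun0),
# while NFS and other LAN-internal traffic never reaches a NAT rule.
pass in on $lan_if inet from $lan_net
pass out on { $wan_if $vpn_if } inet
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -ss` for the inbound web/ssh states: a state whose reply path still points at tun0 means the `reply-to` rule did not match.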