Thread: pf.conf help?
Old 25th January 2018
Prevet

These are my notes. They are not complete. I refer to the books to get other information. If you use them and screw up, it's your funeral.

I have not tested torrenting with these rules, as I couldn't be bothered after the trouble I went to get this far. I only set it up to work on my desktop machine, so I don't know if it will work in a router type situation.

These notes will only give you clues to help you through roadblocks if you read the books I mentioned, as well as related man files. If you don't read up on this, you will have no clue what it all means. I don't have a clue either and I read everything there was to read. lol

If you get tired of trying, take my advice in the post above. Install an operating system a VPN makes a GUI client for that does all this for you and get on with your life. If your VPN does not make such a client, cut your losses with them and find one that does.

Even them writing 3 little files you need to use OpenBSD safely can't be that hard for them, can it? If they won't do that much for you, they obviously don't need your business.

Fix DNS Leaks For OpenBSD And AirVPN

https://airvpn.org/topic/22329-openbsd/

https://www.openbsd.org/faq/faq6.html#DHCP

1. Get AirVPN's DNS server addresses here:

https://airvpn.org/specs/

2. Add the following line to /etc/dhclient.conf:

supersede domain-name-servers 1.2.3.4;

(1.2.3.4 is a junk DNS address that will be inserted in resolv.conf)

3. Add the AirVPN DNS addresses to /etc/resolv.conf.tail

nameserver 10.4.0.1
nameserver 10.5.0.1

(The contents of this file will be appended to resolv.conf)

4. This command rewrites the resolv.conf file with the above values:

dhclient em0

em0 is the interface from hostname.em0

OpenVPN

Change the ownership and permissions of the OpenVPN configuration
and credential files, so only root has read-only access to them.

# chown root:wheel /etc/openvpn/*.ovpn
# chmod 400 /etc/openvpn/*.ovpn

MY PF Rule for AIRVPN

The first link is where I got the main fragment. My pf file has a version of it pasted at the bottom of the original one. Or perhaps it should be at the top? You better read The Book of PF or you will not know.

https://airvpn.org/topic/1713-win-ma...nbsd#entry1764

https://www.openbsd.org/faq/pf/index.html

"Various Internet bodies have set aside three subnets for use on private
networks. You cannot use them on the public Internet, but anybody can use
them on a private network. The networks 10.0.0.0/8, 172.16.0.0/12, and
192.168.0.0/16 are freely usable by organizations. You’ll see these
addresses in huge organizations and home networks, and have probably
encountered some of them already. These addresses are also globally
unique, within your organization. Your hosts should never see these
addresses elsewhere, and other networks should never see these addresses
on your network." - From Networking for Systems Administrators, by Michael Lucas


"The following very basic rules would block all traffic outside the tunnel
(edit with any text editor /etc/pf.conf) assuming that your ethernet or wifi
interface has the address 192.168.*.* and that the tun interface used by
OpenVPN is tun0:"

block out on <your_network_interface> from 192.168.0.0/16 to any
pass out quick on <your_network_interface> from 192.168.0.0/16 to <AirVPN_server_entry_IP>
pass out quick on tun0 from any to any

Note the IP address in OpenVPN is slightly different to the one reported in the webpage that tests leaks. You want the one OpenVPN reports obviously.
# The OpenVPN IP for each server is marked by: [AF_INET]

For my machine:
block out on em0 from 192.168.0.0/16 to any
pass out quick on em0 from 192.168.0.0/16 to <insert 1st vpn server IP here>
pass out quick on em0 from 192.168.0.0/16 to <insert 2nd vpn server IP here>
pass out quick on em0 from 192.168.0.0/16 to <insert 3rd vpn server IP here>
pass out quick on em0 from 192.168.0.0/16 to <insert 4th vpn server IP here>
pass out quick on tun0 from any to any

Then execute

pfctl -e
pfctl -f /etc/pf.conf

to enable pf and load your ruleset.

If the connection drops, no packets will go out, so you will only be able to
reconnect to the VPN and nothing else until you disable pf with

pfctl -d

Read the man page for pfctl

Last edited by Prevet; 25th January 2018 at 10:26 AM.
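A fuller kill-switch ruleset in the spirit of the rules in the post above, added here as an example; it is not from the post or from AirVPN's guide. The interface names em0 and tun0 follow the post, the addresses in the table are placeholders, and the DHCP and DNS rules are additions of mine.

```pf
# Added example (not from the post): VPN kill switch for a desktop,
# using pf macros and a table instead of one rule per server.
ext_if = "em0"          # physical NIC, from /etc/hostname.em0
vpn_if = "tun0"         # tunnel interface created by OpenVPN

# VPN entry addresses as reported by OpenVPN ([AF_INET] lines).
# PLACEHOLDERS: replace with the real server IPs from your provider.
table <vpn_servers> const { 203.0.113.10, 203.0.113.11 }

set skip on lo0         # never filter loopback

# Default deny everywhere. Unlike "block out on em0 from 192.168.0.0/16",
# this also covers a NIC that gets a 10.x or 172.16.x address.
block all

# Log anything that still tries to leave the NIC directly; watch it with
#   tcpdump -n -e -ttt -i pflog0
block out log on $ext_if

# DHCP lease renewal for dhclient (assumption: keep this if the NIC
# is configured by DHCP, as in the dhclient step above).
pass out quick on $ext_if proto udp from port 68 to port 67
pass in  quick on $ext_if proto udp from port 67 to port 68

# DNS may only leave through the tunnel. A resolver reached via the
# NIC is exactly the leak the resolv.conf.tail step above prevents.
block out quick on $ext_if proto { tcp udp } to any port 53

# The only traffic allowed out of the physical NIC is the OpenVPN
# session itself, to the listed servers. Replies match the state entry.
pass out quick on $ext_if to <vpn_servers> keep state

# Everything else goes through the tunnel. "quick" matters here:
# without it, pf uses the last matching rule, and "block all" above
# would still lose to this pass, but the logged block on $ext_if would
# not be bypassed by an earlier non-quick pass.
pass out quick on $vpn_if keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it; a parse error leaves the previously loaded ruleset in place, so you will not notice the mistake otherwise.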