Thread: pf.conf help?
Old 26th January 2018
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,984

Quote:
Originally Posted by ucharfli View Post
Yes, DHCP.

file ProtonVPN.ovpn
Code:
client
dev tun
proto tcp

<connection>
remote jp-free-01.protonvpn.com 443
</connection>

<connection>
remote nl-free-01.protonvpn.com 443
</connection>
.
.
.
As currently configured, I see two types of communication that are required outside of your VPN, as they are needed to connect to the VPN. If you block all traffic other than over VPN, you must (at this time) still permit the direct passing of these communications:
  1. DHCP. This protocol uses UDP ports 67 and 68 to assign the client -- your system -- with an IP address, and to provision netmask, routing, and domain name services. As your workstation is configured to use DHCP, you must permit this traffic to obtain a network connection.
  2. Domain Name Resolution. This translates domain names to IP addresses, via UDP port 53. Large responses (greater than 512 bytes) use TCP, so TCP port 53 should also be permitted. This is needed in order to resolve all of the domain names in your OpenVPN configuration into IP addresses.
The VPN "tunnel" connections must also be permitted to flow. As configured, these are TCP connections to a variety of servers, using the destination port 443. This is the same port number used by the HTTPS protocol, and your service provider may have selected it because most firewalls will not hinder this traffic.

A PF configuration can be established with a default block of all traffic, then permitting this select traffic to be passed. There are some considerations:
  • Domain traffic (UDP and TCP port 53) can be passed either to any destination, or only to specific domain name servers. The latter choice will prohibit the use of untrusted domain name servers, as well as making it difficult to use port 53 for other purposes.
  • Your VPN traffic cannot be easily discerned from HTTPS traffic, since they share the same destination port number and the same underlying protocol, TCP. There are ways to classify them so that PF can choose to pass or block correctly. The options available vary depending on whether the OpenVPN client is being run on a workstation or on a gateway router.
  • PF is a kernel function, and does not do domain name resolution. The pfctl(8) management tool will resolve domain names when it loads the rules. This will complicate the boot process, since PF rules are first loaded before access to a resolver has been established.
Quote:
I can change domain names to IP. No problem!
That would simplify PF rules at boot, though it may complicate your life if your service provider re-addresses their VPN servers.
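The following pf.conf is an added example of the configuration the post describes (default block, then DHCP, DNS and the TCP 443 tunnel connections passed explicitly, with VPN servers listed by IP so pfctl needs no resolver at boot). It is not from the original thread and not ProtonVPN's or OpenBSD's own configuration. The interface names em0 and tun0, the 192.0.2.x addresses (RFC 5737 documentation space standing in for the real server and resolver IPs) and the _openvpn account that the OpenVPN client is assumed to drop privileges to are all assumptions, not values from the page.

```pf
# Added example: OpenBSD workstation, all traffic forced through an
# OpenVPN client that connects over TCP 443. Not part of the original thread.
# Interface names, addresses and the _openvpn user are assumptions.

ext_if = "em0"      # physical interface, addressed by DHCP (assumed name)
vpn_if = "tun0"     # OpenVPN tunnel interface (assumed name)

# VPN endpoints by IP, as the poster offered to do, so that pfctl does not
# have to resolve names while the rules are loaded at boot.
# 192.0.2.x are RFC 5737 placeholders, not ProtonVPN's addresses.
table <vpn_servers> const { 192.0.2.10, 192.0.2.11 }

# Resolvers to trust if DNS is restricted to specific servers (placeholders).
table <dns_servers> const { 192.0.2.53, 192.0.2.54 }

set skip on lo
set block-policy drop

# Default block in both directions; logging makes mistakes visible on pflog0.
block log all

# 1. DHCP: client requests leave from UDP 68 to 67, replies come back 67 to 68.
pass out quick on $ext_if proto udp from port 68 to port 67
pass in  quick on $ext_if proto udp from port 67 to port 68

# 2. Domain name resolution, UDP and TCP 53 (TCP for responses over 512 bytes).
#    Pick one of the two variants the post describes:
#    a) any resolver may be used:
pass out quick on $ext_if proto { udp tcp } to port 53
#    b) only the resolvers in <dns_servers>; also blocks port 53 to other hosts:
# pass out quick on $ext_if proto { udp tcp } to <dns_servers> port 53

# 3. The tunnel itself: TCP 443, but only to the listed VPN servers and only
#    from sockets owned by the OpenVPN process. The first connection is opened
#    before OpenVPN drops privileges (root), reconnects afterwards (_openvpn,
#    assuming "user _openvpn" in the .ovpn file). Ordinary HTTPS from other
#    users to any other host on $ext_if stays blocked, so it cannot bypass
#    the VPN even though it shares the port and protocol.
pass out quick on $ext_if proto tcp to <vpn_servers> port 443 user { root, _openvpn }

# Everything else goes out through the tunnel; replies return via state.
pass out quick on $vpn_if
```

Check the syntax without loading it using pfctl -nf /etc/pf.conf, then load with pfctl -f /etc/pf.conf. The user-based match in rule 3 is what separates the tunnel's TCP 443 from ordinary HTTPS on a workstation; on a gateway router the packets originate on other hosts and carry no local socket owner, so there the distinction has to rest on the <vpn_servers> table alone.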