Disclaimer: I'm not an OpenVPN user.
- OpenVPN uses UDP (or TCP if needed) to tunnel virtual networks between two end-point gateways, using X.509 certificates for authenticity and authority, and SSL/TLS encryption primitives between end-points.
- It is implemented as a userland application, which can run on many different OSes.
- On OpenBSD, it uses a tun(4) interface to pass network traffic into and out of the userland-based application.
If I understood the configuration in afdruiprek's top post:
- The VPN gateway on the OpenBSD host is provisioned to prevent all traffic on the local network from transiting to the Internet, while permitting only VPN traffic to pass. Something like this ASCII "graphic", logically but not physically:
Code:
[Internal LAN (em1)] - [VPN Gateway (tun0)] - [Internet (em0)]
- In order for a device on the internal LAN to reach the Internet, the device must have OpenVPN provisioned, and it must connect to the OpenVPN gateway on OpenBSD.
- When an OpenVPN client connects to an OpenVPN server, it updates routing tables on the client system so that the appropriate traffic is routed through the VPN. When the OpenVPN client disconnects from an OpenVPN server, its routing tables should revert to normal.
There are two parts to afdruiprek's issue, if I understand it correctly.
- PF must pass the direct traffic for the device (as discussed in my first reply in this thread).
- OpenVPN use must be disabled for the device, so that it doesn't use it.
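As an added illustration of the gateway layout and the PF side of the fix (this is example configuration written for this reply, not afdruiprek's ruleset or anything from the OpenVPN project), the pf.conf fragment below denies everything by default, lets LAN hosts reach only the OpenVPN listener on the gateway, forwards decrypted tunnel traffic out em0, and carves out the one host that should go direct. The interface names em0/em1/tun0 come from the thread; the port (1194/udp), the LAN subnet 192.168.1.0/24, the tunnel subnet 10.8.0.0/24 and the exempt address 192.168.1.50 are assumptions that must be replaced with the real values.

```pf
# Added example pf.conf sketch for the gateway described above (not from the thread).
# em0/em1/tun0 are from the post; every address and the port are assumptions.
ext_if  = "em0"
lan_if  = "em1"
vpn_if  = "tun0"
lan_net = "192.168.1.0/24"
vpn_net = "10.8.0.0/24"            # subnet OpenVPN hands to its clients (assumed)
direct_hosts = "{ 192.168.1.50 }"  # hosts allowed to bypass the VPN (assumed)
vpn_port = "1194"                  # OpenVPN listener port (assumed default)

set skip on lo

# Hide LAN and tunnel addresses behind the external interface address
match out on $ext_if inet from { $lan_net, $vpn_net } to any nat-to ($ext_if)

# Default deny with logging; every permitted path below is explicit
block log all

# The gateway itself may originate traffic, and may forward anything passed in
pass out quick

# LAN hosts may only talk to the OpenVPN server on the gateway's LAN address;
# plain Internet traffic from the LAN falls through to the block rule
pass in on $lan_if inet proto udp from $lan_net to ($lan_if) port $vpn_port

# Decrypted traffic arriving from the tunnel is allowed onward to the Internet
pass in on $vpn_if inet from $vpn_net to any

# The exception: listed hosts may leave the LAN without using the VPN
pass in on $lan_if inet from $direct_hosts to ! $lan_net
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` should show two state entries per forwarded connection (the em1 side and the NAT'd em0 side), and `tcpdump -n -e -ttt -i pflog0` shows what the block rule is dropping. If the gateway also serves DNS or DHCP to the LAN, those need their own `pass in on $lan_if` rules, since the default deny catches them too.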