16th January 2012
lasstoff

Openvpn pf/nat/route-to issue

I'm having a pf/nat/route-to problem with OpenBSD 4.6 and OpenVPN 2.1_rc15.

The VPN setup works and I'm able to send (and receive) data when doing it directly from my OpenBSD firewall:

# ping 192.36.171.154
Code:
PING 192.36.171.154 (192.36.171.154): 56 data bytes
64 bytes from 192.36.171.154: icmp_seq=0 ttl=60 time=21.692 ms

# tcpdump -ni tun0 icmp
Code:
tcpdump: listening on tun0, link-type EN10MB
22:56:59.951191 178.73.197.139 > 192.36.171.154: icmp: echo request
22:56:59.972697 192.36.171.154 > 178.73.197.139: icmp: echo reply

But when doing the same ping from a client behind my OpenBSD firewall, it fails. The really strange thing is that pflog0 says the packet is sent out on tun0, but the tcpdump on tun0 never sees the ICMP packet:

# tcpdump -ettt -ni pflog0
Code:
tcpdump: listening on pflog0, link-type PFLOG
Jan 15 23:00:25.921497 rule 156.vpn.10/(match) pass in on vr2: 172.16.1.20 > 192.36.171.154: icmp: echo request (DF)
Jan 15 23:00:25.921558 rule 100/(match) pass out on tun0: 178.73.197.139 > > 192.36.171.154: icmp: echo request (DF)

# tcpdump -ni tun0 icmp
Code:
tcpdump: listening on tun0, link-type EN10MB

Any ideas, anyone?

tun0 settings:
Code:
# ifconfig tun0
tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr 00:bd:e2:30:c0:01
        priority: 0
        media: Ethernet autoselect
        status: active
        inet 178.73.197.139 netmask 0xffffff80 broadcast 178.73.197.255
        inet6 fe80::2bd:e2ff:fe30:c001%tun0 prefixlen 64 scopeid 0x7

Relevant parts of pf.conf:
Code:
nat on tun0 from 172.16.1.0/24 to any -> tun0
pass in log quick on dmzif route-to tun0 inet proto icmp from 172.16.1.0/24 to any icmp-type echoreq tag VPN_TRAFFIC
pass out log quick on tun0 inet proto icmp from tun0 to any icmp-type echoreq tagged VPN_TRAFFIC

IP forwarding is enabled:
Code:
# sysctl -a | grep net.inet.ip.forwa
net.inet.ip.forwarding=1

Parts of the OpenVPN config:
Code:
dev tun0
dev-type tap
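As an added example (not part of the original post or its replies), the following Python script automates the comparison made above: it parses pflog entries and an interface capture in the tcpdump formats shown in the post and lists flows that pf logged as "pass out" on an interface but that never appeared in that interface's capture. Both sample captures are constructed from the post's output; the regexes assume the default `tcpdump -n` text layout on OpenBSD 4.x.

```python
"""Cross-check pf 'pass out' log entries against an interface capture."""
import re

# Constructed sample in the format of: tcpdump -ettt -ni pflog0
PFLOG = """\
tcpdump: listening on pflog0, link-type PFLOG
Jan 15 23:00:25.921497 rule 156.vpn.10/(match) pass in on vr2: 172.16.1.20 > 192.36.171.154: icmp: echo request (DF)
Jan 15 23:00:25.921558 rule 100/(match) pass out on tun0: 178.73.197.139 > 192.36.171.154: icmp: echo request (DF)
"""

# Constructed sample in the format of: tcpdump -ni tun0 icmp (banner only)
TUN0 = """\
tcpdump: listening on tun0, link-type EN10MB
"""

# pflog line: "rule <id>/(<reason>) <action> <dir> on <if>: <src> > <dst>: ..."
PFLOG_RE = re.compile(
    r"rule (?P<rule>\S+)/\((?P<reason>\w+)\) (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): (?P<src>[\d.]+) > (?P<dst>[\d.]+):"
)
# Interface capture line: "<timestamp> <src> > <dst>: ..."
IFACE_RE = re.compile(r"^\S+ (?P<src>[\d.]+) > (?P<dst>[\d.]+): ")


def parse_pflog(text):
    """Return one dict per pflog line; banner and unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def parse_iface(text):
    """Return the set of (src, dst) pairs seen in an interface capture."""
    seen = set()
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            seen.add((m.group("src"), m.group("dst")))
    return seen


def missing_on_wire(pflog_text, ifname, iface_text):
    """Flows pf logged as passed out on ifname but absent from its capture.

    Returns a list of (rule, src, dst) tuples; an empty list means every
    logged 'pass out' flow was actually observed on the interface.
    """
    seen = parse_iface(iface_text)
    return [
        (e["rule"], e["src"], e["dst"])
        for e in parse_pflog(pflog_text)
        if e["action"] == "pass" and e["dir"] == "out"
        and e["ifname"] == ifname and (e["src"], e["dst"]) not in seen
    ]
```

Feed it the two captures from a real debugging session to see which post-route-to flows never reached the interface; a non-empty result points at a drop between the pf decision and the interface output path rather than at the ruleset itself.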