DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Packages and Ports

OpenBSD Packages and Ports Installation and upgrading of packages and ports on OpenBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 1st February 2011
Emile Emile is offline
Port Guard
 
Join Date: Feb 2011
Posts: 25
Thanked 0 Times in 0 Posts
Default Does pf conflict with OpenVPN?

I pkg_added openvpn and am testing it out with a VPN service. So I copied the client.ovpn and cert.dat to /etc/openvpn/.

Here is the config:

Code:
# VPN client config
ns-cert-type server
tls-client
pull
verb 3
tls-timeout 6
cipher BF-CBC
keysize 256
pkcs12 cert.dat
keepalive 30 120
hand-window 120
route-delay 2
persist-tun
persist-key
redirect-gateway def1
remote-random
route-metric 2
route-method exe
dev tun0
topology subnet
<connection>
proto tcp-client
remote [vpn url] [vpn port]
remote [vpn IP] [vpn port]
connect-retry 10
</connection>
<connection>
proto udp
remote [vpn url] [vpn port]
remote [vpn IP] [vpn port]
</connection>
The bolded options within brackets are information I substituted accordingly as to not spam/advertise the VPN service.

I changed a couple things: I changed "dev tun" to "dev tun0" for OpenBSD, and I deleted the last line of the config which was "win-sys 'env'" because I got an error about it and removing it seemed safe.

So here I am starting it up:

Code:
$ sudo openvpn client.ovpn 
Tue Feb  1 10:47:09 2011 OpenVPN 2.1.0 i386-unknown-openbsd4.8 [SSL] [LZO2] built on Aug 10 2010
Tue Feb  1 10:47:09 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Feb  1 10:47:09 2011 WARNING: file 'cert.dat' is group or others accessible
Tue Feb  1 10:47:09 2011 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb  1 10:47:09 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Tue Feb  1 10:47:09 2011 Local Options hash (VER=V4): 'bf6006bf'
Tue Feb  1 10:47:09 2011 Expected Remote Options hash (VER=V4): '3ce6ab7f'
Tue Feb  1 10:47:09 2011 Attempting to establish TCP connection with [VPN IP]:[VPN port] [nonblock]
Tue Feb  1 10:47:10 2011 TCP connection established with [VPN IP]:[VPN port]
Tue Feb  1 10:47:10 2011 Socket Buffers: R=[16384->65536] S=[16384->65536]
Tue Feb  1 10:47:10 2011 TCPv4_CLIENT link local: [undef]
Tue Feb  1 10:47:10 2011 TCPv4_CLIENT link remote: [VPN IP]:[VPN port]
Tue Feb  1 10:47:10 2011 TLS: Initial packet from [VPN IP]:[VPN port], sid=33085865 6f786d04
Tue Feb  1 10:47:12 2011 VERIFY OK: depth=1, /C=US/ST=NY/L=New_York/O=example.com/CN=example.com_CA/emailAddress=admin@example.com
Tue Feb  1 10:47:12 2011 VERIFY OK: nsCertType=SERVER
Tue Feb  1 10:47:12 2011 VERIFY OK: depth=0, /C=US/ST=NY/L=New_York/O=example.com/CN=server/emailAddress=admin@example.com
Tue Feb  1 10:47:16 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 256 bit key
Tue Feb  1 10:47:16 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  1 10:47:16 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 256 bit key
Tue Feb  1 10:47:16 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  1 10:47:16 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Feb  1 10:47:16 2011 [server] Peer Connection Initiated with [VPN IP]:[VPN port]
Tue Feb  1 10:47:19 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Feb  1 10:47:19 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.100.1.0 255.255.255.0,redirect-gateway,dhcp-option DNS 10.100.1.1,route-gateway 10.100.1.1,topology subnet,ping 120,ping-restart 360,socket-flags TCP_NODELAY,ifconfig 10.100.1.9 255.255.255.0'
Tue Feb  1 10:47:19 2011 OPTIONS IMPORT: timers and/or timeouts modified
Tue Feb  1 10:47:19 2011 OPTIONS IMPORT: --socket-flags option modified
Tue Feb  1 10:47:19 2011 NOTE: setsockopt TCP_NODELAY=1 failed (No kernel support)
Tue Feb  1 10:47:19 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue Feb  1 10:47:19 2011 OPTIONS IMPORT: route options modified
Tue Feb  1 10:47:19 2011 OPTIONS IMPORT: route-related options modified
Tue Feb  1 10:47:19 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Feb  1 10:47:19 2011 ROUTE default_gateway=192.168.1.1
Tue Feb  1 10:47:19 2011 /sbin/ifconfig tun0 destroy
Tue Feb  1 10:47:19 2011 /sbin/ifconfig tun0 create
Tue Feb  1 10:47:19 2011 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Tue Feb  1 10:47:19 2011 /sbin/ifconfig tun0 10.100.1.9 netmask 255.255.255.0 mtu 1500 broadcast 10.100.1.255 link0
Tue Feb  1 10:47:19 2011 TUN/TAP device /dev/tun0 opened
Tue Feb  1 10:47:21 2011 /sbin/route add -net [VPN IP] 192.168.1.1 -netmask 255.255.255.255
add net [VPN IP]: gateway 192.168.1.1
Tue Feb  1 10:47:21 2011 /sbin/route add -net 0.0.0.0 10.100.1.1 -netmask 128.0.0.0
add net 0.0.0.0: gateway 10.100.1.1
Tue Feb  1 10:47:21 2011 /sbin/route add -net 128.0.0.0 10.100.1.1 -netmask 128.0.0.0
add net 128.0.0.0: gateway 10.100.1.1
Tue Feb  1 10:47:21 2011 /sbin/route add -net 10.100.1.0 10.100.1.1 -netmask 255.255.255.0
add net 10.100.1.0: gateway 10.100.1.1
Tue Feb  1 10:47:21 2011 Initialization Sequence Completed
So it seems successful there, but once connected I do not seem to have internet access.

Here is me attempting to ping Google:

Code:
$ ping google.com
PING google.com (74.125.79.99): 56 data bytes
ping: sendto: No route to host
ping: wrote google.com 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote google.com 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote google.com 64 chars, ret=-1
--- google.com ping statistics ---
9 packets transmitted, 0 packets received, 100.0% packet loss
What can I do to debug the situation and find out what's preventing my access to the internet?

At first I was inclined to believe it had something to do with pf but I'm not sure. Could it be an issue with pf? If not, what else can I do to figure out the issue? (I am currently attempting to contact the VPN provider but they only support Windows, Mac, and Linux.)

Last edited by Emile; 1st February 2011 at 07:12 PM.
Reply With Quote
  #2   (View Single Post)  
Old 1st February 2011
J65nko J65nko is online now
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,193
Thanked 182 Times in 149 Posts
Default

If you use a block log all in your pf.conf, the blocked packets will be logged to /dev/pflog0. You can view these with running tcpdump:
Code:
# tcpdump -eni /dev/pflog0
I recommend doing that first, and see whether that gives any clue.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 1st February 2011
Emile Emile is offline
Port Guard
 
Join Date: Feb 2011
Posts: 25
Thanked 0 Times in 0 Posts
Default

I'd also like to mention that this is almost a default install...with just OpenVPN, Firefox, and scrotwm on it. Also I patched it to -stable. I don't know pf syntax so I left it alone as it is, but I read somewhere that starting with a certain version of OpenBSD, it was enabled by default. So I think right now it allows all traffic.

In any case, it might be my lack of pf skill but I added block log all to the bottom of my pf.conf (that's correct, right?) and ran OpenVPN accordingly...I tried to ping Google and also browse to Yahoo, then stopped the VPN.

I did this:
Code:
$ sudo tcpdump -eni /dev/pflog0
tcpdump: Failed to open bpf device for /dev/pflog0: Device not configured
I'm not sure how to go about inspecting packets in this way. What should I be doing?

Last edited by Emile; 1st February 2011 at 07:40 PM.
Reply With Quote
  #4   (View Single Post)  
Old 1st February 2011
J65nko J65nko is online now
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,193
Thanked 182 Times in 149 Posts
Default

Do a sudo pfctl -sr to show the rules. If you don't see the block rule, you added, you forgot to reload pf with
Code:
# pfctl -vvf /etc/pf.conf
A reload will usually create/configure a pflog0 device.

You can check that with:
Code:
$ ifconfig pflog0

pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
        priority: 0
        groups: pflog
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #5   (View Single Post)  
Old 1st February 2011
Emile Emile is offline
Port Guard
 
Join Date: Feb 2011
Posts: 25
Thanked 0 Times in 0 Posts
Default

On another thought, I had to remove some metadata (the ^M character) from the config file. Is it possible that the cert.key might be messed up from this too?

Anyway, back on the topic:

Code:
$ sudo pfctl -vvf /etc/pf.conf
Loaded 696 passive OS fingerprints
set skip on { lo }
@0 pass all flags S/SA keep state
@1 block drop in on ! lo0 proto tcp from any to any port 6000:6010
@2 block drop log all

$ ifconfig pflog0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog

$ sudo openvpn client.ovpn
Tue Feb  1 14:15:47 2011 OpenVPN 2.1.0 i386-unknown-openbsd4.8 [SSL] [LZO2] built on Aug 10 2010
Tue Feb  1 14:15:47 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Feb  1 14:15:47 2011 WARNING: file 'cert.dat' is group or others accessible
Tue Feb  1 14:15:47 2011 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Feb  1 14:15:47 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Tue Feb  1 14:15:47 2011 Local Options hash (VER=V4): '91138c76'
Tue Feb  1 14:15:47 2011 Expected Remote Options hash (VER=V4): 'f5a300ca'
Tue Feb  1 14:15:47 2011 Socket Buffers: R=[41600->65536] S=[9216->65536]
Tue Feb  1 14:15:47 2011 UDPv4 link local (bound): [undef]:1194
Tue Feb  1 14:15:47 2011 UDPv4 link remote: [VPN IP]:[VPN port]
Tue Feb  1 14:15:47 2011 write UDPv4: No route to host (code=65)
Tue Feb  1 14:15:53 2011 write UDPv4: No route to host (code=65)

etc.

$ sudo tcpdump -eni /dev/pflog0 
tcpdump: Failed to open bpf device for /dev/pflog0: Device not configured

$ ifconfig pflog0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog
I don't understand...?
Reply With Quote
  #6   (View Single Post)  
Old 1st February 2011
J65nko J65nko is online now
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,193
Thanked 182 Times in 149 Posts
Default

I have to apologize. I made a mistake in the syntax
The proper syntax is:

Code:
$ sudo tcpdump -eni pflog0
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #7   (View Single Post)  
Old 1st February 2011
Emile Emile is offline
Port Guard
 
Join Date: Feb 2011
Posts: 25
Thanked 0 Times in 0 Posts
Default

Alright, so without the block log all rule, I fired up tcpdump and it didn't catch anything at all while I connected to the VPN or when I tried to ping/browse to any website after I was "connected". So I doubt it's pf, then I have no idea what's wrong with this OpenVPN/OpenBSD setup...

And here it is with the rule on:

Code:
$ sudo openvpn client.ovpn 
Tue Feb  1 14:30:50 2011 OpenVPN 2.1.0 i386-unknown-openbsd4.8 [SSL] [LZO2] built on Aug 10 2010
Tue Feb  1 14:30:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Feb  1 14:30:50 2011 WARNING: file 'cert.dat' is group or others accessible
Tue Feb  1 14:30:50 2011 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb  1 14:30:50 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Tue Feb  1 14:30:50 2011 Local Options hash (VER=V4): 'bf6006bf'
Tue Feb  1 14:30:50 2011 Expected Remote Options hash (VER=V4): '3ce6ab7f'
Tue Feb  1 14:30:50 2011 Attempting to establish TCP connection with [VPN IP]:[VPN port] [nonblock]
Tue Feb  1 14:30:50 2011 TCP: connect to [VPN IP]:[VPN port] failed, will try again in 10 seconds: No route to host
Tue Feb  1 14:30:50 2011 SIGUSR1[soft,init_instance] received, process restarting
Tue Feb  1 14:30:50 2011 Restart pause, 2 second(s)
Tue Feb  1 14:30:52 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Feb  1 14:30:52 2011 Re-using SSL/TLS context
Tue Feb  1 14:30:52 2011 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Feb  1 14:30:52 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Tue Feb  1 14:30:52 2011 Local Options hash (VER=V4): '91138c76'
Tue Feb  1 14:30:52 2011 Expected Remote Options hash (VER=V4): 'f5a300ca'
Tue Feb  1 14:30:52 2011 Socket Buffers: R=[41600->65536] S=[9216->65536]
Tue Feb  1 14:30:52 2011 UDPv4 link local (bound): [undef]:1194
Tue Feb  1 14:30:52 2011 UDPv4 link remote: [VPN IP]:[VPN port]
Tue Feb  1 14:30:52 2011 write UDPv4: No route to host (code=65)
Tue Feb  1 14:30:58 2011 write UDPv4: No route to host (code=65)
Tue Feb  1 14:31:04 2011 write UDPv4: No route to host (code=65)
Tue Feb  1 14:31:10 2011 write UDPv4: No route to host (code=65)
tcpdump:
Code:
$ sudo tcpdump -eni pflog0
tcpdump: listening on pflog0, link-type PFLOG
14:30:50.529549 rule 2/(match) block out on nfe0: 192.168.1.4.43665 > [VPN IP]:[VPN port]: S 2351877163:2351877163(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
14:30:52.538155 rule 2/(match) block out on nfe0: 192.168.1.4.1194 > [VPN IP]:[VPN port]: udp 14
14:30:58.787580 rule 2/(match) block out on nfe0: 192.168.1.4.1194 > [VPN IP]:[VPN port]: udp 14
14:31:04.677419 rule 2/(match) block out on nfe0: 192.168.1.4.1194 > [VPN IP]:[VPN port]: udp 14
14:31:10.027260 rule 2/(match) block out on nfe0: 192.168.1.4.1194 > [VPN IP]:[VPN port]: udp 14
^C
5 packets received by filter
0 packets dropped by kernel
(nfe0 is my network card and 192.168.1.4 is my IP from my home router.)
Reply With Quote
  #8   (View Single Post)  
Old 1st February 2011
J65nko J65nko is online now
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,193
Thanked 182 Times in 149 Posts
Default

Packets are being blocked. The first one is the first of the 3-way TCP handshake to set up a TCP connection. The others are blocked UDP packets.

Add this rule and retry.
Code:
pass out quick on egress inet proto { tcp, udp } to VPN_IP port VPN_port
BTW telling us which port you are using for VPN could give us a clue We are not interested in the IP address, only the port
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 1st February 2011 at 08:03 PM. Reason: Added remark about VPN port
Reply With Quote
  #9   (View Single Post)  
Old 1st February 2011
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,805
Thanked 214 Times in 189 Posts
Default

Since you were never using PF until today, you are driving down a rat hole which is likely not the root cause of your problem. The default implementation should not be getting in the way of normal traffic, and OpenVPN uses standard UDP or TCP protocols.

However, OpenVPN mucks about with your routing tables, because it creates virtual subnets for VPN users.

I have not used OpenVPN in a good number of years, so I cannot look at a configuration file and have something obvious jump out at me. But I would set PF aside and look for an OpenBSD user with a functioning OpenVPN environment. A quick use of the martial arts -- Google Fu -- finds a bunch of guidance. Much of it is dated, but you may find it helpful nevertheless, including some more recent stuff from this very forum:

http://www.undeadly.org/cgi?action=a...20050727020729
http://www.daemonforums.org/showthread.php?t=527
http://www.daemonforums.org/showthread.php?t=3750
http://www.kernel-panic.it/openbsd/vpn/vpn4.html

EDIT: Ah, I see that two posts jumped in. A log that does show blocking, and J65's response. I type slow.
Reply With Quote
Old 1st February 2011
Emile Emile is offline
Port Guard
 
Join Date: Feb 2011
Posts: 25
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by J65nko View Post
Packets are being blocked. The first one is the first of the 3-way TCP handshake to set up a TCP connection. The others are blocked UDP packets.

Add this rule and retry.
Code:
pass out quick on egress inet proto { tcp, udp } to VPN_IP port VPN_port
BTW telling us which port you are using for VPN could give us a clue We are not interested in the IP address, only the port
Ah, in the client.ovpn I was given, the port says 3074. With my previous experience in OpenVPN, I never had to worry about a port because everything just worked out of the box and now I seem to be having issues (I have not used OpenVPN in a while either).

Anyway, here it is:

Code:
$ sudo openvpn client.ovpn     
Tue Feb  1 15:13:47 2011 OpenVPN 2.1.0 i386-unknown-openbsd4.8 [SSL] [LZO2] built on Aug 10 2010
Tue Feb  1 15:13:47 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Feb  1 15:13:47 2011 WARNING: file 'cert.dat' is group or others accessible
Tue Feb  1 15:13:47 2011 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Feb  1 15:13:47 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Tue Feb  1 15:13:47 2011 Local Options hash (VER=V4): '91138c76'
Tue Feb  1 15:13:47 2011 Expected Remote Options hash (VER=V4): 'f5a300ca'
Tue Feb  1 15:13:47 2011 Socket Buffers: R=[41600->65536] S=[9216->65536]
Tue Feb  1 15:13:47 2011 UDPv4 link local (bound): [undef]:1194
Tue Feb  1 15:13:47 2011 UDPv4 link remote: [VPN IP]:3074
Tue Feb  1 15:13:47 2011 TLS: Initial packet from [VPN IP]:3074, sid=5f02f614 7ce7e591
Tue Feb  1 15:13:56 2011 VERIFY OK: depth=1, /C=US/ST=NY/L=New_York/O=example.com/CN=example.com_CA/emailAddress=admin@example.com
Tue Feb  1 15:13:56 2011 VERIFY OK: nsCertType=SERVER
Tue Feb  1 15:13:56 2011 VERIFY OK: depth=0, /C=US/ST=NY/L=New_York/O=example.com/CN=server/emailAddress=admin@example.com
Tue Feb  1 15:13:58 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 256 bit key
Tue Feb  1 15:13:58 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  1 15:13:58 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 256 bit key
Tue Feb  1 15:13:58 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  1 15:13:58 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Feb  1 15:13:58 2011 [server] Peer Connection Initiated with [VPN IP]:3074
Tue Feb  1 15:14:00 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Feb  1 15:14:00 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.100.2.0 255.255.255.0,redirect-gateway,dhcp-option DNS 10.100.2.1,route-gateway 10.100.2.1,topology subnet,ping 30,ping-restart 120,ifconfig 10.100.2.106 255.255.255.0'
Tue Feb  1 15:14:00 2011 OPTIONS IMPORT: timers and/or timeouts modified
Tue Feb  1 15:14:00 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue Feb  1 15:14:00 2011 OPTIONS IMPORT: route options modified
Tue Feb  1 15:14:00 2011 OPTIONS IMPORT: route-related options modified
Tue Feb  1 15:14:00 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Feb  1 15:14:00 2011 ROUTE default_gateway=192.168.1.1
Tue Feb  1 15:14:00 2011 /sbin/ifconfig tun0 destroy
Tue Feb  1 15:14:00 2011 /sbin/ifconfig tun0 create
Tue Feb  1 15:14:00 2011 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Tue Feb  1 15:14:00 2011 /sbin/ifconfig tun0 10.100.2.106 netmask 255.255.255.0 mtu 1500 broadcast 10.100.2.255 link0
Tue Feb  1 15:14:00 2011 TUN/TAP device /dev/tun0 opened
Tue Feb  1 15:14:02 2011 /sbin/route add -net [VPN IP] 192.168.1.1 -netmask 255.255.255.255
add net [VPN IP]: gateway 192.168.1.1
Tue Feb  1 15:14:02 2011 /sbin/route add -net 0.0.0.0 10.100.2.1 -netmask 128.0.0.0
add net 0.0.0.0: gateway 10.100.2.1
Tue Feb  1 15:14:02 2011 /sbin/route add -net 128.0.0.0 10.100.2.1 -netmask 128.0.0.0
add net 128.0.0.0: gateway 10.100.2.1
Tue Feb  1 15:14:02 2011 /sbin/route add -net 10.100.2.0 10.100.2.1 -netmask 255.255.255.0
add net 10.100.2.0: gateway 10.100.2.1
Tue Feb  1 15:14:02 2011 Initialization Sequence Completed
tcpdump:

Code:
$ sudo tcpdump -eni pflog0 
tcpdump: listening on pflog0, link-type PFLOG
15:14:01.138655 rule 2/(match) block out on tun0: :: > ff02::1:ffd8:a554: [|icmp6]
15:14:08.588467 rule 2/(match) block out on nfe0: 192.168.1.4.16561 > 128.255.70.89.123: v4 client strat 0 poll 0 prec 0 [tos 0x10]
15:14:08.751031 rule 2/(match) block out on tun0: 10.100.2.106.42436 > 66.102.13.105.80: S 2924801927:2924801927(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
15:14:19.297303 rule 2/(match) block out on tun0: 10.100.2.106 > 66.102.13.147: icmp: echo request
15:14:20.298122 rule 2/(match) block out on tun0: 10.100.2.106 > 66.102.13.147: icmp: echo request
^C
5 packets received by filter
0 packets dropped by kernel
The last 2 are ping requests to Google, the one above that is when I tried a user to browse to Google, and before that is something that just appeared at "Initialization Sequence Completed" from OpenVPN. I didn't get any packets when I disconnected from the VPN.

Quote:
Originally Posted by jggimi View Post
Since you were never using PF until today, you are driving down a rat hole which is likely not the root cause of your problem. The default implementation should not be getting in the way of normal traffic, and OpenVPN uses standard UDP or TCP protocols.

However, OpenVPN mucks about with your routing tables, because it creates virtual subnets for VPN users.

I have not used OpenVPN in a good number of years, so I cannot look at a configuration file and have something obvious jump out at me. But I would set PF aside and look for an OpenBSD user with a functioning OpenVPN environment. A quick use of the martial arts -- Google Fu -- finds a bunch of guidance. Much of it is dated, but you may find it helpful nevertheless, including some more recent stuff from this very forum:

[Cannot post URLs]

EDIT: Ah, I see that two posts jumped in. A log that does show blocking, and J65's response. I type slow.
I don't ever recall touching /etc/hostname.tun0, but maybe I must do something with that now? I never knew it was neccessary...

I think I am currently leaning towards this problem, that I didn't set up virtual IPs correctly like all this 10.100.2.1 and stuff. Customer service guy tried to help me out anyway because they don't support *BSD and he told me to ping 10.100.1.1, 10.100.2.1 and 8.8.8.8, then a paste of route -n show. He said if I can't ping 10.100.1.1, then I am not actually on the VPN, so...I have no idea. He said he's not sure because I can't ping the gateway nor are there any error messages, so it looked like a dead end even though I was technically "connected". He told me to ask the OpenBSD people and so I Googled this forum and here I am.

Here is a route should it be of any assistance:

Code:
$ route -n show 
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
0/1                10.100.1.1         UGS        0        0     -     8 tun0 
default            192.168.1.1        UGS        9    62319     -     8 nfe0 
10.100.1/24        link#6             UC         1        0     -     4 tun0 
10.100.1/24        10.100.1.1         UGS        0        0     -     8 tun0 
10.100.1.1         link#6             UHLc       3        0     -     4 tun0 
92.241.168.20/32   192.168.1.1        UGS        0        0     -     8 nfe0 
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0  
127.0.0.1          127.0.0.1          UH         7   134400 33200     4 lo0  
128/1              10.100.1.1         UGS        0        0     -     8 tun0 
192.168.1/24       link#1             UC         1        0     -     4 nfe0 
192.168.1.1        00:xx:xx:xx:xx:xx  UHLc       2     1643     -     4 nfe0 
192.168.1.4        127.0.0.1          UGHS       0        0 33200     8 lo0  
224/4              127.0.0.1          URS        0        0 33200     8 lo0  

Internet6:
Destination                        Gateway                        Flags   Refs      Use   Mtu  Prio Iface
::/104                             ::1                            UGRS       0        0     -     8 lo0  
::/96                              ::1                            UGRS       0        0     -     8 lo0  
::1                                ::1                            UH        14        0 33200     4 lo0  
::127.0.0.0/104                    ::1                            UGRS       0        0     -     8 lo0  
::224.0.0.0/100                    ::1                            UGRS       0        0     -     8 lo0  
::255.0.0.0/104                    ::1                            UGRS       0        0     -     8 lo0  
::ffff:0.0.0.0/96                  ::1                            UGRS       0        0     -     8 lo0  
2002::/24                          ::1                            UGRS       0        0     -     8 lo0  
2002:7f00::/24                     ::1                            UGRS       0        0     -     8 lo0  
2002:e000::/20                     ::1                            UGRS       0        0     -     8 lo0  
2002:ff00::/24                     ::1                            UGRS       0        0     -     8 lo0  
fe80::/10                          ::1                            UGRS      18        0     -     8 lo0  
fe80::%nfe0/64                     link#1                         UC         0        0     -     4 nfe0 
fe80::2xx:xxff:fexx:xxxx%nfe0      00:xx:xx:xx:xx:xx              HL         0        0     -     4 lo0  
fe80::%lo0/64                      fe80::1%lo0                    U          0        0     -     4 lo0  
fe80::1%lo0                        link#3                         UHL        0        0     -     4 lo0  
fe80::%tun0/64                     link#6                         UC         0        0     -     4 tun0 
fe80::fcxx:xxff:fexx:xxxx%tun0     fe:xx:xx:xx:xx:xx              HL         0        0     -     4 lo0  
fec0::/10                          ::1                            UGRS       0        0     -     8 lo0  
ff01::/16                          ::1                            UGRS       0        0     -     8 lo0  
ff01::%nfe0/32                     link#1                         UC         0        0     -     4 nfe0 
ff01::%lo0/32                      ::1                            UC         0        0     -     4 lo0  
ff01::%tun0/32                     link#6                         UC         0        0     -     4 tun0 
ff02::/16                          ::1                            UGRS      38        0     -     8 lo0  
ff02::%nfe0/32                     link#1                         UC         0        0     -     4 nfe0 
ff02::%lo0/32                      ::1                            UC         0        0     -     4 lo0  
ff02::%tun0/32                     link#6                         UC         0        0     -     4 tun0

Last edited by Emile; 1st February 2011 at 08:42 PM.
Reply With Quote
Old 1st February 2011
J65nko J65nko is online now
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,193
Thanked 182 Times in 149 Posts
Default

Try this simple pf wich allows all traffic from both your NIC and tun0 device

Code:
#IF = re0 
IF = nfe0

VPN_IF = tun0

set skip on lo0

block log all

pass out quick on $IF
pass out quick on $VPN_IF
pflog0 should not show any blocked packets now.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Old 1st February 2011
Emile Emile is offline
Port Guard
 
Join Date: Feb 2011
Posts: 25
Thanked 0 Times in 0 Posts
Default

Ok, it seems all is fine and dandy with pf (no need to post repetitive logs; the OpenVPN output is the same, and there is no blocked packets from tcpdump) but I still can't ping anything on the VPN network or access the internet.

So does this clear pf as not the culprit once and for all?

I'm really unsure of this networking setup, especially VPN...is editing /etc/hostname.tun0 neccessary? I don't have anything in that file and don't know what to put inside it either..

Last edited by Emile; 1st February 2011 at 09:13 PM.
Reply With Quote
Old 1st February 2011
J65nko J65nko is online now
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,193
Thanked 182 Times in 149 Posts
Default

The new pf.conf does clear pf , but in the beginning it was blocking some packets

What is the output of
Code:
# ifconfig tun0
or
Code:
# ifconfig -A
?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Old 1st February 2011
Emile Emile is offline
Port Guard
 
Join Date: Feb 2011
Posts: 25
Thanked 0 Times in 0 Posts
Default

Well in the VERY beginning my pf didn't even have any rules (well it did, but just blocking X server port) so nothing was being dropped, really since it was just the default pf.conf after all. But I guess it doesn't hurt to learn pf sometime soon for future purposes.

Code:
$ sudo ifconfig tun0 
tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr fe:xx:xx:xx:xx:34
        priority: 0
        groups: tun
        status: active
        inet 10.100.2.106 netmask 0xffffff00 broadcast 10.100.2.255
        inet6 fe80::fce1:xxff:fexx:xx34%tun0 prefixlen 64 scopeid 0x8
Code:
$ sudo ifconfig -A   
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:xx:xx:xx:xx:86
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::2xx:xxff:fexx:xx86%nfe0 prefixlen 64 scopeid 0x1
        inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog
tun1: flags=9803<UP,BROADCAST,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr fe:xx:xx:xx:xx:a9
        priority: 0
        groups: tun
        status: no carrier
        inet 10.100.1.9 netmask 0xffffff00 broadcast 10.100.1.255
        inet6 fe80::fcxx:xxff:fexx:xxa9%tun1 prefixlen 64 scopeid 0x7
tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr fe:xx:xx:xx:xx:34
        priority: 0
        groups: tun
        status: active
        inet 10.100.2.106 netmask 0xffffff00 broadcast 10.100.2.255
        inet6 fe80::fcxx:xxff:fexx:xx34%tun0 prefixlen 64 scopeid 0x8
Reply With Quote
Old 1st February 2011
J65nko J65nko is online now
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,193
Thanked 182 Times in 149 Posts
Default

The address of your nfe0 NIC is 192.168.1.4, but in the routing table it is 192.168.1.1

Code:
$ route -n show 
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
0/1                10.100.1.1         UGS        0        0     -     8 tun0 
default            192.168.1.1        UGS        9    62319     -     8 nfe0 
10.100.1/24        link#6             UC         1        0     -     4 tun0 
10.100.1/24        10.100.1.1         UGS        0        0     -     8 tun0 
10.100.1.1         link#6             UHLc       3        0     -     4 tun0 
92.241.168.20/32   192.168.1.1        UGS        0        0     -     8 nfe0 
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0  
127.0.0.1          127.0.0.1          UH         7   134400 33200     4 lo0  
128/1              10.100.1.1         UGS        0        0     -     8 tun0 
192.168.1/24       link#1             UC         1        0     -     4 nfe0 
192.168.1.1        00:xx:xx:xx:xx:xx  UHLc       2     1643     -     4 nfe0 
192.168.1.4        127.0.0.1          UGHS       0        0 33200     8 lo0  
224/4              127.0.0.1          URS        0        0 33200     8 lo0 

$ ifconfig nfe0

nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:xx:xx:xx:xx:86
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::2xx:xxff:fexx:xx86%nfe0 prefixlen 64 scopeid 0x1
        inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
In the routing table tun0 shows up in the 10.100.1.0/24 network but the ifconfig shows it is 10.100.2.106 and thus in 10.100.2.0/24.

Because of these two abnormalities you are getting these 'no routes to host' messages.

Code:
tun1: flags=9803<UP,BROADCAST,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr fe:xx:xx:xx:xx:a9
        priority: 0
        groups: tun
        status: no carrier
        inet 10.100.1.9 netmask 0xffffff00 broadcast 10.100.1.255
        inet6 fe80::fcxx:xxff:fexx:xxa9%tun1 prefixlen 64 scopeid 0x7

tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr fe:xx:xx:xx:xx:34
        priority: 0
        groups: tun
        status: active
        inet 10.100.2.106 netmask 0xffffff00 broadcast 10.100.2.255
        inet6 fe80::fcxx:xxff:fexx:xx34%tun0 prefixlen 64 scopeid 0x8
And I wonder what tun1 is doing, it shows 'no carrier', although it is in the 10.100.1.0/24 network which happens to be in the routing tables.

OpenVPN seems to configure tun0
Code:
Tue Feb  1 15:14:00 2011 /sbin/ifconfig tun0 destroy
Tue Feb  1 15:14:00 2011 /sbin/ifconfig tun0 create
Tue Feb  1 15:14:00 2011 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Tue Feb  1 15:14:00 2011 /sbin/ifconfig tun0 10.100.2.106 netmask 255.255.255.0 mtu 1500 broadcast 10.100.2.255 link0
Tue Feb  1 15:14:00 2011 TUN/TAP device /dev/tun0 opened
Although I wonder how pf handles network devices that don't exist when the rules are loading,

How about the Windows approach, rebooting the system?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Old 1st February 2011
J65nko J65nko is online now
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,193
Thanked 182 Times in 149 Posts
Default

Does $ pkg_info -M openvpn give any clue about configuring OpenVPN?
Have you seen http://www.daemonforums.org/showthread.php?t=527 ?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Old 1st February 2011
Emile Emile is offline
Port Guard
 
Join Date: Feb 2011
Posts: 25
Thanked 0 Times in 0 Posts
Default

Okay, just as documentation, I've just rebooted and here is my fresh ifconfig:

Code:
$ sudo ifconfig -A
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:xx:xx:xx:xx:86
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::2xx:xxff:fexx:xx86%nfe0 prefixlen 64 scopeid 0x1
        inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
tun0: flags=10<POINTOPOINT> mtu 1500
        priority: 0
        groups: tun
        status: down
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog
I am about to run OpenVPN and see what'll happen
Reply With Quote
Old 1st February 2011
Emile Emile is offline
Port Guard
 
Join Date: Feb 2011
Posts: 25
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by J65nko View Post
Does $ pkg_info -M openvpn give any clue about configuring OpenVPN?
Have you seen http://www.daemonforums.org/showthread.php?t=527 ?
Code:
$ pkg_info -M openvpn
Information for inst:openvpn-2.1.0p0

Install notice:
OpenVPN re-creates the tun(4) interface at startup; compatibility
with PF is improved by starting it from hostname.if(5). For example:

# cat << EOF > /etc/hostname.tun0
up
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf
EOF
Well I'm not really using pf so this shouldn't really matter, would it? (I mean if I have no rules in pf or if I disable pf.)

Yes I'm trying to understand the configuration given in that thread and I messaged the thread creator for help but it seems this individual has not been on these forums since October of 2010.

Doesn't OpenVPN automatically create the routes anyway?
Reply With Quote
Old 1st February 2011
Emile Emile is offline
Port Guard
 
Join Date: Feb 2011
Posts: 25
Thanked 0 Times in 0 Posts
Default

And here's when I try to connect again...
Code:
$ sudo openvpn client.ovpn
Tue Feb  1 17:27:17 2011 OpenVPN 2.1.0 i386-unknown-openbsd4.8 [SSL] [LZO2] built on Aug 10 2010
Tue Feb  1 17:27:17 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Feb  1 17:27:17 2011 WARNING: file 'cert.dat' is group or others accessible
Tue Feb  1 17:27:17 2011 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Feb  1 17:27:17 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Tue Feb  1 17:27:17 2011 Local Options hash (VER=V4): '91138c76'
Tue Feb  1 17:27:17 2011 Expected Remote Options hash (VER=V4): 'f5a300ca'
Tue Feb  1 17:27:17 2011 Socket Buffers: R=[41600->65536] S=[9216->65536]
Tue Feb  1 17:27:17 2011 UDPv4 link local (bound): [undef]:1194
Tue Feb  1 17:27:17 2011 UDPv4 link remote: [VPN IP]:3074
Tue Feb  1 17:27:18 2011 TLS: Initial packet from [VPN IP]:3074, sid=119e7e18 7e8b693a
Tue Feb  1 17:27:19 2011 VERIFY OK: depth=1, /C=US/ST=NY/L=New_York/O=example.com/CN=example.com_CA/emailAddress=admin@example.com
Tue Feb  1 17:27:19 2011 VERIFY OK: nsCertType=SERVER
Tue Feb  1 17:27:19 2011 VERIFY OK: depth=0, /C=US/ST=NY/L=New_York/O=example.com/CN=server/emailAddress=admin@example.com
Tue Feb  1 17:27:21 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 256 bit key
Tue Feb  1 17:27:21 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  1 17:27:21 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 256 bit key
Tue Feb  1 17:27:21 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  1 17:27:21 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Feb  1 17:27:21 2011 [server] Peer Connection Initiated with [VPN IP]:3074
Tue Feb  1 17:27:23 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Feb  1 17:27:23 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.100.2.0 255.255.255.0,redirect-gateway,dhcp-option DNS 10.100.2.1,route-gateway 10.100.2.1,topology subnet,ping 30,ping-restart 120,ifconfig 10.100.2.106 255.255.255.0'
Tue Feb  1 17:27:23 2011 OPTIONS IMPORT: timers and/or timeouts modified
Tue Feb  1 17:27:23 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue Feb  1 17:27:23 2011 OPTIONS IMPORT: route options modified
Tue Feb  1 17:27:23 2011 OPTIONS IMPORT: route-related options modified
Tue Feb  1 17:27:23 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Feb  1 17:27:23 2011 ROUTE default_gateway=192.168.1.1
Tue Feb  1 17:27:23 2011 /sbin/ifconfig tun0 destroy
Tue Feb  1 17:27:23 2011 /sbin/ifconfig tun0 create
Tue Feb  1 17:27:23 2011 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Tue Feb  1 17:27:23 2011 /sbin/ifconfig tun0 10.100.2.106 netmask 255.255.255.0 mtu 1500 broadcast 10.100.2.255 link0
Tue Feb  1 17:27:23 2011 TUN/TAP device /dev/tun0 opened
Tue Feb  1 17:27:25 2011 /sbin/route add -net [VPN IP] 192.168.1.1 -netmask 255.255.255.255
add net [VPN IP]: gateway 192.168.1.1
Tue Feb  1 17:27:25 2011 /sbin/route add -net 0.0.0.0 10.100.2.1 -netmask 128.0.0.0
add net 0.0.0.0: gateway 10.100.2.1
Tue Feb  1 17:27:25 2011 /sbin/route add -net 128.0.0.0 10.100.2.1 -netmask 128.0.0.0
add net 128.0.0.0: gateway 10.100.2.1
Tue Feb  1 17:27:25 2011 /sbin/route add -net 10.100.2.0 10.100.2.1 -netmask 255.255.255.0
add net 10.100.2.0: gateway 10.100.2.1
Tue Feb  1 17:27:25 2011 Initialization Sequence Completed
Code:
$ ifconfig -A 
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:xx:xx:xx:xx:86
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::2xx:xxff:fexx:xx86%nfe0 prefixlen 64 scopeid 0x1
        inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog
tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr fe:xx:xx:xx:xx:2c
        priority: 0
        groups: tun
        status: active
        inet 10.100.1.112 netmask 0xffffff00 broadcast 10.100.1.255
        inet6 fe80::fcxx:xxff:fexx:xx2c%tun0 prefixlen 64 scopeid 0x6
route -n show:
Code:
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
0/1                10.100.1.1         UGS        0        0     -     8 tun0 
default            192.168.1.1        UGS       10     1849     -     8 nfe0 
10.100.1/24        link#6             UC         1        0     -     4 tun0 
10.100.1/24        10.100.1.1         UGS        0        0     -     8 tun0 
10.100.1.1         link#6             UHLc       3        0     -     4 tun0 
[VPN IP]/32        192.168.1.1        UGS        0        0     -     8 nfe0 
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0  
127.0.0.1          127.0.0.1          UH         5     1233 33200     4 lo0  
128/1              10.100.1.1         UGS        0        0     -     8 tun0 
192.168.1/24       link#1             UC         1        0     -     4 nfe0 
192.168.1.1        00:xx:xx:xx:xx:8c  UHLc       2       54     -     4 nfe0 
192.168.1.4        127.0.0.1          UGHS       0        0 33200     8 lo0  
224/4              127.0.0.1          URS        0        0 33200     8 lo0  

Internet6:
Destination                        Gateway                        Flags   Refs      Use   Mtu  Prio Iface
::/104                             ::1                            UGRS       0        0     -     8 lo0  
::/96                              ::1                            UGRS       0        0     -     8 lo0  
::1                                ::1                            UH        14        0 33200     4 lo0  
::127.0.0.0/104                    ::1                            UGRS       0        0     -     8 lo0  
::224.0.0.0/100                    ::1                            UGRS       0        0     -     8 lo0  
::255.0.0.0/104                    ::1                            UGRS       0        0     -     8 lo0  
::ffff:0.0.0.0/96                  ::1                            UGRS       0        0     -     8 lo0  
2002::/24                          ::1                            UGRS       0        0     -     8 lo0  
2002:7f00::/24                     ::1                            UGRS       0        0     -     8 lo0  
2002:e000::/20                     ::1                            UGRS       0        0     -     8 lo0  
2002:ff00::/24                     ::1                            UGRS       0        0     -     8 lo0  
fe80::/10                          ::1                            UGRS       2        0     -     8 lo0  
fe80::%nfe0/64                     link#1                         UC         0        0     -     4 nfe0 
fe80::2xx:xxff:fexx:xx86%nfe0      00:xx:xx:xx:xx:86              HL         0        0     -     4 lo0  
fe80::%lo0/64                      fe80::1%lo0                    U          0        0     -     4 lo0  
fe80::1%lo0                        link#3                         UHL        0        0     -     4 lo0  
fe80::%tun0/64                     link#6                         UC         0        0     -     4 tun0 
fe80::fcxx:xxff:fexx:xxa0%tun0     fe:xx:xx:xx:xx:a0              HL         0        0     -     4 lo0  
fec0::/10                          ::1                            UGRS       0        0     -     8 lo0  
ff01::/16                          ::1                            UGRS       0        0     -     8 lo0  
ff01::%nfe0/32                     link#1                         UC         0        0     -     4 nfe0 
ff01::%lo0/32                      ::1                            UC         0        0     -     4 lo0  
ff01::%tun0/32                     link#6                         UC         0        0     -     4 tun0 
ff02::/16                          ::1                            UGRS       6        0     -     8 lo0  
ff02::%nfe0/32                     link#1                         UC         0        0     -     4 nfe0 
ff02::%lo0/32                      ::1                            UC         0        0     -     4 lo0  
ff02::%tun0/32                     link#6                         UC         0        0     -     4 tun0

Last edited by Emile; 1st February 2011 at 10:38 PM.
Reply With Quote
Old 1st February 2011
Emile Emile is offline
Port Guard
 
Join Date: Feb 2011
Posts: 25
Thanked 0 Times in 0 Posts
Default

Here is my ifconfig and route under normal circumstances (without starting the VPN). Everything works fine in this mode:

Code:
$ sudo ifconfig -A
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:xx:xx:xx:xx:86
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::2xx:xxff:fexx:xx86%nfe0 prefixlen 64 scopeid 0x1
        inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog
tun0: flags=9803<UP,BROADCAST,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr fe:xx:xx:xx:xx:a0
        priority: 0
        groups: tun
        status: no carrier
        inet 10.100.1.112 netmask 0xffffff00 broadcast 10.100.1.255
        inet6 fe80::fcxx:xxff:fexx:xxa0%tun0 prefixlen 64 scopeid 0x6
Code:
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.1.1        UGS       10     2197     -     8 nfe0 
10.100.1/24        link#6             C          0        0     -     4 tun0 
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0  
127.0.0.1          127.0.0.1          UH         5     1382 33200     4 lo0  
192.168.1/24       link#1             UC         1        0     -     4 nfe0 
192.168.1.1        00:xx:xx:xx:xx:8c  UHLc       1       54     -     4 nfe0 
192.168.1.4        127.0.0.1          UGHS       0        0 33200     8 lo0  
224/4              127.0.0.1          URS        0        0 33200     8 lo0  

Internet6:
Destination                        Gateway                        Flags   Refs      Use   Mtu  Prio Iface
::/104                             ::1                            UGRS       0        0     -     8 lo0  
::/96                              ::1                            UGRS       0        0     -     8 lo0  
::1                                ::1                            UH        14        0 33200     4 lo0  
::127.0.0.0/104                    ::1                            UGRS       0        0     -     8 lo0  
::224.0.0.0/100                    ::1                            UGRS       0        0     -     8 lo0  
::255.0.0.0/104                    ::1                            UGRS       0        0     -     8 lo0  
::ffff:0.0.0.0/96                  ::1                            UGRS       0        0     -     8 lo0  
2002::/24                          ::1                            UGRS       0        0     -     8 lo0  
2002:7f00::/24                     ::1                            UGRS       0        0     -     8 lo0  
2002:e000::/20                     ::1                            UGRS       0        0     -     8 lo0  
2002:ff00::/24                     ::1                            UGRS       0        0     -     8 lo0  
fe80::/10                          ::1                            UGRS       2        0     -     8 lo0  
fe80::%nfe0/64                     link#1                         UC         0        0     -     4 nfe0 
fe80::2xx:xxff:fexx:xx86%nfe0      00:xx:xx:xx:xx:86              HL         0        0     -     4 lo0  
fe80::%lo0/64                      fe80::1%lo0                    U          0        0     -     4 lo0  
fe80::1%lo0                        link#3                         UHL        0        0     -     4 lo0  
fe80::%tun0/64                     link#6                         C          0        0     -     4 tun0 
fe80::fcxx:xxff:fexx:xxa0%tun0     fe:xx:xx:xx:xx:a0              HL         0        0     -     4 lo0  
fec0::/10                          ::1                            UGRS       0        0     -     8 lo0  
ff01::/16                          ::1                            UGRS       0        0     -     8 lo0  
ff01::%nfe0/32                     link#1                         UC         0        0     -     4 nfe0 
ff01::%lo0/32                      ::1                            UC         0        0     -     4 lo0  
ff01::%tun0/32                     link#6                         C          0        0     -     4 tun0 
ff02::/16                          ::1                            UGRS       6        0     -     8 lo0  
ff02::%nfe0/32                     link#1                         UC         0        0     -     4 nfe0 
ff02::%lo0/32                      ::1                            UC         0        0     -     4 lo0  
ff02::%tun0/32                     link#6                         C          0        0     -     4 tun0
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenVPN BSD_Auth There0 OpenBSD Installation and Upgrading 0 8th May 2010 09:53 AM
Cannot set up OpenVPN guitarscn OpenBSD Security 8 5th October 2009 05:19 PM
SSH tunneling vs. OpenVPN revzalot OpenBSD Security 8 31st May 2009 06:45 AM
OpenVPN management bichumo General software and network 0 15th July 2008 09:05 AM
OpenVPN - Problem with connections MME General software and network 2 26th May 2008 06:42 PM


All times are GMT. The time now is 04:33 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick