DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1   (View Single Post)  
Old 16th January 2012
lasstoff lasstoff is offline
New User
 
Join Date: Jan 2012
Posts: 3
Thanked 0 Times in 0 Posts
Default Openvpn pf/nat/route-to issue

I'm having a pf/nat/route-to problem with openbsd 4.6 and openvpn
2.1_rc15.

VPN setup works and I'm able to send (and receive data) when doing it
directly from my openbsd firewall:

# ping 192.36.171.154
Code:
PING 192.36.171.154 (192.36.171.154): 56 data bytes
64 bytes from 192.36.171.154: icmp_seq=0 ttl=60 time=21.692 ms
# tcpdump -ni tun0 icmp
Code:
tcpdump: listening on tun0, link-type EN10MB
22:56:59.951191 178.73.197.139 > 192.36.171.154: icmp: echo request
22:56:59.972697 192.36.171.154 > 178.73.197.139: icmp: echo reply
But when doing the same ping from a client behind my openbsd firewall it
fails. The really strange thing is that pflog0 says the packet is sent
out on tun0, but the tcpdump on tun0 never sees the icmp packet:

# tcpdump -ettt -ni pflog0
Code:
tcpdump: listening on pflog0, link-type PFLOG Jan 15 23:00:25.921497 rule 156.vpn.10/(match) pass in on vr2: 172.16.1.20 > 192.36.171.154: icmp: echo request (DF)
Jan 15 23:00:25.921558 rule 100/(match) pass out on tun0: 178.73.197.139 > > 192.36.171.154: icmp: echo request (DF)
# tcpdump -ni tun0 icmp
Code:
tcpdump: listening on tun0, link-type EN10MB
Any ideas anyone?



tun0 settings:
Code:
# ifconfig tun0
tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr 00:bd:e2:30:c0:01
        priority: 0
        media: Ethernet autoselect
        status: active
        inet 178.73.197.139 netmask 0xffffff80 broadcast 178.73.197.255
        inet6 fe80::2bd:e2ff:fe30:c001%tun0 prefixlen 64 scopeid 0x7
relevant parts of pf.conf:
Code:
nat on tun0 from 172.16.1.0/24 to any -> tun0
pass in log quick on dmzif route-to tun0 inet proto icmp from 172.16.1.0/24 to any icmp-type echoreq tag VPN_TRAFFIC
pass out log quick on tun0 inet proto icmp from tun0 to any icmp-type echoreq tagged VPN_TRAFFIC

Code:
# sysctl -a | grep net.inet.ip.forwa
net.inet.ip.forwarding=1
parts of openvpn-config:
Code:
dev tun0
dev-type tap
Reply With Quote
 

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Does pf conflict with OpenVPN? Emile OpenBSD Packages and Ports 37 2nd February 2011 11:03 PM
Multi-Path or Route-To? SlyM OpenBSD General 21 10th November 2010 07:22 PM
How to add static route using virtual NIC bsdplus Solaris 1 22nd August 2010 02:10 AM
ping: sendto: No route to host joostvgh OpenBSD General 2 29th April 2010 12:34 PM
Cannot set up OpenVPN guitarscn OpenBSD Security 8 5th October 2009 05:19 PM


All times are GMT. The time now is 07:37 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick