Re: your OpenVPN setup
How did you configure OpenVPN on your OpenBSD box? Most people have a lot of problems getting it connected to a VPN service.
Re: filter rules
From
http://www.swissvpn.net/index.php?co...ng=en#selected
Quote:
How can I ensure that my computer only connects to the Internet via SwissVPN, and not directly?
The most reliable way of achieving this is by installing a separate router/firewall between your computer and the Internet. Configure the firewall to only allow outbound connections with the following protocols:
- DNS (TCP/UDP port 53)
- HTTPS (TCP port 443), for OpenVPN
I played a little bit with a pf.conf ruleset and enabled logging so that its working can be verified by running tcpdump on the pflog0 device.
Code:
set block-policy return
set skip on lo
set loginterface egress
# --- OUTGOING services: TCP
# OpenVPN to the VPN service runs over TCP 443 on the physical uplink (egress)
pass out log quick on egress inet proto tcp from egress to any port https
# everything else may only leave through the tunnel interface
pass out log quick on tun0 inet proto { tcp, udp, icmp }
# DNS to the local resolver, needed here to bring the VPN connection up (see PS below)
pass out quick on egress inet proto udp to 192.168.222.10 port 53
# --- INCOMING services: TCP
# ssh only from hosts on the egress interface's own network
pass in quick on egress inet proto tcp from egress:network to port ssh
# -- DEFAULT policy
# the 'pass ... quick' rules above match first; anything else falls through to these blocks
# SSDP and NetBIOS noise is dropped without logging so it does not flood pflog0
block quick inet proto udp from any port 1900 to any port 1900
block quick inet proto udp from any to any port { 137 138 139 }
# everything else is blocked and logged
block return log all
# -------------------------------------------------------------------------
# use 'tcpdump -eni pflog0' to watch blocked packets in real time
# use 'tcpdump -en -r /var/log/pflog' to read the blocked packets log file
# -------------------------------------------------------------------------
With the SwissVPN.net demo account I can only do DNS lookups, ping (ICMP) and access (TCP) their website, but that all works with this ruleset.
So you could give it a try.
PS: I needed pass out quick on egress inet proto udp to 192.168.222.10 port 53, else I could not set up the VPN connection. And that is the reason that after stopping OpenVPN I still could do DNS lookups. But I could neither ping nor visit a website after stopping.