@e1-531g;
Thanks for the warning. Sorry, I understand now.

@jggimi;

hostname.ral0
Code:
-chan -bssid -wpakey
nwid "MyNet" lladdr "random" wpakey "**********"
dhcp

ProtonVPN.ovpn
Code:
client
dev tun
proto tcp

<connection>
remote jp-free-01.protonvpn.com 443
</connection>

<connection>
remote nl-free-01.protonvpn.com 443
</connection>

<connection>
remote nl-free-02.protonvpn.com 443
</connection>

<connection>
remote us-free-01.protonvpn.com 443
</connection>

<connection>
remote us-free-02.protonvpn.com 443
</connection>

remote-random
resolv-retry infinite
nobind
cipher AES-256-CBC
auth SHA512
comp-lzo
verb 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
remote-cert-tls server
auth-user-pass file.txt
pull
fast-io
script-security 2
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf

hostname.tun0
Code:
up
group openvpn
description "ProtonVPN"
!/usr/local/bin/ossl-openvpn --daemon --config /etc/protonvpn/proton.ovpn

Last edited by ucharfli; 24th January 2018 at 05:10 PM.
These are my notes. They are not complete. I refer to the books to get other information. If you use them and screw up, it's your funeral.

I have not tested torrenting with these rules, as I couldn't be bothered after the trouble I went to to get this far. I only set it up to work on my desktop machine, so I don't know if it will work in a router type situation. These notes will only give you clues to help you through roadblocks if you read the books I mentioned, as well as the related man pages. If you don't read up on this, you will have no clue what it all means. I don't have a clue either and I read everything there was to read. lol

If you get tired of trying, take my advice in the post above. Install an operating system a VPN makes a GUI client for that does all this for you and get on with your life. If your VPN does not make such a client, cut your losses with them and find one that does. Even them writing 3 little files you need to use OpenBSD safely can't be that hard for them, can it? If they won't do that much for you, they obviously don't need your business.

Fix DNS Leaks For OpenBSD And AirVPN
https://airvpn.org/topic/22329-openbsd/
https://www.openbsd.org/faq/faq6.html#DHCP

1. Get AirVPN's DNS server addresses here: https://airvpn.org/specs/

2. Add the following line to /etc/dhclient.conf:
   supersede domain-name-servers 1.2.3.4;
   (1.2.3.4 is a junk DNS address that will be inserted in resolv.conf)

3. Add the AirVPN DNS addresses to /etc/resolv.conf.tail:
   nameserver 10.4.0.1
   nameserver 10.5.0.1
   (The contents of this file will be appended to resolv.conf)

4. This command rewrites the resolv.conf file with the above values:
   dhclient em0
   (em0 is the interface from hostname.em0)

OpenVPN
Change the ownership and permissions of the OpenVPN configuration and credential files, so only root has read-only access to them.
   # chown root:wheel /etc/openvpn/*.ovpn
   # chmod 400 /etc/openvpn/*.ovpn

MY PF Rule for AIRVPN
The first link is where I got the main fragment. My pf file has a version of it pasted at the bottom of the original one. Or perhaps it should be at the top? You had better read The Book of PF or you will not know.
https://airvpn.org/topic/1713-win-ma...nbsd#entry1764
https://www.openbsd.org/faq/pf/index.html

"Various Internet bodies have set aside three subnets for use on private networks. You cannot use them on the public Internet, but anybody can use them on a private network. The networks 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are freely usable by organizations. You'll see these addresses in huge organizations and home networks, and have probably encountered some of them already. These addresses are also globally unique, within your organization. Your hosts should never see these addresses elsewhere, and other networks should never see these addresses on your network." - From Networking for Systems Administrators, by Michael Lucas

"The following very basic rules would block all traffic outside the tunnel (edit with any text editor /etc/pf.conf) assuming that your ethernet or wifi interface has the address 192.168.*.* and that the tun interface used by OpenVPN is tun0:"
   block out on <your_network_interface> from 192.168.0.0/16 to any
   pass out quick on <your_network_interface> from 192.168.0.0/16 to <AirVPN_server_entry_IP>
   pass out quick on tun0 from any to any

Note the IP address in OpenVPN is slightly different to the one reported in the webpage that tests leaks. You want the one OpenVPN reports, obviously.
# The OpenVPN IP for each server is marked by: [AF_INET]

For my machine:
   block out on em0 from 192.168.0.0/16 to any
   pass out quick on em0 from 192.168.0.0/16 to <insert 1st vpn server IP here>
   pass out quick on em0 from 192.168.0.0/16 to <insert 2nd vpn server IP here>
   pass out quick on em0 from 192.168.0.0/16 to <insert 3rd vpn server IP here>
   pass out quick on em0 from 192.168.0.0/16 to <insert 4th vpn server IP here>
   pass out quick on tun0 from any to any

Then execute
   pfctl -e
   pfctl -f /etc/pf.conf
to enable pf and load your ruleset.

If the connection drops, no packets will go out, so you will only be able to reconnect to the VPN and nothing else until you disable pf with pfctl -d. Read the man page for pfctl.

Last edited by Prevet; 25th January 2018 at 10:26 AM.
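The DNS steps above end with dhclient rewriting resolv.conf, and the only way to know the supersede line and resolv.conf.tail did what was intended is to look at the result. The script below is an added example (not from the thread or from AirVPN): it reads a resolv.conf and reports any nameserver that is not one you expect, which is how a resolver handed out by the LAN's DHCP server would show up. The allowed list uses the two AirVPN resolvers quoted in the post plus the junk 1.2.3.4 address the supersede line inserts; the two resolv.conf bodies are constructed samples, with 192.168.1.1 standing in for a LAN router's resolver.

```shell
#!/bin/sh
# Added example, not from the thread: after dhclient rewrites resolv.conf,
# confirm that every nameserver in it is one you expect, so a resolver handed
# out by the LAN's DHCP server (queried outside the tunnel) is caught.
# 10.4.0.1 and 10.5.0.1 are the AirVPN resolvers quoted in the post and
# 1.2.3.4 is the junk address the post's supersede line inserts.

ALLOWED_DNS="10.4.0.1 10.5.0.1 1.2.3.4"

# Constructed sample: the supersede line did not take and the router's
# resolver (192.168.1.1, made up here) is still listed.
LEAKY_RESOLV='# Generated by em0 dhclient
nameserver 192.168.1.1
nameserver 10.4.0.1
nameserver 10.5.0.1
lookup file bind'

# Constructed sample: the result the post aims for (junk address, then the
# contents of resolv.conf.tail).
CLEAN_RESOLV='# Generated by em0 dhclient
nameserver 1.2.3.4
nameserver 10.4.0.1
nameserver 10.5.0.1
lookup file bind'

# Read a resolv.conf on stdin. Print every nameserver that is not in the
# space-separated allowed list ($1) and return 1 if there was one, else 0.
leaked_nameservers() {
    allowed=$1
    leaked=""
    for ns in $(awk '$1 == "nameserver" { print $2 }'); do
        case " $allowed " in
            *" $ns "*) ;;                 # an expected resolver
            *) leaked="$leaked $ns" ;;    # anything else is a leak candidate
        esac
    done
    leaked=${leaked# }
    if [ -n "$leaked" ]; then
        printf '%s\n' "$leaked"
        return 1
    fi
    return 0
}

# Stand-alone run over the two constructed samples.
printf '%s\n' "$LEAKY_RESOLV" | leaked_nameservers "$ALLOWED_DNS" \
    || echo "leaky sample: the nameserver(s) above are not the VPN's"
printf '%s\n' "$CLEAN_RESOLV" | leaked_nameservers "$ALLOWED_DNS" \
    && echo "clean sample: only expected nameservers present"
```

On the real machine, run `leaked_nameservers "$ALLOWED_DNS" </etc/resolv.conf` right after `dhclient em0`; a non-zero exit means resolv.conf still carries a resolver the tunnel rules were not written for.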
A PF configuration can be established with a default block of all traffic, then permitting this select traffic to be passed. There are some considerations:
@Prevet;
I applied what you wrote, but I do not get internet. Am I making a mistake somewhere?

My pf.conf
Code:
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

wlan_if="ral0"
vpn="{ 2.*.*.*, 7.*.*.*, 6.*.*.*, 9.*.*.*, 8.*.*.*, \
       1.*.*.*, 5.*.*.*, 7.*.*.*, 8.*.*.*, 2.*.*.* }"

set skip on lo

block return	# block stateless traffic
pass		# establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

####################### VPN ##########################
######################################################
block out on $wlan_if from 192.168.0.0/16 to any
pass out quick on $wlan_if from 192.168.0.0/16 to $vpn
pass out quick on tun0 from any to any

Code:
net.inet.ip.forwarding=1

@jggimi;
It was nice, but I do not know how to write a rule with PF, or where to start. That's why I asked for help. I found something simple, but is it a benefit? This is something that will not make me feel good.
Code:
set skip on tun0
pass in quick on tun0
The two rules have a similar result, but they are not exactly equivalent. The set skip rule will only be applied at the time the rules are loaded, and if the tun0 interface does not exist at that time, the first rule will not be applied.

Last edited by jggimi; 28th January 2018 at 02:03 AM. Reason: clarity
The $vpn variable should be the full number of the IP address of what you are connecting to. You can get that when OpenVPN is up and running. Look for the entry marked [AF_INET] in the terminal screen that pops up when OpenVPN is running. Don't try to use these PF rules until you have made OpenVPN connect to one of your VPN's servers; then you can get [AF_INET] from it.

Last edited by Prevet; 28th January 2018 at 05:25 AM.
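Reading the [AF_INET] entries off the OpenVPN screen and retyping them into the $vpn macro is where a typo silently turns the kill switch into a rule that matches nothing. The script below is an added example, not code from the thread or from AirVPN: it pulls every distinct address tagged [AF_INET] out of saved OpenVPN log output and emits the pf fragment from Prevet's post with $vpn filled in. It assumes OpenVPN 2.4-style log lines; the log excerpt and the 198.51.100.7 / 203.0.113.21 addresses in it are constructed (RFC 5737 documentation ranges), not real VPN endpoints.

```shell
#!/bin/sh
# Added example (not from the thread): build the $vpn macro from OpenVPN's own
# log output instead of typing the [AF_INET] addresses by hand.
# Assumes OpenVPN 2.4-style messages; the addresses below are constructed
# documentation addresses, not real VPN servers.

OPENVPN_LOG='Wed Jan 24 17:03:11 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]198.51.100.7:443
Wed Jan 24 17:03:11 2018 Attempting to establish TCP connection with [AF_INET]198.51.100.7:443 [nonblock]
Wed Jan 24 17:03:12 2018 TCP connection established with [AF_INET]198.51.100.7:443
Wed Jan 24 17:09:40 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.21:443
Wed Jan 24 17:09:40 2018 Attempting to establish TCP connection with [AF_INET]203.0.113.21:443 [nonblock]'

# Print each distinct IPv4 address that follows an [AF_INET] tag on stdin,
# one per line, sorted.
extract_vpn_ips() {
    sed -n 's/.*\[AF_INET\]\([0-9][0-9.]*\):[0-9][0-9]*.*/\1/p' | sort -u
}

# How many endpoints the fragment will allow (worth eyeballing before loading:
# zero means the log was not the right file).
vpn_count() {
    extract_vpn_ips | wc -l | tr -d ' '
}

# Emit the pf fragment from the post with $vpn filled from the log.
# $1 = LAN interface (e.g. em0), $2 = LAN network (e.g. 192.168.0.0/16),
# OpenVPN log on stdin.
pf_vpn_fragment() {
    lan_if=$1
    lan_net=$2
    ips=$(extract_vpn_ips | tr '\n' ' ')
    ips=${ips% }
    printf 'vpn = "{ %s }"\n' "$(printf '%s' "$ips" | sed 's/ /, /g')"
    printf 'block out on %s from %s to any\n' "$lan_if" "$lan_net"
    printf 'pass out quick on %s from %s to $vpn\n' "$lan_if" "$lan_net"
    printf 'pass out quick on tun0 from any to any\n'
}

# Stand-alone run over the constructed log.
printf '%s\n' "$OPENVPN_LOG" | pf_vpn_fragment em0 192.168.0.0/16
```

Paste the emitted lines into pf.conf where the post puts them, then check them with `pfctl -nf /etc/pf.conf` (parse only, nothing loaded) before `pfctl -f /etc/pf.conf`. Because every address in $vpn comes from what OpenVPN actually connected to, the allow rule cannot end up wider than the set of servers the client was seen using.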
This is the link that has the PF rules I put in:
https://airvpn.org/topic/1713-win-ma...nbsd#entry1764

If you search that page for "your_network_interface" you will see them discussing it. Also this number could be different on your machine. I can't remember what program I used to report what it is on my machine.

**** I just noticed you can find the number (192.168.0.0/16) for your machine if you use the ifconfig command. Look in the section that has the media: Ethernet that I mentioned in the post above. For me it is the last line that has netmask 0xffffff00 broadcast 192.168.... Netmasks are explained in the Michael Lucas book.

Last edited by Prevet; 28th January 2018 at 01:14 PM.
Thank you all very much. Now I will try to solve the problem. I am looking for more information. I may bother you again!