DaemonForums  

OpenBSD Security Functionally paranoid!

#1
Old 4th June 2021
CiotBSD

[VM] OpenVPN on host to redirect to VM guests

Hi,

On my server at home, I use VM to virtualize two VM guests. Host and guests run OpenBSD 6.9.

On the host, I installed OpenVPN to use as a client. My VPN connection runs correctly.
How should I configure PF to redirect HTTP(S) traffic to my web VM?
__________________
GPG:Fingerprint ed25519 : 072A 4DA2 8AFD 868D 74CF 9EA2 B85E 9ADA C377 5E8E
GPG:Fingerprint rsa4096 : 4E0D 4AF7 77F5 0FAE A35D 5B62 D0FF 7361 59BF 1733

Last edited by CiotBSD; 6th June 2021 at 03:05 AM.
#2
Old 4th June 2021
prx

Hi,
Some more details would be nice (configuration files). To make sure: you need to redirect HTTP(S) requests incoming from the VPN tunnel to your VM?

I guess a rdr-to should be enough.
Code:
# VPN tunnel interface, web VM address and the ports to redirect
vpn_if = "tun0"
vm_ip = "10.0.0.2"
ports = "{ www https }"

# rewrite the destination of HTTP(S) arriving over the tunnel to the VM
pass in on $vpn_if proto tcp from any to $vpn_if port $ports rdr-to $vm_ip
#3
Old 5th June 2021
jggimi

The Virtualization chapter of the FAQ has a networking section which should help.
#4
Old 5th June 2021
CiotBSD

By using nat-to?

@jggimi: I don't understand how this can help me.
My VMs run correctly according to option 4, because they are on the same network as the host.

But now, I want to redirect the OpenVPN stream connected on the host to the VM.
Last edited by CiotBSD; 5th June 2021 at 11:55 AM.
#5
Old 5th June 2021
jggimi

Post your configuration.

Without it, we can only make guesses and generalizations.
#6
Old 6th June 2021
CiotBSD

Pfff, I do not like this!

My virtualization config:
Quote:
$ cat /etc/vm.conf
switch "sw" {
interface bridge0
}

vm "vm-dns" {
disk /home/my-user/VM/vm-dns.qcow2 format qcow2
enable
interface { switch "sw" }
memory 1G
owner my-user
}

vm "vm-web" {
disk /home/my-user/VM/vm-web.qcow2 format qcow2
enable
interface { switch "sw" }
memory 4G
owner my-user
}
The bridge interface on the host:
Quote:
$ cat /etc/hostname.bridge0
add em0
The em0 interface on the host:
Quote:
$ cat /etc/hostname.em0
inet 192.168.xyz.2
inet6 2a00:5881:8118:2100:c107:b5d::2 64
The PF rules on the host:
Quote:
(...)
# For VM
pass quick on tap

# to dns on VM DNS; dns_ports are: 53, 853
pass in quick on em0 proto tcp from any to { $vmdns $vm6dns1 $vm6dns2 } port $dns_ports
pass in quick on em0 proto udp from any to { $vmdns $vm6dns1 $vm6dns2 } port $dns_ports

# to http on VM web; web_ports are: 80, 443
pass in quick log on em0 inet proto tcp to $vmweb port $web_ports
pass in quick log on em0 inet6 proto tcp to $vm6web port $web_ports
(...)
Host and VMs are on the same networks, both IPv4 and IPv6.
- VM for DNS: address segment 3, i.e. for IPv4: inet 192.168.xyz.3, and for IPv6: inet6 2a00:5881:8118:2100:c107:b5d::3 64
- VM for web: address segment 4

OK, this runs correctly without any problem, at home, via my FAIbox.

Now, I installed OpenVPN on the host, as a client! (I pay for a VPN service from a French association named ARN-FAI.)
I changed the sysctl values to enable forwarding on IPv4 and IPv6, because it seems needed. (Not necessary for virtualization, where host and guests are on the same networks.)
Quote:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
@prx: after the change on my DNS, the record for www (in my nsd config) is:
Quote:
www IN A 89.234.141.32
www IN AAAA 2a00:5881:8118:2100:c107:b5d::4
I set new rules in PF, but they do not "function":
Quote:
pass in quick on tun0 proto tcp from any to tun0 port $web_ports rdr-to $vmweb
match out on tun0 from em0:network to any nat-to (tun0)
pass out on tun0
I watched with tcpdump:
Quote:
rule 0/(match) match in on tun0: 88.136.16.221.48792 > 89.234.141.32.80: S 545538650:545538650(0) win 64240 <mss 1203,sackOK,timestamp 3757879048 0,nop,wscale 7> (DF)
but no "switch" on em0.
Last edited by CiotBSD; 6th June 2021 at 02:12 AM.
#7
Old 6th June 2021
jggimi

The very first rule in this fragment, "pass quick on tap", will always match for your guest virtual machines. Because of the use of the "quick" option, no other rules for virtual machine traffic will be examined. If you were to use rdr-to in more specific rules as prx@ suggested, they would not be applied because the "quick" rule would have already matched.
#8
Old 7th June 2021
CiotBSD

OK.

See here my current PF rules. (stay one day)
And the traffic does not pass.

I tried to put the rule:
Quote:
pass in on tun0 inet proto tcp from any to tun0 port $web_ports rdr-to $vmweb
before the final "block log", but with the same results:
Quote:
Jun 07 11:05:07.565153 rule 0/(match) match in on tun0: 88.136.16.221.40426 > 89.234.141.32.80: S 1281409946:1281409946(0) win 64240 <mss 1203,sackOK,timestamp 193028053 0,nop,wscale 7> (DF)
Jun 07 11:05:07.565161 rule 85/(match) block in on tun0: 88.136.16.221.40426 > 89.234.141.32.80: S 1281409946:1281409946(0) win 64240 <mss 1203,sackOK,timestamp 193028053 0,nop,wscale 7> (DF)
Rule 85 is the "block log".
Last edited by CiotBSD; 7th June 2021 at 12:35 PM.
#9
Old 8th June 2021
jggimi

All I can determine is that the traffic you want to redirect does not appear to match any of your existing (or your test) pass rules, other than your rule 0 "match" rule. I recommend running tcpdump(8) against the tun0 interface while watching the incoming traffic. You may be able to see if there is something about the packets that will help you to revise your test pass rules so that they match.
Old 9th June 2021
TronDD

My guess, from what little we see of your pf config, is that you're now mixing regular and quick rules. Regular rules are 'last match wins', so

'pass something' before 'block log' (which is 'block all') will never do what's in the pass rule. It will always be blocked.

It's best to not mix quick and regular rules.
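Combining jggimi's point about rule order with TronDD's point about last-match semantics, here is an added pf.conf fragment that is not from any post in this thread. It reuses the macro names from post #6 ($vmweb, $web_ports), assumes tun0 is the OpenVPN client interface and em0 the bridged LAN interface, and assumes the guest's default route is the home router rather than the host.

```pf
# Macros; $vmweb and $web_ports are the names used in post #6.
vpn_if    = "tun0"              # OpenVPN client interface
lan_if    = "em0"               # bridged LAN interface shared with the guests
vmweb     = "192.168.xyz.4"     # web guest; "xyz" is the placeholder used in the thread
web_ports = "{ 80 443 }"

# Ordering as posted in #8 (shown commented out): without "quick" the LAST
# matching rule wins, and "block log" matches everything, so the pass rule
# above it never takes effect.  The log in #8 shows exactly that: the final
# match is rule 85, the "block log".
#   pass in on $vpn_if inet proto tcp from any to $vpn_if port $web_ports rdr-to $vmweb
#   block log

# Corrected ordering: specific quick rules first, catch-all last.

# 1. Redirect HTTP(S) arriving over the VPN to the web guest.  "quick" stops
#    evaluation here so no later rule can override the redirect.  ($vpn_if)
#    in parentheses is re-evaluated when tun0 changes address, so the rule
#    keeps working after the VPN reconnects with a new address.
pass in quick on $vpn_if inet proto tcp from any to ($vpn_if) \
    port $web_ports rdr-to $vmweb

# 2. The redirected packets leave the host on em0 carrying the remote
#    client's public source address.  The guest would answer via its own
#    default gateway (the home router) rather than the host, so the handshake
#    would never complete.  Rewriting the source to the host's em0 address
#    keeps replies flowing back through the host, where the rdr state lives.
match out on $lan_if inet proto tcp to $vmweb port $web_ports nat-to ($lan_if)
pass out quick on $lan_if inet proto tcp to $vmweb port $web_ports

# 3. The existing generic guest rule, now after the specific ones.
pass quick on tap

# 4. Final catch-all; everything that should pass must have matched a quick
#    rule above it.
block log
```

Check the ordering with pfctl -nf /etc/pf.conf before loading, and confirm with tcpdump on pflog0 that the tun0 connection is logged against the rdr-to pass rule rather than the block.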