Openvpn pf/nat/route-to issue

I'm having a pf/nat/route-to problem with OpenBSD 4.6 and OpenVPN 2.1_rc15. VPN setup works and I'm able to send (and receive) data when doing it directly from my OpenBSD firewall:

Code:
# ping 192.36.171.154
PING 192.36.171.154 (192.36.171.154): 56 data bytes
64 bytes from 192.36.171.154: icmp_seq=0 ttl=60 time=21.692 ms

Code:
tcpdump: listening on tun0, link-type EN10MB
22:56:59.951191 178.73.197.139 > 192.36.171.154: icmp: echo request
22:56:59.972697 192.36.171.154 > 178.73.197.139: icmp: echo reply

fails. The really strange thing is that pflog0 says the packet is sent out on tun0, but the tcpdump on tun0 never sees the icmp packet:

# tcpdump -ettt -ni pflog0
Code:
tcpdump: listening on pflog0, link-type PFLOG
Jan 15 23:00:25.921497 rule 156.vpn.10/(match) pass in on vr2: 172.16.1.20 > 192.36.171.154: icmp: echo request (DF)
Jan 15 23:00:25.921558 rule 100/(match) pass out on tun0: 178.73.197.139 > 192.36.171.154: icmp: echo request (DF)

Code:
tcpdump: listening on tun0, link-type EN10MB

tun0 settings:
Code:
# ifconfig tun0
tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr 00:bd:e2:30:c0:01
        priority: 0
        media: Ethernet autoselect
        status: active
        inet 178.73.197.139 netmask 0xffffff80 broadcast 178.73.197.255
        inet6 fe80::2bd:e2ff:fe30:c001%tun0 prefixlen 64 scopeid 0x7

Code:
nat on tun0 from 172.16.1.0/24 to any -> tun0
pass in log quick on dmzif route-to tun0 inet proto icmp from 172.16.1.0/24 to any icmp-type echoreq tag VPN_TRAFFIC
pass out log quick on tun0 inet proto icmp from tun0 to any icmp-type echoreq tagged VPN_TRAFFIC

Code:
# sysctl -a | grep net.inet.ip.forwa
net.inet.ip.forwarding=1

Code:
dev tun0
dev-type tap
Last year in OpenBSD port of OpenVPN revisited I posted a solution for an OpenVPN issue, but that was using tun0 as a non-tap device IIRC.

If you run tcpdump on tun0 with the '-e' flag turned on you should be able to see the MAC or lladdress. That could help in debugging. And I wonder why you need the route-to in

Code:
pass in log quick on dmzif route-to tun0 inet proto icmp from 172.16.1.0/24 \
    to any icmp-type echoreq tag VPN_TRAFFIC

__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
I'm doing source routing with the route-to. The setup is that I have two internal networks; one of the networks (dmzif) is only allowed to connect to the Internet through the openvpn connection. (The openvpn connection is an IP anonymization service, called anonine.) This exact pf configuration with route-to (source routing) worked perfectly when using a pptp connection instead of openvpn.

I think the default route on dmz is fine, otherwise I wouldn't see any packets in the pflog0 log. I just tried to remove the route-to from the configuration line and added a static route for 192.36.171.154 to tun0. And now it works from my client!! I also tried to keep the static route and put back route-to in the config: does not work. Conclusion: using route-to with a tun device in "dev-type tap" mode does not work. Probably a bug, I think.
Solved!

Added default gateway on the route-to.. from:

Code:
pass in log quick on $dmz_if route-to tun0 inet proto icmp from $dmz_network to any icmp-type echoreq tag VPN_TRAFFIC
pass out log quick on tun0 inet proto icmp from tun0 to any icmp-type echoreq tagged VPN_TRAFFIC

Code:
pass in log quick on $dmz_if route-to (tun0 <anonine_gateway>) inet proto icmp from $dmz_network to any icmp-type echoreq tag VPN_TRAFFIC
pass out log quick on tun0 inet proto icmp from tun0 to any icmp-type echoreq tagged VPN_TRAFFIC

Code:
#!/bin/sh
# OpenVPN "up" script: put the gateway OpenVPN learned into the pf table,
# then reload the VPN anchor so route-to (tun0 <anonine_gateway>) picks it up
pfctl -t anonine_gateway -T replace "$route_vpn_gateway"
/sbin/pfctl -a vpn -f /etc/pf.conf.vpn
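The following is an added example, not the poster's own script, showing the same pattern as the fix above (the route-to rules from the first post rewritten with a gateway table, and the up script that fills that table) as a complete OpenVPN up script that refuses to load anything that is not an IPv4 address into the table. The table name anonine_gateway, the anchor name vpn and the ruleset path /etc/pf.conf.vpn are taken from the post; the PFCTL override, the function names and the sample addresses are assumptions made here for illustration and testing.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN "up" script that installs the
# VPN gateway into a pf table and reloads the anchor holding the route-to rules.
# OpenVPN exports route_vpn_gateway to up scripts (openvpn(8), Environmental
# Variables). Run with: up /etc/openvpn/vpn-up.sh and script-security 2.
# PFCTL can be overridden (e.g. PFCTL=true) to dry-run without touching pf.
: "${PFCTL:=/sbin/pfctl}"
TABLE=anonine_gateway      # table referenced by route-to (tun0 <anonine_gateway>)
ANCHOR=vpn                 # anchor seen in pflog as "rule 156.vpn.10"
RULES=/etc/pf.conf.vpn     # ruleset loaded into that anchor

# is_ipv4 ADDR: returns 0 if ADDR is a dotted quad with four octets in 0..255.
# Anything else (empty, hostnames, extra dots, octets > 255) returns 1, so an
# unexpected or malformed environment value never reaches pfctl.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# apply_gateway GW: replace the table contents with GW (so a stale gateway from
# a previous session is dropped, not accumulated) and reload the anchor.
apply_gateway() {
    gw=$1
    if ! is_ipv4 "$gw"; then
        echo "vpn-up: refusing to load gateway '$gw' into <$TABLE>" >&2
        return 1
    fi
    "$PFCTL" -t "$TABLE" -T replace "$gw" || return 1
    "$PFCTL" -a "$ANCHOR" -f "$RULES"
}

# When invoked by OpenVPN, route_vpn_gateway is set; otherwise do nothing so
# the file can be sourced for testing.
if [ -n "${route_vpn_gateway:-}" ]; then
    apply_gateway "$route_vpn_gateway"
fi
```

For the route-to rule to reference the table, the main pf.conf must declare it and the anchor, e.g. `table <anonine_gateway> persist` and `anchor vpn` (assumed names, matching the post); `persist` keeps the table alive while it is empty between VPN sessions. Replacing the table instead of adding to it means the route-to rule only ever sees the gateway of the current tunnel.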