DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 12th August 2017
afdruiprek afdruiprek is offline
New User
 
Join Date: Jun 2017
Posts: 9
Default Route some ip addresses outside VPN

Hello I’m a new member to this forum but i have used it a lot before i became a member.

I have a router with pfSense but would like to change it in favor for OpenBSD pf .

My setup looks like this.

ISP **** ROUTER **** AP

I run one Openvpn client on the router so that all machines on the wifi AP goes through the vpn.

Now comes the problem i would want some of the clients ip addresses to be routed through wan (without VPN) i have tried different routing alternatives but i haven’t find anything that works.
Everything else seems to work even the "killswitch".


Here is my pf.conf any suggestions on optimizations would also be appreciated
thanks in advance !!
Code:
ext_if = "em0"              # External interface
int_if = "em1"              # Internal interface
vpn_if = "tun0"             # Vpn interface


table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
		   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \ 			          203.0.113.0/24 }


set block-policy drop
set loginterface $ext_if 
set skip on lo0  



match in all scrub (no-df random-id max-mss 1440)


match out on $ext_if inet from ($int_if:network) to any nat-to ($ext_if:0)
match out on $vpn_if inet from ($int_if:network) to any nat-to ($vpn_if:0)


block in quick on $ext_if from <martians> to any
block return out quick on $ext_if from any to <martians>

block all
pass in on $int_if from $int_if:network to any tag NO_WAN_EGRESS keep state



block quick on $ext_if tagged NO_WAN_EGRESS
#block return out quick on $ext_if tagged NO_WAN_EGRESS

pass out quick inet
#pass in on $int_if inet

Last edited by ocicat; 12th August 2017 at 07:43 PM. Reason: Please use [code] & [/code] tags when posting file contents.
Reply With Quote
  #2   (View Single Post)  
Old 13th August 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Hello, and welcome!
Quote:
...i would want some of the clients ip addresses to be routed through wan (without VPN)..
At the moment, your configuration blocks all traffic originating on $int_if (em1) from transiting $ext_if (em0), as all traffic originating on $int_if is tagged NO_WAN_EGRESS.

Since tags are "sticky" you could add another pass rule with a different tag immediately following the first pass rule, such as:
Code:
pass in on $int_if from $int_if:network to any tag NO_WAN_EGRESS keep state
pass in from address tag WAN_EGRESS_IS_OK
The address could be a single address, a set of addresses in a list, or a table of addresses. (Note: "to any" and "keep state" are defaults.)

For more on tags, see the pf.conf(5) man page and the packet tagging chapter of the PF User's Guide.

Last edited by jggimi; 13th August 2017 at 01:51 PM. Reason: typo
Reply With Quote
  #3   (View Single Post)  
Old 13th August 2017
afdruiprek afdruiprek is offline
New User
 
Join Date: Jun 2017
Posts: 9
Default

Thanks for the tips jggimi i will use your rule.

But that won’t change the VPN issue, i have tried before without the NO_WAN_EGRESS rules to force 1 ip address to
be routed through the wan (to use my ISP ip not vpn) but whenever a VPN client is running on the server it changes its default route.
I have searched forums and OpenBSD manuals but haven’t really find a solution that works .
Reply With Quote
  #4   (View Single Post)  
Old 13th August 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Perhaps I'm confused. I understood your issue to be to with passing traffic for a device on the local network that is NOT using your VPN. If that is the case, then its routing table should not be affected.

I'm not an OpenVPN user so am unable to offer specific provisioning advice for it.
Reply With Quote
  #5   (View Single Post)  
Old 13th August 2017
afdruiprek afdruiprek is offline
New User
 
Join Date: Jun 2017
Posts: 9
Default

Its probably my explanation that is bad, English isn’t my first language.

The VPN client is running on the Router and all machine on the local network that is connected through LAN is getting the VPN providers ip address.

If i turn off the VPN client all machines will get my ISP ip address therefore the NO_WAN_EGRESS rule
so if the VPN goes down no traffic vill pass

What i want is that 1 ore more machines on the LAN to not be routed through VPN (use ISP ip address) and all the others uses VPN .

I hope you will understand me now.
Reply With Quote
  #6   (View Single Post)  
Old 13th August 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

You'll need to adjust the OpenVPN client configuration so that it excludes the specific device or devices.
Reply With Quote
  #7   (View Single Post)  
Old 20th August 2017
hanzer's Avatar
hanzer hanzer is offline
Real Name: Adam Jensen
just passing through
 
Join Date: Oct 2013
Location: EST USA
Posts: 314
Default

Quote:
Originally Posted by afdruiprek View Post
The VPN client is running on the Router and all machine on the local network that is connected through LAN is getting the VPN providers ip address.

If i turn off the VPN client all machines will get my ISP ip address therefore the NO_WAN_EGRESS rule
so if the VPN goes down no traffic vill pass

What i want is that 1 ore more machines on the LAN to not be routed through VPN (use ISP ip address) and all the others uses VPN .
Hi @afdruiprek, I'm somewhat new to the role of helping here - hopefully the authoritarian personality types won't be terribly offended by the different style <smirk>.

Is dhcpd involved in your setup? Once the firewall is configured to pass traffic, it could be that if the various client machines were each configured with a specific gateway address, that might be a step closer to what you need. For example, if the router machine is running dhcpd then a specific gateway address for each LAN machine might be configured like this (I am guessing - *not tested*):
/etc/dhcpd.conf
Code:
                                                                                                             
option domain-name "mylan.net";

subnet 192.168.0.0 netmask 255.255.255.0 {
        option domain-name-servers 192.168.0.1;

        range 192.168.0.4 192.168.0.127;

        host lanws02 {
                hardware ethernet 00:00:00:00:00:00;
                fixed-address 192.168.0.2;
                option routers 10.0.0.1;
        }

        host lanws03 {
                hardware ethernet 00:00:00:00:00:00;
                fixed-address 192.168.0.3;
                option routers 192.168.0.1;
        }
}

Last edited by hanzer; 20th August 2017 at 07:25 PM. Reason: added some color
Reply With Quote
  #8   (View Single Post)  
Old 20th August 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

hanzer, I'm not sure DHCP is involved in this specific issue, which is that a set of devices need to be excluded from using the OpenVPN tunnel. But that's if I understand the issue, of course.
Reply With Quote
  #9   (View Single Post)  
Old 20th August 2017
hanzer's Avatar
hanzer hanzer is offline
Real Name: Adam Jensen
just passing through
 
Join Date: Oct 2013
Location: EST USA
Posts: 314
Default

Quote:
Originally Posted by jggimi View Post
hanzer, I'm not sure DHCP is involved in this specific issue, which is that a set of devices need to be excluded from using the OpenVPN tunnel. But that's if I understand the issue, of course.
Yeah, I might not understand either. I have assumed (possibly incorrectly) that the VPN appears as a network device with an IP address, it routes to a VPN gateway and it is set as the default gateway; also, the physical network interfaces have IP addresses and one routes to the ISP gateway (a guess based on the original post). If the goal is for some LAN machines to route traffic through the VPN gateway and other LAN machines to route traffic through the ISP gateway, it seems like that might be achieved by configuring the routing tables of the various machines - assuming the firewalls are appropriately passing traffic and the VPN is appropriately configured to accept/deny connections (assuming that is a VPN pseudo-device configuration option).

The OP might come back with some clarification and more details.

Last edited by hanzer; 20th August 2017 at 07:36 PM. Reason: tweak
Reply With Quote
Old 20th August 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Disclaimer: I'm not an OpenVPN user.

  • OpenVPN uses UDP (or TCP if needed) to tunnel virtual networks between two end-point gateways, using X.509 certificates for authenticity and authority, and SSL/TLS encryption primitives between end-points. I
  • It is implemented as a userland application, which can runs on many different OSes.
  • On OpenBSD, it uses a tun(4) interface to pass network traffic into and out of the userland-based application.
If I understood the configuration in afdruiprek's top post:
  1. The VPN gateway on the OpenBSD is provisioned to prevent all traffic on the local network from transiting to the Internet, while permitting only VPN traffic to pass. Something like this ASCII "graphic" logically, but not physically:
    Code:
    [Internal LAN (em1)] - [VPN Gateway (tun0)] - [Internet (em0)]
  2. In order for a device on the the internal LAN to reach the Internet, the device must have OpenVPN provisioned, and it must connect to the OpenVPN gateway on OpenBSD.
  3. When an OpenVPN client connects to an OpenVPN server, it updates routing tables on the client system so that the appropriate traffic is routed through the VPN. When the OpenVPN client disconnects from an OpenVPN server, its routing tables should revert to normal.
There are two parts to afdruiprek's issue, if I understand it correctly.
  1. PF must pass the direct traffic for the device (as discussed in my first reply in this thread).
  2. OpenVPN use must be disabled for the device, so that it doesn't use it.

Last edited by jggimi; 20th August 2017 at 07:55 PM. Reason: typos
Reply With Quote
Old 20th August 2017
hanzer's Avatar
hanzer hanzer is offline
Real Name: Adam Jensen
just passing through
 
Join Date: Oct 2013
Location: EST USA
Posts: 314
Default

Quote:
Originally Posted by jggimi View Post
Disclaimer: I'm not an OpenVPN user.
Me neither. I initially, shallowly and [probably] mistakenly imagined something like a simple proxy or a simple tunnel. It kind of makes sense that it would need to do a lot more if it is meant to be a complete solution...
Reply With Quote
Old 21st August 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Glancing at the pkg-readme on behalf of amithapr earlier today, I note the application can also use a tap(4) pseudo-interface. The choice between tap()/tun() depends on the type of traffic that needs to transit the VPN.
Reply With Quote
Old 29th August 2017
afdruiprek afdruiprek is offline
New User
 
Join Date: Jun 2017
Posts: 9
Default

I'm sorry I have not answered earlier.

Quote:
3. When an OpenVPN client connects to an OpenVPN server, it updates routing tables on the client system so that the appropriate traffic is routed through the VPN. When the OpenVPN client disconnects from an OpenVPN server, its routing tables should revert to normal.
Correct and I'm using the tun0 interface
and the OpenVPN client is running on the OpenBSD router.
I found that you can change some routing in vpn.conf file but it didn't work
Code:
# redirect all default traffic via the VPN
redirect-gateway def1
# redirect the Intranet network 192.168.1/24 via the VPN
route 192.168.1.0 255.255.255.0
# redirect another network to NOT go via the VPN
route 10.10.0.0 255.255.255.0 net_gateway
# redirect a host using a domainname to NOT go via the VPN
route www.google.ca 255.255.255.255 net_gateway
On my pfSense router i can choose LAN ip addresses to run outside the VPN
but i can't figure out how because its WebGUI and they scatter files around and use XML files
thats also one of the reasons i don't want to use pfSense (it does work great) but i like simplicity .
This is what i did get from the pf.rules in pfSense
Code:
anchor "userrules/*" all
block return out quick on igb0 reply-to (igb0 xx.xxx.xx.xx ISP ip) inet all label "USER_RULE: Reject outbound traffic marked NO_WAN_EGRESS" tagged NO_WAN_EGRESS
pass in quick on igb1 inet from <NETFLIX> to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on igb1 route-to (igb0 xx.xxx.xx.xx ISP ip) inet from <NETFLIX> to any flags S/SA keep state label "USER_RULE: NETFLIX ON WAN not VPN"
pass in quick on igb1 inet from 192.168.1.0/24 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination" tag NO_WAN_EGRESS
pass in quick on igb1 route-to (ovpnc1 10.128.0.1) inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to OVPN mark traffic as NO_WAN_EGR" tag NO_WAN_EGRESS
Reply With Quote
Old 29th August 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

If:
  • You are able to disable OpenVPN on the local device on the LAN
  • You are able to configure OpenVPN on the local device to bypass OpenVPN and use the LAN directly
Then the advice I offered in post #2 above should work.
Reply With Quote
Reply

Tags
vpn;pf;client;routing;openbsd

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenVPN No Route To Host Peter_APIIT OpenBSD Security 10 18th September 2015 03:05 AM
Route to enc0 WeakSauceIII OpenBSD Security 11 1st June 2015 07:40 PM
No Route to Host rtwingfield FreeBSD Installation and Upgrading 9 25th May 2015 03:05 AM
route on openbsd hpabsdbeginner1 OpenBSD General 2 15th April 2014 07:17 PM
How to add static route using virtual NIC bsdplus Solaris 1 22nd August 2010 02:10 AM


All times are GMT. The time now is 09:12 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick