Old 16th January 2012
lasstoff
New User
Join Date: Jan 2012
Posts: 3
Openvpn pf/nat/route-to issue

I'm having a pf/nat/route-to problem with OpenBSD 4.6 and OpenVPN.

The VPN setup works and I'm able to send (and receive) data when doing it
directly from my OpenBSD firewall:

# ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=60 time=21.692 ms
# tcpdump -ni tun0 icmp
tcpdump: listening on tun0, link-type EN10MB
22:56:59.951191 > icmp: echo request
22:56:59.972697 > icmp: echo reply
But when doing the same ping from a client behind my OpenBSD firewall, it
fails. The really strange thing is that pflog0 says the packet is sent
out on tun0, but the tcpdump on tun0 never sees the ICMP packet:

# tcpdump -ettt -ni pflog0
tcpdump: listening on pflog0, link-type PFLOG
Jan 15 23:00:25.921497 rule 156.vpn.10/(match) pass in on vr2: > icmp: echo request (DF)
Jan 15 23:00:25.921558 rule 100/(match) pass out on tun0: > > icmp: echo request (DF)
# tcpdump -ni tun0 icmp
tcpdump: listening on tun0, link-type EN10MB
Any ideas, anyone?

tun0 settings:
# ifconfig tun0
        lladdr 00:bd:e2:30:c0:01
        priority: 0
        media: Ethernet autoselect
        status: active
        inet netmask 0xffffff80 broadcast
        inet6 fe80::2bd:e2ff:fe30:c001%tun0 prefixlen 64 scopeid 0x7
Relevant parts of pf.conf:
nat on tun0 from to any -> tun0
pass in log quick on dmzif route-to tun0 inet proto icmp from to any icmp-type echoreq tag VPN_TRAFFIC
pass out log quick on tun0 inet proto icmp from tun0 to any icmp-type echoreq tagged VPN_TRAFFIC

# sysctl -a | grep net.inet.ip.forwa
Parts of the OpenVPN config:
dev tun0
dev-type tap
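One way to make the symptom in this post mechanical to spot, as an added example that is not part of the original post: the script below cross-checks pflog "pass out on <iface>" entries against a capture taken on that interface and lists every flow pf logged as routed out that never appeared on the wire. The function name missing_on_wire and the sample addresses (10.8.0.2, 198.51.100.x, 192.0.2.10) are constructed for the example; the post's own addresses were stripped from the page. It assumes the tcpdump output formats shown in the post (-ettt on pflog0, plain -n on the interface) and the base awk shipped with OpenBSD.

```shell
#!/bin/sh
# Added example (not from the post): compare what pf logged as "pass out"
# with what actually showed up in a capture on the outgoing interface.
# All addresses below are constructed placeholders.

set -eu

# missing_on_wire PFLOG_DUMP IFACE_DUMP
#   PFLOG_DUMP : saved output of  tcpdump -ettt -ni pflog0
#   IFACE_DUMP : saved output of  tcpdump -ni <iface>
# Prints "<iface> <src> > <dst> <proto>" for every pass-out flow that pf
# logged but that has no matching packet in the interface capture.
# The interface capture is read first so its flows are known before the
# pflog entries are checked; an empty interface capture therefore reports
# every logged pass-out flow as missing.
missing_on_wire() {
    awk -v ifdump="$2" '
        FILENAME == ifdump {            # interface capture: remember each flow
            split($0, f, ": ")          # f[1]="<ts> src > dst", f[2]=proto
            sub(/^[^ ]+ /, "", f[1])    # drop the tcpdump timestamp
            seen[f[1] " " f[2]] = 1
            next
        }
        /pass out on / {                # pflog: only pass-out entries matter
            rest = substr($0, index($0, "pass out on ") + 12)
            split(rest, f, ": ")        # f[1]=iface, f[2]="src > dst", f[3]=proto
            key = f[2] " " f[3]
            if (!(key in seen))
                print f[1], f[2], f[3]
        }
    ' "$2" "$1"
}

# Constructed sample captures modelled on the tcpdump lines in the post.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
PFLOG_DUMP="$SAMPLE_DIR/pflog.txt"
TUN_DUMP="$SAMPLE_DIR/tun0.txt"
EMPTY_DUMP="$SAMPLE_DIR/empty.txt"

cat > "$PFLOG_DUMP" <<'EOF'
Jan 15 23:00:25.921497 rule 156.vpn.10/(match) pass in on vr2: 192.0.2.10 > 198.51.100.5: icmp: echo request (DF)
Jan 15 23:00:25.921558 rule 100/(match) pass out on tun0: 10.8.0.2 > 198.51.100.5: icmp: echo request (DF)
Jan 15 23:00:26.100001 rule 100/(match) pass out on tun0: 10.8.0.2 > 198.51.100.9: icmp: echo request (DF)
EOF

# Only the second pass-out flow made it onto tun0 in this sample.
cat > "$TUN_DUMP" <<'EOF'
23:00:26.100100 10.8.0.2 > 198.51.100.9: icmp: echo request
23:00:26.121000 198.51.100.9 > 10.8.0.2: icmp: echo reply
EOF

# An empty interface capture, as in the post.
: > "$EMPTY_DUMP"

missing_on_wire "$PFLOG_DUMP" "$TUN_DUMP"
```

Run it with the two captures saved to files. A flow listed here was accepted by the pf filter stage (the pflog entry proves that), so the search narrows to what happens between pf's route-to decision and the interface itself rather than to the pass rules.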