DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 24th June 2014
alikzus alikzus is offline
New User
 
Join Date: May 2010
Location: Stockholm, Sweden
Posts: 7
Thanked 0 Times in 0 Posts
Default How to use the external interface and a VPN tunnel for different services/clients?

Can you help me out here, please? I do not need a step-by-step guide, just a friendly kick in the right direction.

I have an OpenBSD gateway/router/networking server with two network interfaces in use: one for the external network (WAN) and one for my internal network (LAN).

On the internal side I have a bunch of clients including an OpenBSD server that serves both the outside world (currently http and ssh) and the inside (currently NFS).

I have used an OpenVPN client to create a VPN tunnel on the gateway, and that works fine, but I do not want all traffic to go through the tunnel. I want to exclude, for example, the web and shell services.

How should I think? Can I do this with only pf or do I need to make changes to the routing table?

If I create the tunnel, without any changes to my pf rule set, the web server stops to be accessible from the outside and the clients cannot access the outside; because the default route is changed, I guess.

If I change $wan_if from em0 to tun0 the clients can access the outside, but of course I cannot access the web server on the IP address that is assigned to em0 (I have not tried to access it through the IP address at tun0).

Is it just a matter of having dual NAT:ing for the two interfaces or will the replies take the default route no matter what? I did a test shot with an additional nat-to rule yesterday, but it did not work and then it was time for bed.
Reply With Quote
  #2   (View Single Post)  
Old 26th June 2014
alikzus alikzus is offline
New User
 
Join Date: May 2010
Location: Stockholm, Sweden
Posts: 7
Thanked 0 Times in 0 Posts
Default

I have made some tests using reply-to, but without success.

I guess that I need to alter the routing table, but as I lack knowledge in that area I have ordered some books to solve that.

I have dynamic IP addresses on both the em0 and tun0 interface; will that be a problem?

Edit: I will search the OpenVPN community for a solution to this as well.

Last edited by alikzus; 26th June 2014 at 10:35 AM.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
ipsec tunnel 3 networks with one tunnel polken OpenBSD Security 0 24th May 2012 06:33 AM
Disabling Services Not Needed EverydayDiesel OpenBSD Security 10 25th January 2010 01:20 PM
start stop services ? smooth187 OpenBSD General 4 31st August 2008 01:00 AM
Exempting clients from AuthPF Kristijan NetBSD Security 1 12th July 2008 12:09 AM
Learn which services are listening on your box anomie Guides 5 14th May 2008 09:59 AM


All times are GMT. The time now is 03:29 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick