DaemonForums  

Old 3rd March 2021
dnslc
Port Guard
 
Join Date: Jun 2020
Location: Australia
Posts: 24
PF OpenVPN killswitch

I am trying to make a `killswitch' for OpenVPN with PF (a .conf that will only allow traffic to flow out of the VPN connection and not the `clear' internet)

Here is my pf.conf:
Code:
# ue0 is regular internet
# tun0 is OpenVPN

block all

# allow local ssh connections
pass proto tcp from ue0:network to port ssh
   
# DNS (for server IP lookup)
pass quick proto {tcp, udp} from any to any port 53 keep state

# VPN IPs
pass out on ure0 proto {tcp, udp} from any to { 185.117.118.24, 185.117.118.23 }

pass on tun0 all
However when I try to connect to the VPN server I get this:
Code:
$ sudo openvpn Finland_UDP.ovpn
[...]
2021-03-03 13:14:29 us=888719 UDP link remote: [AF_INET]185.117.118.23:443
2021-03-03 13:14:29 us=889216 write UDP: Permission denied (code=13)
2021-03-03 13:14:31 us=49223 write UDP: Permission denied (code=13)
Why is UDP blocked? I thought I had allowed it.
Old 3rd March 2021
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

Change block all to block log all and reload your rule set.

Now all blocked packets will show up on the pflog(4) interface.
To see these packets as root do: # tcpdump -n -e -ttt -i pflog0
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
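A small summariser for the tcpdump pflog output J65nko describes, added here as an example (it is not code from the thread). It groups blocked packets by direction, interface, protocol and destination, so a misnamed interface or a blocked VPN handshake like the one in post #1 shows up as one counted line instead of a scrolling stream. The sample lines are constructed, the regex assumes the default OpenBSD tcpdump text for pflog packets (`rule N/(match) block out on IF: src > dst: proto`), and endpoint splitting handles IPv4 only.

```python
#!/usr/bin/env python3
"""Summarise blocked packets from `tcpdump -n -e -ttt -i pflog0` output.

Added example for this thread, not from the original posts. Assumes the
default OpenBSD tcpdump pflog text format; sample lines are constructed.
"""
import re
from collections import Counter

# Constructed sample output (not a real capture). The -ttt prefix (delta in
# microseconds) is ignored; the parser anchors on the "rule N/(match)" part.
SAMPLE_PFLOG = """\
000000 rule 0/(match) block out on ue0: 192.168.1.20.49152 > 185.117.118.23.443: udp 14
000413 rule 0/(match) block out on ue0: 192.168.1.20.49152 > 185.117.118.23.443: udp 14
001998 rule 0/(match) block in on ue0: 192.168.1.55.60001 > 192.168.1.20.22: tcp 60
000120 rule 0/(match) block out on ue0: 192.168.1.20 > 172.217.167.100: icmp: echo request
"""

LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>block|pass) (?P<direction>in|out) "
    r"on (?P<ifname>\w+): (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)"
)


def split_hostport(token):
    """tcpdump prints IPv4 endpoints as a.b.c.d.port; return (host, port or None).

    IPv4 only (an assumption of this example); anything else is returned unsplit.
    """
    parts = token.split(".")
    if len(parts) == 5 and all(p.isdigit() for p in parts):
        return ".".join(parts[:4]), parts[4]
    return token, None


def parse_pflog(text):
    """Turn tcpdump pflog lines into dicts; non-packet lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # banner, truncated line, or something else tcpdump printed
        dst_host, dst_port = split_hostport(m["dst"])
        # "udp 14" -> udp, "icmp: echo request" -> icmp, "tcp 60" -> tcp
        proto = m["rest"].split()[0].rstrip(":")
        entries.append({
            "rule": int(m["rule"]), "action": m["action"],
            "direction": m["direction"], "ifname": m["ifname"],
            "src": m["src"], "dst_host": dst_host, "dst_port": dst_port,
            "proto": proto,
        })
    return entries


def summarize_blocked(entries):
    """Count blocked packets keyed by (direction, interface, proto, dst host, dst port)."""
    counts = Counter()
    for e in entries:
        if e["action"] != "block":
            continue
        counts[(e["direction"], e["ifname"], e["proto"], e["dst_host"], e["dst_port"])] += 1
    return counts


def report(counts):
    """Render the counts, most frequent first, one destination per line."""
    lines = []
    for (direction, ifname, proto, host, port), n in counts.most_common():
        dest = f"{host}:{port}" if port else host
        lines.append(f"{n:5d}  block {direction} on {ifname}  {proto:<4} -> {dest}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Pipe live output in, e.g.  tcpdump -n -e -ttt -i pflog0 | python3 pflog_summary.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PFLOG
    print(report(summarize_blocked(parse_pflog(text))))
```

Run as root behind the tcpdump command from the post, or feed it a saved text capture. On the constructed sample the top line is the two UDP packets to 185.117.118.23:443 blocked outbound on ue0, which is precisely the VPN handshake TronDD points at in the next post.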
Old 4th March 2021
TronDD
Spam Deminer
 
Join Date: Sep 2014
Posts: 304

I don't use openVPN but is that connection attempt to port 443 trying to establish the VPN connection? That happens over the external interface, not the tunnel (since it needs to connect to set up the tunnel). You need to allow that on ure0.
Old 4th March 2021
dnslc
Port Guard
 
Join Date: Jun 2020
Location: Australia
Posts: 24

Thanks for the advice, but it turns out the problem was a typo! (isn't it always?)

Code:
# ue0 is regular internet
# tun0 is OpenVPN

block all

# allow local ssh connections
pass proto tcp from ue0:network to port ssh
   
# DNS (for server IP lookup)
pass quick proto {tcp, udp} from any to any port 53 keep state

# VPN IPs
pass out on ue0 proto {tcp, udp} from any to { 185.117.118.24, 185.117.118.23 }

pass on tun0 all
I removed the `r' from ure0 to ue0 and it works just fine now.

Code:
[ VPN is running in another screen ($ sudo openvpn server.ovpn) ]
$ ping www.google.com
PING www.google.com (172.217.167.100): 56 data bytes
64 bytes from 172.217.167.100: icmp_seq=0 ttl=112 time=559.999 ms
64 bytes from 172.217.167.100: icmp_seq=1 ttl=112 time=558.409 ms
64 bytes from 172.217.167.100: icmp_seq=2 ttl=112 time=558.484 ms
[ I ctrl-c OpenVPN in the other screen ]
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
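The typo dnslc found is the kind of mistake pf loads without complaint: an interface named in `on` may legitimately not exist yet (tun0 only appears once OpenVPN is up), so `pass out on ure0` is accepted and the killswitch simply fails closed, which is what the "Permission denied" errors were saying. Added here as an example, not code from the thread, is a small lint to run before `pfctl -f`: it expands pf macros, collects every interface name the ruleset references and compares them with the host's interface list. The ruleset is the one from post #1; the interface list is constructed for the example host. Defining the interface once as a macro (`ext_if = "ue0"`) is the usual way to turn such a typo into a load-time error, since pfctl rejects an undefined macro, and the lint reports that case too.

```python
#!/usr/bin/env python3
"""Lint a pf.conf for interface names that do not exist on the host.

Added example for this thread, not from the original posts. The reader is
expected to supply the host's real interface names (e.g. copied from
ifconfig output); the list below is constructed for the example host.
"""
import re

# Constructed: the ruleset from post #1, still carrying the misspelling.
PF_CONF = """\
# ue0 is regular internet
# tun0 is OpenVPN

block all

# allow local ssh connections
pass proto tcp from ue0:network to port ssh

# DNS (for server IP lookup)
pass quick proto {tcp, udp} from any to any port 53 keep state

# VPN IPs
pass out on ure0 proto {tcp, udp} from any to { 185.117.118.24, 185.117.118.23 }

pass on tun0 all
"""

# Constructed interface list. tun0 is created by OpenVPN at run time, so it
# is listed as expected even when it is not up at lint time.
HOST_INTERFACES = {"lo0", "ue0", "tun0", "pflog0", "enc0"}

# Interface groups pf knows about that are not in ifconfig's interface list.
PF_GROUPS = {"egress"}

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$')
ON_RE = re.compile(r"\bon\s+(\$?[A-Za-z][\w.]*)")
SUFFIX_RE = re.compile(r"\b(\$?[A-Za-z]\w*):(network|broadcast|peer|0)\b")
BLOCK_RE = re.compile(r"^\s*block(\s+(log|all|in|out|drop|return|quick))*\s*$", re.M)


def expand_macros(text):
    """Strip comments, record `name = value` macros and substitute $name uses.

    Simplified: a macro whose name is a prefix of another (ext, ext_if) would
    collide here; pfctl itself handles that correctly.
    """
    macros = {}
    body = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        body.append(line)
    expanded = "\n".join(body)
    for name, value in macros.items():
        expanded = expanded.replace(f"${name}", value)
    return expanded, macros


def referenced_interfaces(text):
    """Names used as `on IF` or as `IF:network`-style address operands."""
    names = set(ON_RE.findall(text))
    names |= {m.group(1) for m in SUFFIX_RE.finditer(text)}
    return names


def lint(pf_conf, host_ifaces):
    """Return human-readable findings; an empty list means the checks passed."""
    findings = []
    expanded, _macros = expand_macros(pf_conf)
    for name in sorted(referenced_interfaces(expanded)):
        if name.startswith("$"):
            findings.append(f"undefined macro {name} (pfctl refuses to load this)")
        elif name not in host_ifaces and name not in PF_GROUPS:
            findings.append(f"interface '{name}' is not present on this host")
    if not BLOCK_RE.search(expanded):
        findings.append("no default block rule: unmatched traffic is passed")
    return findings


if __name__ == "__main__":
    for finding in lint(PF_CONF, HOST_INTERFACES) or ["no findings"]:
        print(finding)
```

On the post #1 ruleset the only finding is `interface 'ure0' is not present on this host`; with the `r` removed, or with `on $ext_if` backed by `ext_if = "ue0"`, the list is empty. The DNS rule has no `on` clause and is therefore not touched by the interface check, which is worth noticing when the goal is that nothing leaves over the clear interface.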