OpenBSD Security (Functionally paranoid!)
PF configuration. Need help with VPN and automatic startup
Hello,
I need help with my firewall and VPN. Many people here have faced similar tasks, but I haven't gleaned much that could solve my problem. I know how to search on Google, but I couldn't find anything worthwhile and comprehensive. So, let's get to the point. Here’s my pf configuration. I managed to get it working somewhat as I need it to. However, it lacks a kill switch function for the VPN. Ideally, I would like the internet connection on the router to remain active, but for the computers on the local network to lose internet access if the VPN drops. Additionally, is everything in my configuration set up correctly? I took the standard router configuration from the official OpenBSD website; can you clearly see if I messed something up? Lastly, how can I make the VPN start automatically when the router is turned on? Code:
wired = "re0"
vpn = "tun0"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
                   203.0.113.0/24 }
set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
match out on $vpn inet from !(egress:network) to any nat-to ($vpn:0)
antispoof quick for { egress $wired }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all
pass out quick inet
pass in on { $wired } inet
pass out on $wired from ($vpn:network) to any
pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 192.168.1.2

P.S. I've been struggling with this problem for five days. It might seem funny to some, but these configuration tweaks have been quite challenging for me. A couple of days ago, I created a similar thread on Reddit, but it seems it didn't pass moderation due to my newly created account.
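The kill switch the original poster asks for, as an added example that is not part of this thread and not the poster's own ruleset: a complete pf.conf for a router where re0 is the LAN, egress is whichever interface holds the default route, and tun0 is the VPN. Assumptions, none of which appear in the thread: the LAN prefix is 192.168.1.0/24 (only the forward target 192.168.1.2 is given), the VPN client installs a default route through tun0 while the tunnel is up, and the $lan macro is introduced here. The design is that LAN traffic is NATed and passed only on tun0 and is explicitly blocked on egress, while the router's own traffic (which carries the tunnel) may still leave on egress. One detail matters for this to work: with the default floating state policy, the state created by "pass in on re0" also matches the same packet when it goes out on egress, so an outbound block on egress would never be evaluated for forwarded traffic. The example therefore sets state-policy to if-bound, which in turn requires an explicit "pass out on $wired" for new connections towards the LAN (the port forward).

```pf
# Added example (not the poster's ruleset): router pf.conf with a VPN
# kill switch.  Interfaces: re0 = LAN, egress = WAN (holds the default
# route), tun0 = VPN.  Assumed: the LAN is 192.168.1.0/24 and the VPN
# client sets a default route through tun0 while the tunnel is up.
wired = "re0"
vpn   = "tun0"
lan   = "192.168.1.0/24"        # assumed LAN prefix behind $wired

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
                   203.0.113.0/24 }

set block-policy drop
set loginterface egress
set skip on lo0
# States are bound to the interface they were created on.  With the
# default (floating) policy the state from "pass in on $wired" would
# carry the same packet out on egress without evaluating the kill switch.
set state-policy if-bound

match in all scrub (no-df random-id max-mss 1440)

# NAT for LAN hosts exists only on the tunnel.  Deliberately no nat-to on
# egress for $lan: when tun0 goes away the default route falls back to
# egress and LAN packets, still carrying their private source address,
# hit the kill switch below instead of being rewritten and sent out.
match out on $vpn inet from $lan to any nat-to ($vpn:0)

antispoof quick for { egress $wired }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>

# Kill switch: forwarded LAN traffic never leaves through the WAN
# interface, VPN up or down.  "return" makes LAN clients fail fast instead
# of hanging; "log" sends the hits to pflog0 so you can watch it work.
# Keep this rule ahead of any broad "pass out quick inet".
block return out log quick on egress inet from $lan to any

block all

# The router itself may use the WAN directly; this is also what carries
# the VPN tunnel to its server.
pass out quick on egress inet from (egress) to any

# LAN hosts may talk to the router and, via the tunnel only, to the world.
pass in on $wired inet from $lan to any
# Needed with if-bound for new connections towards the LAN (the rdr below).
pass out on $wired inet
# Forwarded LAN traffic (NATed above) and router traffic through the tunnel.
pass out quick on $vpn inet

# Port forward to the internal web server.  The reply path is carried by
# the states created on egress and re0, so the kill switch does not break it.
pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 192.168.1.2
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, and use pfctl -vvsr to see the rules as pf actually ordered them. Because every tun0 address is written in parentheses, pf resolves it when the interface appears, so the ruleset loads at boot before the tunnel exists. To test the switch, stop the VPN client, try to reach the internet from a LAN host (it should fail immediately with a reset rather than time out) and from the router (it should still work), and watch the blocked packets with tcpdump -n -e -ttt -i pflog0. For starting the tunnel at boot, the two mechanisms I know of on OpenBSD are an rc.d script (for OpenVPN from packages, rcctl enable openvpn and rcctl set openvpn flags with the path to your client config; the exact flags depend on the package's script, so check /etc/rc.d/openvpn) or a "!" command line in /etc/hostname.tun0, which netstart runs when it configures the interface (see hostname.if(5)); which one fits depends on the VPN client you use, which the thread does not say.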
How about first reordering and grouping your rules by direction (in/out), interface (wired, egress) etc? That would make things easier to understand ...
My suggestion (hoping I did not accidentally leave out any rule): Code:
 1 wired = "re0"
 2 vpn = "tun0"
 3 table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
 4                    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
 5                    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
 6                    203.0.113.0/24 }
 7
 8 set block-policy drop
 9 set loginterface egress
10 set skip on lo0
11
12 antispoof quick for { egress $wired }
13
14 # --- OUTGOING
15 block return out quick on egress from any to <martians>
16
17 match out on egress inet from !(egress:network) to any nat-to (egress:0)
18 match out on $vpn inet from !(egress:network) to any nat-to ($vpn:0)
19 pass out quick inet
20 pass out on $wired from ($vpn:network) to any
21 block all
22
23 # --- INCOMING
24
25 # -- egress
26 match in all scrub (no-df random-id max-mss 1440)
27 block in quick on egress from <martians> to any
28
29 pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 192.168.1.2
30
31 # -- wired
32 pass in on { $wired } inet

Code:
19 pass out quick inet
20 pass out on $wired from ($vpn:network) to any
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
PS I apologize for the formatting of my response; I haven't fully figured out how things are done here.
On detecting an incoming packet pf will only check the rules that deal with incoming packets. It will skip the rules for outgoing ones because they don't apply.
Daniel Hartmeier, the original architect of pf, called this a "skip step" in an old paper. When you alternate in and out rules, pf has to take many of these skip steps. I prefer pf to take only giant skip steps by ordering and grouping the rules by direction (in/out) and then by interface. Nowadays pf seems to do this ordering (optimizing) behind the scenes, but I kept this habit, because for the human pf rule writer it is easier to understand. If you use pfctl -vvvsr you can see the rules with statistics: how many times a rule has been evaluated, the number of packets and the size of the packets. It will also show how pf has re-ordered the rules. From https://www.openbsd.org/faq/pf/example1.html#pf : Code:
pass out quick inet
pass in on { $wired $wifi } inet

Code:
19 pass out quick inet
20 pass out on $wired from ($vpn:network) to any
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Hello everyone. Sorry for the long response; for almost all this time, I was trying to write rules for pf and studying articles about it. At one point, I even thought I was starting to understand. But harsh reality told me otherwise. On top of all the existing needs, I now have to install and configure tinyproxy. The setup itself isn't complicated, but guess what I ran into again?