Recently I had the need to get myself a VPN since I was more travelling and had to use networks with proxies that not only blocked illegal sites, but yielded timeouts on perfectly legal content. Using BSDnow‘s excellent OpenVPN tutorial I whent ahead in a breeze. But normally I use OpenVPN to connect to a remote (internal) network. This time I it needed to pass all traffic through the VPN so I could access the net ignoring local proxies.
As the tutorial mentions, adding push “redirect-gateway def1 bypass-dhcp” to the server’s openvpn.conf temporarily overrides the client-side default gateway forcing all traffic throug the VPN, that’s what I needed. Another (later on added) line was “topology subnet” since otherwise each client only gets a /32 subnet per connection which makes things a bit hairy at the next stage. tun0 on the server side then uses a /24 by default. “Large” missing piece for my use case was pf to NAT the VPN clients through the box to the internet. Here is the minimal ruleset for /etc/pf.conf I used:
ext_if = "vtnet0" vpn_if = "tun0" vpn_net = "10.8.0.0/24" nat on $ext_if from $vpn_net to any -> ($ext_if) pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 pass in on $ext_if proto tcp from any to any port 1194
I had to declare vpn_net since instead of i.e. a $vpn_if:network since at boot pf doesn’t know the network tun0 uses before OpenVPN comes up. Then it just NAT’s traffic arriving from VPN network on tun0 to the external interface. The 2 other rules let me SSH to the VM and allows OpenVPN traffic.
Since this setup needs forward traffic (two) network interfaces I had to enable packet forwarding, in the end all it needed was:
# sysrc gateway_enable="YES" # sysrc pf_enable="YES" To avoid a reboot and enable forwarding right now: # sysctl net.inet.ip.forwarding=1 Start pf and restart OpenVPN # service pf start # service openvpn restart Just in case: Make sure pf.conf is really loadable # pfctl -f /etc/pf.conf
And that’s about it. It’s not a full tutorial, but just an add-on to the one over at BSDnow for those situations where you need a full tunnel for $REASON (and no, ToR isn’t always a working solution). A big thanks to the Adam McDougall, the original author and helping hand – and the BSDnow crew for their high quality content!
admin September 17, 2014
Posted In: Uncategorized