{"id":439,"date":"2014-09-17T21:15:36","date_gmt":"2014-09-17T20:15:36","guid":{"rendered":"http:\/\/www.simweb.ch\/blog\/?p=439"},"modified":"2014-09-17T21:58:33","modified_gmt":"2014-09-17T20:58:33","slug":"bsdnow-tv-openvpn-tutorial-full-tunnel-add-on","status":"publish","type":"post","link":"https:\/\/www.simweb.ch\/blog\/2014\/09\/bsdnow-tv-openvpn-tutorial-full-tunnel-add-on\/","title":{"rendered":"BSDnow.tv OpenVPN tutorial: Full tunnel add-on"},"content":{"rendered":"<p>Recently I needed a VPN: I was travelling more and had to use networks whose proxies not only blocked illegal sites but also produced timeouts on perfectly legal content. Using <a href=\"http:\/\/www.bsdnow.tv\/\">BSDnow<\/a>'s excellent <a href=\"http:\/\/www.bsdnow.tv\/tutorials\/openvpn\">OpenVPN<\/a> tutorial I went ahead in a breeze. But normally I use OpenVPN to connect to a remote (internal) network. This time I needed it to pass all traffic through the VPN so I could reach the net while ignoring the local proxies.<\/p>\n<p>As the tutorial mentions, adding push \"redirect-gateway def1 bypass-dhcp\" to the server's openvpn.conf temporarily overrides the client-side default gateway, forcing all traffic through the VPN; that is exactly what I needed. Another line (added later) was \"<em>topology subnet<\/em>\": with the default net30 topology each client otherwise gets only its own \/30 point-to-point slice per connection, which makes things a bit hairy at the next stage. With topology subnet, tun0 on the server side uses the whole \/24. The \"large\" missing piece for my use case was pf, to NAT the VPN clients through the box to the internet. 
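Added example, not from the original post or the BSDnow tutorial: a default-deny variant of the minimal pf ruleset that follows. pf passes whatever no rule blocks, so a ruleset made only of nat and pass rules exposes every listening service on the box; the block rule below closes that while keeping SSH and OpenVPN reachable and still forwarding client traffic. Interface and network names (vtnet0, tun0, 10.8.0.0\/24) are the post's; the file is assumed to be loaded on FreeBSD's pf, whose pre-OpenBSD-4.7 syntax requires translation (nat) rules to precede filter rules.

```pf
ext_if  = \"vtnet0\"
vpn_if  = \"tun0\"
vpn_net = \"10.8.0.0\/24\"   # literal: tun0 has no address until OpenVPN is up

set skip on lo0

# Translation rules must come before filter rules on FreeBSD's pf.
nat on $ext_if from $vpn_net to any -> ($ext_if)

# Default deny inbound; dropped packets are logged to pflog0.
block in log all

# Stateful outbound, both for the box itself and for forwarded client traffic.
pass out all keep state

# Only SSH and OpenVPN are reachable from the outside.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22
# OpenVPN defaults to UDP 1194; the post's server uses TCP, so match your server.conf.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 1194

# Whatever the VPN clients send in through the tunnel may be forwarded.
pass in on $vpn_if inet from $vpn_net to any keep state
```

Parse it with pfctl -nf \/etc\/pf.conf before loading it with pfctl -f: once block in is active, a typo in the port 22 rule drops the SSH session you are working from. pfctl -sr lists the loaded rules and pfctl -ss the states, including the NAT state of a connected client.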
Here is the minimal ruleset for <em>\/etc\/pf.conf<\/em> I used:<\/p>\n<pre class=\"brush: actionscript3; gutter: true; first-line: 1\"># external (uplink) interface of the VM\r\next_if = \"vtnet0\"\r\n# interface the OpenVPN server creates\r\nvpn_if = \"tun0\"\r\n\r\n# declared as a literal: tun0 has no address until OpenVPN is up\r\nvpn_net = \"10.8.0.0\/24\"\r\n\r\n# masquerade VPN clients behind the external interface's address\r\nnat on $ext_if from $vpn_net to any -&gt; ($ext_if)\r\n# SSH to the VM itself\r\npass in on $ext_if inet proto tcp from any to ($ext_if) port 22\r\n# OpenVPN (this server listens on TCP 1194)\r\npass in on $ext_if proto tcp from any to any port 1194<\/pre>\n<p>I had to declare vpn_net as a literal instead of using, e.g., $vpn_if:network because at boot pf does not yet know which network tun0 uses; the interface only gets its address once OpenVPN comes up. The nat rule then translates traffic arriving from the VPN network on tun0 so that it leaves with the external interface's address. The two other rules let me SSH to the VM and allow OpenVPN traffic. Note that pf's default policy is pass: without a block rule these pass rules restrict nothing, so if the box should accept only SSH and OpenVPN from the outside, add a block in rule before them.<\/p>\n<p>Since this setup forwards traffic between two network interfaces I had to enable packet forwarding; in the end all it needed was:<\/p>\n<pre class=\"brush: actionscript3; gutter: true; first-line: 1\"># sysrc gateway_enable=\"YES\"\r\n# sysrc pf_enable=\"YES\"\r\n\r\nTo avoid a reboot and enable forwarding right now:\r\n# sysctl net.inet.ip.forwarding=1\r\n\r\nStart pf and restart OpenVPN\r\n# service pf start\r\n# service openvpn restart\r\n\r\nJust in case: Make sure pf.conf is really loadable\r\n# pfctl -f \/etc\/pf.conf<\/pre>\n<p>pfctl -nf \/etc\/pf.conf only parses the ruleset without loading it; run that first if you are logged in over SSH through the same firewall.<\/p>\n<p>And that's about it. It's not a full tutorial, just an add-on to the one over at BSDnow for those situations where you need a full tunnel for $REASON (and no, Tor isn't always a working solution). A big thanks to <a href=\"https:\/\/twitter.com\/bsdxbsdx\">Adam McDougall<\/a>, the original author and a helping hand, and to the <a href=\"http:\/\/www.bsdnow.tv\/\">BSDnow<\/a> crew for their high quality content!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently I needed a VPN: I was travelling more and had to use networks whose proxies not only blocked illegal sites but also produced timeouts on perfectly legal content. 
Using BSDnow&#8217;s excellent OpenVPN tutorial I went ahead in a breeze. But normally I use OpenVPN to connect to a remote (internal) network. This time &#8230; <a class=\"moretag\" href=\"https:\/\/www.simweb.ch\/blog\/2014\/09\/bsdnow-tv-openvpn-tutorial-full-tunnel-add-on\/\">more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[1],"tags":[51,36,49,50],"class_list":["post-439","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-bsdnow","tag-freebsd","tag-openvpn","tag-pf"],"_links":{"self":[{"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/posts\/439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/comments?post=439"}],"version-history":[{"count":0,"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/posts\/439\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/media?parent=439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/categories?post=439"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.simweb.ch\/blog\/wp-json\/wp\/v2\/tags?post=439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}