I'm adding more functionality to my firewall (OpenBSD 5.7) and have been trying to configure PPTP VPN access for my Windows users. I have got npppd running using the config below and can successfully authenticate and establish a connection.
I am able to connect to the VPN from a Windows PC but I can't reach the internal hosts on the network. I suspect I have some conflicts over my internal subnet and various pf rules. If I remove the antispoof rule, I am able to ping the firewall on its IP and that of the pppx0 interface (192.168.7.128). My internal em0 is on 192.168.7.0/24, which will overlap the pppx0 interface, but I am expecting my VPN users to appear on the same subnet. Is this valid? I can ping the connected client on its IP 192.168.7.118 from the firewall. I can occasionally ping some other hosts on the internal network, but this seems somewhat random and most of the time I can't reach any hosts. (I'm running dhcpd on this box too, if that makes a difference.)

I've scanned the man pages for npppd and pf but I think I'm missing something more fundamental. Could someone please take a quick look and see if there is anything obvious? Thanks in advance.

=====================================================
# cat /etc/npppd/npppd.conf
tunnel PPTP protocol pptp

ipcp IPCP {
	pool-address 192.168.7.95-192.168.7.127
	dns-servers 192.168.7.1 8.8.8.8
}

interface pppx0 address 192.168.7.128 ipcp IPCP

authentication LOCAL type local {
	users-file "/etc/npppd/npppd-users"
}

bind tunnel from PPTP authenticated by LOCAL to pppx0
=====================================================
# ifconfig pppx0
pppx0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
	description: jeremy
	priority: 0
	groups: pppx
	inet 192.168.7.128 --> 192.168.7.118 netmask 0xffffffff
====================================================
# cat /etc/pf.conf
#	$OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

# macros
int_if="em0"
ext_if="em1"
tcp_services="{ 22, 113 }"
udp_services="{ 161 }"
mail_services="{ 25, 587, 993, 995 }"
web_services="{ 80, 443 }"
vpn_pptp="{ 1723 }"
icmp_types="echoreq"
web_server = "192.168.7.77"
mail_server = "192.168.7.77"

# options
set block-policy return
set loginterface egress
set skip on lo

# FTP Proxy rules
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp divert-to 127.0.0.1 port 8021

# match rules
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from $int_if:network to any nat-to (egress:0)

# filter rules
block in log
pass out quick

antispoof quick for { lo $int_if }

# Allow access to services running on the firewall
pass in on egress inet proto tcp from any to (egress) port $tcp_services flags S/SA keep state
pass in on egress inet proto udp from any to (egress) port $udp_services

# VPN Rules
pass in quick inet proto gre all
pass in log on pppx
pass in quick on egress inet proto tcp from any to (egress) port $vpn_pptp

# Redirect traffic to the interior servers
pass in on egress inet proto tcp to (egress) port $web_services rdr-to $web_server synproxy state
pass in on egress inet proto tcp to (egress) port $mail_services rdr-to $mail_server

pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
===============================================================
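Added example, not from the post or from the npppd/pf code: a small Python model of how pf.conf(5) expands the "antispoof quick for $int_if" line above, fed with the addresses shown in the post, to check which (ingress interface, source address) pairs the expanded block rules drop. em0's own address (192.168.7.1) and the alternative pool subnet 192.168.8.0/24 are assumptions made for the example.

```python
import ipaddress

# Constructed model of the post's layout. em0's address is assumed to be
# 192.168.7.1 (the post only lists it as a DNS server); pppx0 is the
# point-to-point interface npppd created for the connected client.
IFACES = {
    "em0":   {"addr": "192.168.7.1",   "network": "192.168.7.0/24"},
    "pppx0": {"addr": "192.168.7.128", "network": "192.168.7.118/32"},
}

def antispoof_rules(ifname):
    """Expand 'antispoof for IFNAME' (IPv4) as pf.conf(5) documents it:
    block in on !IFNAME from IFNAME:network, plus block in from IFNAME's
    own address on every interface."""
    i = IFACES[ifname]
    return [
        {"not_on": ifname, "src": ipaddress.ip_network(i["network"])},
        {"not_on": None,   "src": ipaddress.ip_network(i["addr"] + "/32")},
    ]

def antispoof_drops(rules, in_if, src):
    """True if an expanded block rule matches a packet from src arriving on
    in_if. The post uses 'antispoof quick', so a match ends evaluation
    before 'pass in log on pppx' is ever reached."""
    src = ipaddress.ip_address(src)
    return any(src in r["src"] and r["not_on"] != in_if for r in rules)

def pool_overlaps(pool_start, pool_end, network):
    """True if an npppd pool-address range intersects an interface network."""
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    net = ipaddress.ip_network(network)
    return start <= net.broadcast_address and end >= net.network_address

if __name__ == "__main__":
    rules = antispoof_rules("em0")
    # As configured, the pool 192.168.7.95-127 lies inside em0:network ...
    print(pool_overlaps("192.168.7.95", "192.168.7.127", IFACES["em0"]["network"]))
    # ... so the client's packets entering on pppx0 look spoofed and are dropped.
    print(antispoof_drops(rules, "pppx0", "192.168.7.118"))
    # The same source seen on em0 itself passes the antispoof rules.
    print(antispoof_drops(rules, "em0", "192.168.7.118"))
    # A pool outside em0:network (assumed 192.168.8.0/24) no longer triggers them.
    print(antispoof_drops(rules, "pppx0", "192.168.8.10"))
```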