Hi,

Is there anyone who can help to resolve the problem I have with pppx, tun and tap using npppd and OpenVPN not forwarding traffic to ingress but egress works fine.

It was my first post to the list and if there is any info or further details required just ask. I would appreciate any help or hints. I know I'm missing something in my config but can't find it.

Thanks
torsten

-----Original Message-----
From: torsten [mailto:tors...@cnc-london.net]
Sent: 16 December 2015 23:21
To: 'misc@openbsd.org'
Subject: npppd pppx0 VPN Client can access wan but cannot access lan

Hi,

I'm running OpenBSD 5.8, npppd, mpath and have tried the same on 5.7 and 5.3.

npppd works fine and clients can connect using the Windows pptp client. The client has the pptp connection set as default gateway and can access the internet through the vpn gateway but cannot access the LAN network. Traffic arrives on the pppx0 interface but never gets forwarded to the LAN ip address.

I have been looking and trying for over 2 weeks now and can't figure that one out. Setting everything to pass in pf.conf and only enabling nat - still no result.

Setup:
OpenBSD 5.8 with npppd using pppx0 or tun0 and pf
2 WAN interfaces equal cost routing (net.inet.ip.multipath=1), 1 LAN interface

sysctl.conf

net.inet.ip.forwarding=1
net.inet.ip.multipath=1
net.inet.gre.allow=1
net.pipex.enable=1

npptp.conf:

set max-session 20
set user-max-session 5
authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}
tunnel VPN protocol pptp {
        listen on 0.0.0.0
}
ipcp IPCP {
        pool-address 10.219.219.2-10.219.219.100
        dns-servers 192.168.0.189 192.168.0.19
        nbns-servers 192.168.0.189 192.168.0.19
}
interface pppx0 address 10.219.219.1 ipcp IPCP
bind tunnel from VPN authenticated by LOCAL to pppx0

pf.conf

### NAT
match out log on $ext1_if from $int_net nat-to ($ext1_if)
match out log on $ext2_if from $int_net nat-to ($ext2_if)

## vpn
pass quick log on pppx
match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
match out log on $int_if from $vpn_net nat-to ($int_if)

### FILTER RULES
block log quick inet6
block in log on $ext1_if
block in log on $ext2_if

## allow ping, traceroute and echo
pass in log inet proto icmp all icmp-type $icmp_types

## pass connections to vpn server
pass log proto { gre } from any to any keep state
pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
pass in log on $ext2_if proto tcp from any to $ext2_if port 1723
pass in on enc0 from $vpn_net to $int_net keep state (if-bound)
pass out on enc0 from $int_net to $vpn_net keep state (if-bound)
pass in on pppx from $vpn_net to $int_net keep state (if-bound)
pass out on pppx from $int_net to $vpn_net keep state (if-bound)

netstat -rn

Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            a.a.a.113          UGSP       0  1073494     -     8 em0
default            b.b.b.97           UGSP       4    10294     -     8 em1
10.219.219.1       10.219.219.1       UHl        0        0     -     1 lo0
10.219.219.14      10.219.219.1       UH         0      679     -     8 pppx0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHl        1        4 32768     1 lo0
b.b.b.96/28        b.b.b.110          UC         1        0     -     8 em1
b.b.b.97           bc:16:65:34:33:81  UHLc       1        0     -     8 em1
b.b.b.110          00:15:17:48:7b:23  HLl        0        0     -     1 lo0
b.b.b.111          b.b.b.110          UHb        0        0     -     1 em1
192.168.0/22       192.168.0.238      UC         9        0     -     8 em3
192.168.0.4        00:25:90:7c:40:cf  UHLc       0        4     -     8 em3
192.168.0.5        00:30:48:7d:7c:64  UHLc       0        1     -     8 em3
192.168.0.6        00:25:90:3c:30:67  UHLc       0        2     -     8 em3
192.168.0.10       f4:6d:04:29:ea:f7  UHLc       0        4     -     8 em3
192.168.0.19       00:25:90:72:89:1a  UHLc       0     8388     -     8 em3
192.168.0.189      00:30:48:d8:f0:0b  UHLc       0     9661     -     8 em3
192.168.0.238      00:25:90:d0:17:10  HLl        0        0     -     1 lo0
192.168.0.253      00:25:90:af:5d:0a  UHLc       0      154     -     8 em3
192.168.2.167      50:e5:49:e6:c3:3c  UHLc       0     2048     -     8 em3
192.168.3.202      00:25:90:af:5d:0a  UHLc       1     9329     - L   8 em3
192.168.3.255      192.168.0.238      UHb        0        0     -     1 em3
a.a.a.112/28       a.a.a.126          UC         2        0     -     8 em0
a.a.a.113          00:00:5e:00:01:0c  UHLc       1        0     -     8 em0
a.a.a.116          00:25:90:af:5d:0b  UHLc       2    34417     - L   8 em0
a.a.a.126          00:15:17:48:7b:22  HLl        0        0     -     1 lo0
a.a.a.127          a.a.a.126          UHb        0        0     -     1 em0
224/4              127.0.0.1          URS        0        0 32768     8 lo0