My personal laptop runs OpenBSD 6.4. I browse the web using WiFi +
an openvpn client for added privacy. The default behavior of all outgoing
traffic going through the VPN is generally desirable, but I need some
outgoing packets (e.g., ssh traffic) to bypass the VPN--i.e., those packets
should go out via the default gateway of my wireless card (athn0), not via
tun0. My machines running ssh servers connect to the internet via an ISP,
are not running a VPN client or server, and listen on port 22022.

Back in my Linux days, I used iptables(8) to put a mark on the packets 
that should bypass vpn, then used ip(8) to create a custom route for
the marked packets, like this:

# Mark locally generated packets for the ssh port (OUTPUT chain: PREROUTING
# never sees packets that originate on this host)
iptables -t mangle -A OUTPUT -p tcp --dport 22022 -j MARK --set-mark 1
# Second routing table whose default route is the WiFi gateway, consulted
# only for marked packets (same table number in both commands)
ip route add default via $wlan0_default_gateway dev wlan0 table 100
ip rule add fwmark 1 table 100

Please, how do I accomplish this on OpenBSD 6.4 using pf.conf(5)?

I already tried various permutations of this:

pass out proto {tcp udp} to any port 22022 route-to athn0

and this:

pass out proto {tcp udp} to any port 22022 route-to \
    $athn0_gateway

But both result in ssh authentication attempts hanging at
"debug1: Connecting to..." and then timing out.

jggimi at daemonforums.org tried to help but we couldn't figure it out,
so he suggested that I ask for help here. The thread of our attempt is
here (I didn't mention that I use port 22022 instead of 22 because
I don't think it really matters): 
http://daemonforums.org/showthread.php?t=10905

I can bypass VPN to reach an *individual* ssh server with this:

athn0_gateway=$(route show | grep default | awk '{print $2}')
route add $ssh_server_ip $athn0_gateway

but I'd really like to learn how to accomplish this using pf.conf(5)
so that I can bypass VPN based on destination port instead of 
destination ip address, thereby having an elegant solution that works 
for all ssh servers.

Please help me.

Thank you,
Bruno Dantas

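The port-based bypass asked for above, written out as an added pf.conf(5) example for OpenBSD 6.4 (this is not the poster's or jggimi's configuration, and it is not from the daemonforums thread). It assumes the interface names athn0 and tun0 from the post, port 22022, and a placeholder WiFi gateway address 192.0.2.1 that must be replaced with the real next hop from "route -n show -inet". Two things differ from the rules that were tried: in the 6.4 grammar route-to takes the interface and the next-hop address together in parentheses, and the packet's source address has to be rewritten once it leaves athn0, because the kernel already picked tun0's address as source before pf ever saw the packet.

```pf
# Added example: send outbound ssh (port 22022) around the VPN on OpenBSD 6.4.
# The gateway address below is an assumption; read the real one from
# "route -n show -inet" before OpenVPN replaces the default route with tun0.
wifi_if  = "athn0"
wifi_gw  = "192.0.2.1"
vpn_if   = "tun0"
ssh_port = "22022"

set skip on lo

# The packet was built with tun0's address as its source. pf re-evaluates a
# route-to'd packet on the interface it was moved to, so rewrite the source
# there to athn0's own address; without this the reply is addressed to the
# VPN address and never comes back over the WiFi link.
match out on $wifi_if inet proto tcp from ($vpn_if) to any port $ssh_port \
    nat-to ($wifi_if)

# Steer outbound ssh off the tunnel. route-to names the interface AND the
# next hop: "route-to athn0" alone puts the packet on the WiFi link with no
# gateway, which only reaches hosts on that LAN.
pass out quick on $vpn_if inet proto tcp to any port $ssh_port \
    route-to ($wifi_if $wifi_gw)

# Everything else keeps its normal route (tun0 while the VPN is up), and the
# re-evaluated ssh packets need a pass rule on athn0 as well.
pass out on $vpn_if
pass out on $wifi_if
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf", then run "ssh -v" against one of the servers while watching "tcpdump -n -i athn0 port 22022": the SYN should leave athn0 carrying athn0's own address, not the tun0 address. ssh only uses TCP, so the udp half of the original rule is dropped. Later OpenBSD releases changed the route-to grammar, so check pf.conf(5) for the release actually running before copying this onto another machine.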