Re: pf.conf for OpenVPN

2013-09-21 Thread Shteryana Shopova
Hi,

On Fri, Sep 20, 2013 at 9:06 AM, Carsten Larsen  wrote:

> On 09/17/2013 19:25, Predrag Punosevac wrote:
>
>> Internet (128.xxx)   OpenVPN clients (VPN network 10.8.0.xxx)
>>
> The subnet mask for private addresses seems odd. With the /8 mask you
> have specified a class A network. Take a look at this table:
> http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks
>
> etc.

weird indeed

>> 1. Right now I pass UDP packets on ext_if port 1194 to allow VPN clients
>> to connect to the server. Is that correct? Is there a more restrictive way
>> of doing this?
>
> As restrictive as it gets.

correct

>> 2. I would like to filter traffic coming and going from 10.8.0.xxx.
>> Do I write separate rules for the tun0 interface?
>
> Yes.

sort of

>> 3. Do I use rdr to allow OpenVPN clients from the VPN network 10.8.0.xxx
>> to reach my internal network (192.168.2.xxx)? I would like VPN clients
>> to have the same access to my HPC clusters, DNS etc. as my desktops
>> behind PF.
>
It's slightly more complicated than that. Here's an example -

pass in quick on $int_if from $lan_net to $lan_ip rdr-to $vpn_if:network:0
pass out quick on $int_if to $lan_net received-on $vpn_if nat-to $int_if

In short, that will match ANY already decrypted traffic coming from the
OpenVPN clients on tun0, create state, translate the source IP from the
OpenVPN client's OpenVPNSubnet one to the IP of the LAN interface, and send
it out the LAN interface. The replies from the hosts on the LAN network
will match the above created state and will be redirected to $vpn_if (tun0
in your case) - the OpenVPN server handles it from there. The OpenVPN
clients need to know the proper route to the LAN network - one way to do it
is inject a static route in the client's routing table by adding the
following line to the OpenVPN server config -

push "route 192.168.2.0 255.255.255.0"

In case policy towards VPN clients needs to be more restrictive - here's
another example -

pass in quick on $int_if proto tcp from $lan_net to $lan_ip rdr-to $vpn_if:network:0
pass in quick on $int_if proto icmp from $lan_net to $lan_ip rdr-to $vpn_if:network:0
pass out quick on $int_if proto tcp to $lan_net received-on $vpn_if nat-to $int_if
pass out quick on $int_if proto icmp to $lan_net received-on $vpn_if nat-to $int_if
block out quick on $int_if from $OpenVPNSubnet to any

Obviously this will forward only TCP and ICMP (ssh, ping etc.) and drop
anything else (UDP - traceroute, etc.) from the OpenVPN clients.

> I would suggest either to use the same subnet as for the other machines,
> 192.168.2.0/24 I suppose, or to edit the config files of services to
> allow access from 10.8.0.0/16.

I seriously doubt any of these will work or is feasible.

cheers,
Shteryana
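
Putting the three questions of the original post together, here is a complete
pf.conf for the gateway in Predrag's diagram. It is an added example written
for this page, not rules anyone in the thread posted, and it takes the plain
routed approach (the gateway forwards between 10.8.0.0/24 and 192.168.2.0/24)
instead of the rdr-to/nat-to pair in the reply above. The interface names
em0/em1, the 10.8.0.0/24 VPN subnet, the /25 used for the HPC range and the
list of services VPN clients may reach are assumptions; the LAN is taken as
192.168.2.0/24, and Predrag's existing ext_if/int_if rules (the ssh redirect
to the SSH gateway etc.) are left out.

```pf
# /etc/pf.conf for the Firewall/VPN gateway in the diagram (added example).
# Interface names, the VPN subnet and the service lists are assumptions.

ext_if  = "em0"               # public side, 128.x.x.x
int_if  = "em1"               # LAN side, 192.168.2.1
vpn_if  = "tun0"              # OpenVPN server side, 10.8.0.1

lan_net = "192.168.2.0/24"
vpn_net = "10.8.0.0/24"       # what 'server 10.8.0.0 255.255.255.0' hands out
lan_srv = "192.168.2.32"      # DNS/LDAP/file server
ssh_gw  = "192.168.2.200"
hpc_net = "192.168.2.128/25"  # HPC range (assumed /25)

vpn_tcp_ports = "{ 22, 53, 389, 636 }"   # ssh, DNS, LDAP, LDAPS (assumed list)
vpn_udp_ports = "{ 53 }"

set skip on lo

block all
antispoof quick for $int_if

# Q1. The only thing the Internet may start toward the gateway for the VPN is
# UDP/1194, and only to the gateway's own address: "to ($ext_if)" keeps this
# rule from also passing port-1194 traffic that is merely forwarded through.
pass in quick on $ext_if inet proto udp from any to ($ext_if) port 1194

# Q2. Decrypted client traffic appears on tun0, so tun0 gets its own rules.
# Anything whose source is not an address OpenVPN handed out is dropped first,
# and nothing else is allowed until a rule below says so.
block in quick on $vpn_if inet from ! $vpn_net

# Permissive variant ("same access as my desktops"); use it instead of the
# per-service rules that follow if that is really what you want.
#pass in on $vpn_if inet from $vpn_net to $lan_net

# Restrictive variant: named services on named hosts only.
pass in on $vpn_if inet proto tcp  from $vpn_net to $lan_srv port $vpn_tcp_ports
pass in on $vpn_if inet proto udp  from $vpn_net to $lan_srv port $vpn_udp_ports
pass in on $vpn_if inet proto tcp  from $vpn_net to { $ssh_gw $hpc_net } port 22
pass in on $vpn_if inet proto icmp from $vpn_net to $lan_net icmp-type echoreq
# Clients may also talk to the gateway's own tun0 address (e.g. a local resolver).
pass in on $vpn_if inet proto { tcp udp } from $vpn_net to ($vpn_if) port 53

# Q3. No rdr-to is needed: with net.inet.ip.forwarding=1 the gateway simply
# routes between 10.8.0.0/24 and 192.168.2.0/24. "block all" also covers the
# forwarded packet when it leaves on int_if, so let it out there; received-on
# restricts this to packets that came in through the VPN. Because 192.168.2.1
# is the LAN hosts' default gateway, their replies to 10.8.0.x come back
# through this box and match the states created above.
pass out on $int_if inet to $lan_net received-on $vpn_if

# If some LAN host does NOT use this box as its default gateway, hide the
# clients behind the LAN address instead of fixing that host's routing:
#match out on $int_if inet to $lan_net received-on $vpn_if nat-to ($int_if)

# Existing LAN -> Internet rules (assumed shape), untouched by the VPN.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)
pass in  on $int_if inet from $lan_net
pass out on $ext_if inet
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading it with
`pfctl -f /etc/pf.conf`, turn on forwarding with
`sysctl net.inet.ip.forwarding=1` (and the same line in /etc/sysctl.conf so it
survives a reboot), and, as the reply above says, give the clients the route
with `push "route 192.168.2.0 255.255.255.0"` in the OpenVPN server config. To
confirm the policy, ssh from a VPN client to the SSH gateway and watch
`pfctl -vvsr`: only the tun0 port-22 rule's counters should move, and
`pfctl -ss | grep 10.8.0` should show the resulting states. A client that
tries UDP to a desktop, or anything to a host not named above, should see
nothing come back.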



Re: pf.conf for OpenVPN

2013-09-19 Thread Carsten Larsen

On 09/17/2013 19:25, Predrag Punosevac wrote:
> Internet (128.xxx)                   OpenVPN clients (VPN network 10.8.0.xxx)
>       |                               (also public 128.xxx addresses)
>       |                                            |
>       +---------------------+----------------------+
>                             |
>                ext_if/tun0 (128.0.0.1/10.8.0.1)
>                             |
>              Firewall/VPN Gateway (OpenBSD 5.4)
>                             |
>                   int_if (192.168.2.1)
>                             |
>                          Switch ---+--- DNS/LDAP/FileServer (192.168.2.32/8)
>                                    |
>                                    +--- other desktops (192.168.2.64/8)
>                                    |
>                                    +--- SSH Gateway (192.168.2.200)
>                                    |
>                                    +--- HPC machines on (192.168.2.128/8)

The subnet mask for private addresses seems odd. With the /8 mask you
have specified a class A network. Take a look at this table:

http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks

etc.

> 1. Right now I pass UDP packets on ext_if port 1194 to allow VPN clients
> to connect to the server. Is that correct? Is there a more restrictive way
> of doing this?

As restrictive as it gets.

> 2. I would like to filter traffic coming and going from 10.8.0.xxx.
> Do I write separate rules for the tun0 interface?

Yes.

> 3. Do I use rdr to allow OpenVPN clients from the VPN network 10.8.0.xxx
> to reach my internal network (192.168.2.xxx)? I would like VPN clients
> to have the same access to my HPC clusters, DNS etc. as my desktops
> behind PF.

I would suggest either to use the same subnet as for the other machines,
192.168.2.0/24 I suppose, or to edit the config files of services to
allow access from 10.8.0.0/16.

> Thank you so much for your help.
> Predrag




pf.conf for OpenVPN

2013-09-17 Thread Predrag Punosevac
Dear All,

I am still working on an OpenVPN gateway for my Lab. As of now I have
everything fully functional and I am now trying to tidy up the PF rules.

My network topology roughly looks like this:

Internet (128.xxx)                   OpenVPN clients (VPN network 10.8.0.xxx)
      |                               (also public 128.xxx addresses)
      |                                            |
      +---------------------+----------------------+
                            |
               ext_if/tun0 (128.0.0.1/10.8.0.1)
                            |
             Firewall/VPN Gateway (OpenBSD 5.4)
                            |
                  int_if (192.168.2.1)
                            |
                         Switch ---+--- DNS/LDAP/FileServer (192.168.2.32/8)
                                   |
                                   +--- other desktops (192.168.2.64/8)
                                   |
                                   +--- SSH Gateway (192.168.2.200)
                                   |
                                   +--- HPC machines on (192.168.2.128/8)

Following the PF FAQ, Peter's book of PF and Absolute OpenBSD 2nd edition I
had no troubles writing rules which filter traffic on ext_if as well as
int_if. Clients behind the Firewall can access selected internet services
(ssh, SMTP, www). A random machine which tries to reach my internal
network via SSH gets redirected to the SSH gateway machine.

Since I have no experience managing OpenVPNs I have questions about the
VPN network (10.8.0.xxx):

1. Right now I pass UDP packets on ext_if port 1194 to allow VPN clients
to connect to the server. Is that correct? Is there a more restrictive way
of doing this?

2. I would like to filter traffic coming and going from 10.8.0.xxx.
Do I write separate rules for the tun0 interface?

3. Do I use rdr to allow OpenVPN clients from the VPN network 10.8.0.xxx
to reach my internal network (192.168.2.xxx)? I would like VPN clients
to have the same access to my HPC clusters, DNS etc. as my desktops
behind PF.

Thank you so much for your help.
Predrag