I was hoping someone more experienced than myself would chip in and help you but since I run a similar setup I'll show you my configuration. I'm not perfectly clear on your physical network layout so you have to adapt my suggestions as needed. I run my OpenVPN server on the same physical machine as my router/firewall.

Here are the needed parts from /etc/pf.conf

ext_if = "em0"
vpn_if = "tun0"

The following two rules take care of all nat:

nat on $ext_if inet proto udp from !($ext_if) to any -> ($ext_if) static-port
nat on $ext_if inet from !($ext_if) to any -> ($ext_if) port 1024:65535

The ! is a logical NOT so the rules will nat from any interface that is NOT em0 to my external interface em0. I nat udp separately to force it to keep the source and destination ports.

You need to allow inbound traffic on the OpenVPN port:

pass in quick on $ext_if proto udp from any to ($ext_if) port 1194 keep state

You also need to pass traffic on the tun interface. I trust my clients so I pass everything.

pass quick on $vpn_if all

Those are all the OpenVPN related rules I have in /etc/pf.conf. I don't run IPv6 over my OpenVPN so you need to allow for that if needed.

My OpenVPN config is short and pretty standard. I push the default gateway to my clients to force all traffic from them to actually go through the tunnel. You need to adjust your OpenVPN network address, LAN DOMAIN name and your DNS server address.

port 1194
proto udp4
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 192.168.169.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DOMAIN local"
push "dhcp-option DNS 192.168.69.2"
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status /dev/null
log-append openvpn.log
verb 3

This seems to be working, except that I get some warnings in the OpenVPN
log about "PID_ERR replay-window backtrack occurred [1] [SSL-0]"

Three questions:

1. Is this error something I need to be concerned about?

I have not seen this error. Someone more knowledgable in OpenVPN need to help you here.

2. Since the router I have between the server machine and the internet has
a firewall, do I need to worry about any other rules in the pf ruleset?
(i.e. is it safe to use my modified version of the handbook example?)

Are you running OpenVPN on a separate machine behind your router/firewall? Does it too run FreeBSD? Does it have pf enabled?

If your OpenVPN server is on a machine behind the router/firewall you need an rdr rule to forward port 1194 from your router to the correct machine and the pass rule for traffic on port 1194 would need to refer to the OpenVPN server ip instead of ext_if. The pass rule for tun0 would not be needed. This is different from how I run my setup and additional configuration would be needed on the OpenVPN server itself if you have enabled pf on it.

3. I don't intend to change the server machine's IP address, so I
eliminated the "($ext_if)" and replaced it with the server's static
address. Using the ($ext_if) and running pfctl -vnf /etc/pf.conf results in
reporting "(em0) round robin" instead of the actual IP of the server. This
seems to work, but is it really necessary?

As I understand it it's helpful to people who run dynamic ip addresses on their external interfaces.

Regards
Morgan
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"

Reply via email to