On 09/17/2013 19:25, Predrag Punosevac wrote:

> Internet (128.xxx)             OpenVPN clients (VPN network 10.8.0.xxx)
>       |                        Also Public 128.xxx addresses
>       |                                   |
>       |                                   |
>       -------------------------------------
>                        |
>             ext_if/tun0 (128.0.0.1/10.8.0.1)
>                        |
>           Firewall/VPN Gateway (OpenBSD 5.4)
>                        |
>                        |
>                int_if (192.168.2.1)
>                        |
>       ----- Switch --- DNS/LDAP/FileServer (192.168.2.32/8)
>       |       |
>       |       |
>       |       ------------- other desktops (192.168.2.64/8)
>       |                            |
> SSH Gateway (192.168.2.200)    HPC machines on (192.168.2.128/8)

The subnet mask for private addresses seems odd. With the /8 mask you
have specified a class A network. Take a look at this table:
http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks
etc.

> 1. Right now I pass UDP packets on ext_if port 1194 to allow VPN clients
> to connect to server. Is that correct? Is there a more restrictive way
> of doing this?

As restrictive as it gets.

> 2. I would like to filter traffic coming and going from 10.8.0.xxx.
> Do I write separate rules for tun0 interface?

Yes.

> 3. Do I use rdr to allow OpenVPN clients from VPN network 10.8.0.xxx
> to reach my internal network (192.168.2.xxx)? I would like VPN clients
> to have the same access to my HPC clusters, DNS, etc. as my desktops
> behind PF.

I would suggest either to use the same subnet as for the other machines,
192.168.2.0/24 I suppose, or to edit the config files of services to
allow access from 10.8.0.0/16.

> Thank you so much for your help.
>
> Predrag
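A pf.conf fragment that turns the three answers above into rules, written as an added example for this thread rather than taken from either poster's configuration. The interface names em0 and em1, the VPN subnet 10.8.0.0/24 (OpenVPN's default "server" setting), the HPC range 192.168.2.128/25 and the service ports opened on the DNS/LDAP host are assumptions; the addresses otherwise follow the diagram.

```pf
# Assumed names and ranges (see lead-in); addresses follow the diagram.
ext_if  = "em0"            # assumption: external NIC
int_if  = "em1"            # assumption: internal NIC
vpn_if  = "tun0"
int_net = "192.168.2.0/24"
vpn_net = "10.8.0.0/24"    # assumption: OpenVPN default server subnet

dns_ldap_file = "192.168.2.32"
hpc_net       = "192.168.2.128/25"   # assumption: HPC block is .128-.255
ssh_gw        = "192.168.2.200"

set skip on lo

# Default deny; last matching rule wins unless "quick" is used.
block return log

# 1. The only thing OpenVPN needs on the public side is UDP/1194.
#    Everything the clients do afterwards arrives decrypted on tun0,
#    so nothing else is opened on ext_if for them.
pass in quick on $ext_if inet proto udp from any to ($ext_if) port 1194

# 2. VPN clients are filtered on tun0, not on ext_if: give them the same
#    services the desktops get, and nothing else. Ports are assumptions;
#    file-sharing ports for 192.168.2.32 would be added the same way.
pass in on $vpn_if inet proto { tcp udp } from $vpn_net \
    to $dns_ldap_file port { domain ldap ldaps }
pass in on $vpn_if inet proto tcp from $vpn_net to $hpc_net port ssh
pass in on $vpn_if inet proto tcp from $vpn_net to $ssh_gw port ssh

# 3. No rdr is involved: 10.8.0.0/24 and 192.168.2.0/24 are both directly
#    attached to the gateway, so packets are simply forwarded. The "pass
#    in" rules above keep state, and that state matches the forwarded
#    packet leaving on int_if and the reply coming back, so only the
#    outbound leg on int_if needs an explicit rule.
pass out on $int_if inet from $vpn_net to $int_net

# LAN as before: desktops may go anywhere, NATed on the public address.
pass in  on $int_if inet from $int_net to any
pass out on $ext_if inet from $int_net to any nat-to ($ext_if)
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors, and remember the two things PF cannot do for you: the gateway must forward packets (`net.inet.ip.forwarding=1` in /etc/sysctl.conf), and the OpenVPN server must hand the clients a route to the LAN (`push "route 192.168.2.0 255.255.255.0"` in the server config), otherwise client traffic for 192.168.2.0/24 never enters tun0 in the first place. If you instead follow the suggestion of putting VPN clients on the 192.168.2.0/24 subnet itself (OpenVPN's bridged "tap" mode), the tun0 rules become rules on the bridge interface and the service ACLs need no second subnet.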