* Predrag Punosevac <punoseva...@gmail.com> on [23-10-2016 20:18:27 -0400]:
> On 23-10-2016 at 17:01, Thuban wrote:
> > Hi,
> > I have an openvpn server running and working, but can't
> > go "outside" the server to access the web.
> >
> > To configure the server, I followed this:
> > http://2f30.org/guides/openvpn.html
> >
> > So ip forwarding is active, the vpn port is open, clients can connect to the
> > vpn. But they can't access the web.
> >
> > I guess the problem comes from this pf rule:
> >
> > pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)
> >
> > I've been on this issue for too many hours to have a clear mind on this.
> > Any advice to find why I'm stuck on the server?
> >
> > Regards.
> >
> >
> Hi,
>
> I saw your e-mail this morning but I had no idea what to make of it
> as I am confused about your network topology. I was also not impressed
> that you were following some howto from the internet. Both PF and
> OpenVPN are well documented. Grab the books and read them.
>
The link to the howto was to avoid long explanations. Anyway, here is some
more information. I'm pretty sure I'm wrong to redirect packets.

What I want is simply this:

VPN Clients -----> Server -----> Web

openvpn configuration:

dev tun0
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 80.67.169.12"
push "redirect-gateway def1"
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/private/server.key
dh /etc/openvpn/dh.pem
crl-verify /etc/openvpn/crl.pem
daemon openvpn
group _openvpn
user _openvpn
keepalive 10 120
management 127.0.0.1 1195 /etc/openvpn/private/mgmt.pwd
max-clients 100
persist-key
persist-tun
port 1194
proto udp
comp-lzo
client-cert-not-required
username-as-common-name
script-security 3 system
auth-user-pass-verify /usr/local/libexec/openvpn_bsdauth via-env
auth-nocache
log-append /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
verb 3

/etc/pf.conf:

ext_if = "re0"                        # interface
ssh_port = "2222"                     # ssh port
http_ports = "{ www https }"          # http(s) ports
mail_ports = "{ submission imaps }"   # mail ports
tcp_pass = "{ gopher ipp 8000 }"      # open tcp ports
udp_pass = "{ 1194 }"                 # open udp ports

set block-policy drop     # drop silently
set skip on lo            # no filtering on loopback
set limit table-entries 400000

## tables for the nasty brute-forcers
table <ssh_abuse> persist
table <http_abuse> persist
table <mail_abuse> persist

# antispam with greylisting
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"
table <bgp-spamd-bypass> persist

## Packet handling ##
match in all scrub (no-df)   # fragmented packets
block in quick from urpf-failed

## Firewall rules ##
# block everything by default
block log all

# block blacklisted IPs
block in log quick proto tcp from <http_abuse> to any port $http_ports
block in log quick proto tcp from <ssh_abuse> to any port $ssh_port

# antispam
pass in on $ext_if proto tcp from any to any port smtp \
    divert-to 127.0.0.1 port spamd
pass in on $ext_if proto tcp from <nospamd> to any port smtp
pass in on $ext_if proto tcp from <spamd-white> to any port smtp
pass in quick on $ext_if proto tcp from <bgp-spamd-bypass> to any port smtp

# If more than 3 connections every 60 seconds on the ssh port,
# add the IP to block it.
pass in on $ext_if proto tcp to any port $ssh_port flags S/SA keep state \
    (max-src-conn-rate 5/60, overload <ssh_abuse> flush global)

# If more than 50 connections every 5 seconds on the http(s) ports,
# or if it tries to connect more than 100 times,
# add the IP to block it.
pass in on $ext_if proto tcp to any port $http_ports flags S/SA keep state \
    (max-src-conn-rate 50/5, overload <http_abuse> flush)

# Brute-force protection for mail
pass in on $ext_if proto tcp to any port $mail_ports flags S/SA keep state \
    (max-src-conn-rate 10/60, overload <mail_abuse> flush global)

# allow ping
pass quick inet6 proto ipv6-icmp all icmp6-type { echoreq, unreach }
pass quick inet proto icmp all icmp-type { echoreq, unreach }

# open the other ports
pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
pass in quick on $ext_if proto udp to any port $udp_pass keep state

# vpn
pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)

# everything open outbound
pass out on $ext_if proto { tcp udp icmp } all modulate state

Regards.
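Two things in the posted rule set account for the symptom under PF's last-matching-rule semantics: nothing passes the clients' packets in on tun0 past "block log all", and the later "pass out on $ext_if proto { tcp udp icmp } all modulate state" also matches the VPN clients' outbound packets, so it wins over the earlier nat-to rule and they leave untranslated. The fragment below is an added example, not from the original post or the linked guide; it keeps the post's re0, tun0 and 10.8.0.0/24 and moves the translation onto a "match" rule, which applies nat-to without ending rule evaluation.

```pf
# /etc/pf.conf fragment (added example; interface names and subnet taken from the post).
# PF evaluates rules top to bottom and the LAST matching pass/block rule wins,
# unless a rule says "quick". "match" rules never terminate evaluation: their
# options (here nat-to) are attached to the packet and the pass/block rules
# that follow still decide whether it is allowed.
ext_if  = "re0"
vpn_if  = "tun0"          # OpenVPN "dev tun0"
vpn_net = "10.8.0.0/24"   # OpenVPN "server 10.8.0.0 255.255.255.0"

block log all

# 1. Client packets arrive on tun0 and must be passed in before the kernel can
#    forward them; with only "block log all" they are dropped (the "pass quick
#    ... icmp" rules explain why ping alone may still work).
pass in quick on $vpn_if inet from $vpn_net to any keep state

# 2. Translate on the way out. As a "match" rule, nat-to is applied no matter
#    which later "pass out" rule finally matches. As a "pass out" rule it was
#    silently overridden by the later, more general "pass out ... modulate state".
match out on $ext_if inet from $vpn_net to any nat-to ($ext_if)

# The post's catch-all outbound rule stays as it was and now passes the
# already-translated VPN traffic.
pass out on $ext_if proto { tcp udp icmp } all modulate state

# Checking it, as root on the server:
#   pfctl -nf /etc/pf.conf            # parse only, do not load
#   pfctl -f /etc/pf.conf             # load the rule set
#   sysctl net.inet.ip.forwarding     # must be 1 or nothing is routed
#   pfctl -s rules                    # the "match ... nat-to" line must appear
#   pfctl -s states                   # while a client browses, its connection
#                                     # shows the re0 address with the 10.8.0.x
#                                     # address in parentheses
```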