Hi list,
I'm having a weird problem with my openvpn install and pf.
I start the VPN and connect to it from client computers with no problems,
but I can't access any computers on the internal LAN. Then I issue pfctl -f
/etc/pf.conf and everything starts to work. So my rc.local script is:
<--->
if [ X"${openvpn}" == X"YES" -a -x /usr/local/sbin/openvpn ]; then
	echo -n ' openvpn'
	/usr/local/sbin/openvpn --cd /etc/openvpn --config server.conf
	# give the daemon time to bring tun0 up before reloading the ruleset
	sleep 10
	/sbin/pfctl -f /etc/pf.conf
fi
<--->
And everything works fine. But why do I need to reload my pf?
My server.conf is:
<--->
daemon openvpn
local xxx.xxx.xxx.xxx
port 1194
proto udp
dev tun0
tun-mtu 1500
mssfix
keepalive 10 120
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
cipher AES-256-CBC
server 192.168.5.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
route 192.168.6.0 255.255.255.0
chroot /etc/openvpn
status /var/log/openvpn-status.log
log /var/log/openvpn-log.log
writepid /var/run/openvpn.pid
ifconfig-pool-persist ipp.txt
replay-persist replay.txt
client-config-dir ccd
max-clients 5
user nobody
group nobody
persist-key
persist-tun
comp-lzo
verb 3
mute 10
<--->
My hostname.tun0 is:
<--->
up
<--->
My pf.conf is:
<--->
ext_if="vr0"
int_if="vr1"
admins1="xxx.xxx.xxx.xxx"
admins2="xxx.xxx.xxx.xxx"
organization_net="192.168.0.0/24"
ovpn_net="192.168.6/24"
ovpn="1194"
table <admins> { $admins1, $admins2 } const persist
table <rfc1918> { 10/8, 172.16/12, 192.168/16 } const persist
table <bad_hosts> persist
set block-policy drop
set optimization normal
set ruleset-optimization basic
set state-policy if-bound
set loginterface $ext_if
set skip on { lo0, $int_if, tun0 }
scrub on $ext_if no-df fragment reassemble random-id
nat-anchor "ftp-proxy/*"
nat on $ext_if from $organization_net to any -> ($ext_if:0)
rdr pass on $int_if inet proto tcp to port ftp -> 127.0.0.1 port 8021
rdr-anchor "ftp-proxy/*"
block log all
block in log quick on $ext_if from any to 255.255.255.255
antispoof log quick for { lo0, $ext_if, $int_if }
anchor "ftp-proxy/*"
pass log on $ext_if inet proto icmp icmp-type unreach code needfrag
pass in log quick on $ext_if inet proto icmp from <admins> to ($ext_if) icmp-type echoreq modulate state label "icmp for admins"
pass in log quick on $ext_if inet proto tcp from <admins> to ($ext_if) port ssh modulate state label "ssh for admins"
pass out on $ext_if inet proto { tcp, udp, icmp } from ($ext_if) to any modulate state
pass in log on $ext_if inet proto udp from any to ($ext_if) port $ovpn modulate state (max-src-conn-rate 30/10, overload <bad_hosts> flush global)
<--->
I'm using OpenBSD 4.1 and OpenVPN openvpn-2.0.6p0.
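One check that helps narrow down a ruleset that only behaves after a reload: expand the interfaces named in pf.conf's "set skip on" (macros included) and compare them with what pfctl reports as skipped, once right after the ruleset is loaded and again once OpenVPN has tun0 open. This is an added example, not code from the post above; it assumes the verbose "pfctl -s Interfaces -v" listing prints one interface name per line with " (skip)" appended when the flag is set (indented statistic lines are ignored), and both listings below are constructed, not captured.

```shell
#!/bin/sh
# Constructed excerpt of the poster's pf.conf: the macros plus the skip line.
PFCONF='ext_if="vr0"
int_if="vr1"
set skip on { lo0, $int_if, tun0 }'

# Constructed listings in the shape of 'pfctl -s Interfaces -v', taken right
# after the ruleset load and again after OpenVPN has reopened tun0.
LISTING_BEFORE='all
lo0 (skip)
vr0
vr1 (skip)
tun0 (skip)'
LISTING_AFTER='all
lo0 (skip)
vr0
vr1 (skip)
tun0'

# pf_skip_missing PFCONF LISTING: print each interface that 'set skip on'
# names (after macro expansion) but that the live listing does not flag.
pf_skip_missing() {
    configured=$(printf '%s\n' "$1" | awk '
        /^[A-Za-z_][A-Za-z0-9_]*="[^"]*"$/ {
            split($0, kv, "="); gsub(/"/, "", kv[2]); macro[kv[1]] = kv[2]; next }
        /^set skip on/ {
            line = $0; sub(/^set skip on[ \t]*/, "", line)
            gsub(/[{},]/, " ", line)
            n = split(line, f, "[ \t]+")
            for (i = 1; i <= n; i++) {
                if (f[i] == "") continue
                name = f[i]
                if (substr(name, 1, 1) == "$") name = macro[substr(name, 2)]
                print name
            }
        }')
    # names carrying the skip flag, padded with spaces for exact matching
    live=" $(printf '%s\n' "$2" | awk '/^[A-Za-z][A-Za-z0-9]* \(skip\)$/ { print $1 }' | tr '\n' ' ') "
    for iface in $configured; do
        case "$live" in
            *" $iface "*) ;;
            *) printf '%s\n' "$iface" ;;
        esac
    done
}

echo "skip flag missing before OpenVPN: [$(pf_skip_missing "$PFCONF" "$LISTING_BEFORE")]"
echo "skip flag missing after OpenVPN:  [$(pf_skip_missing "$PFCONF" "$LISTING_AFTER")]"
```

On the real box, feed it the pf.conf and the output of pfctl -s Interfaces -v before and after the sleep in rc.local; an interface that drops out of the skip set between the two runs is worth reporting to the list.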