I had the same symptom, where I'd have to manually reload my pf rules after a reboot to get OpenVPN traffic to flow. Using tcpdump showed that pf was blocking all the traffic on my tun interfaces although I had a "set skip" rule for them.

I may not be completely right here, but I believe pf gets loaded before openvpn, so openvpn will not have created the interface yet. I ran into this problem here because I was trying to do "set skip on { tun0 tun1 }" so pf would ignore my vpn interfaces. However, they weren't yet created so the skip rule had no effect and pf would block all traffic on them until I reloaded the ruleset. I also had /etc/hostname.{tun0,tun1} files, both simply containing the "up" keyword.

Anyhow, I don't have the issue any longer because I just added this rule:

pass quick on { tun0 tun1 }

That seems to be effective regardless of whether or not the interfaces exist when pf loads, so my OpenVPN tunnels work after reboots without intervention.

Regards,
Mark
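For readers who want to see where Mark's rule sits in a full ruleset, the following /etc/pf.conf is an added example, not a file posted by anyone in this thread. On OpenBSD the ruleset is loaded early in /etc/rc, while /etc/rc.local (where both posters start OpenVPN) runs near the end of boot, so the tun devices OpenVPN creates do not yet exist when pf reads its rules. The interface name em0, the OpenVPN port 1194 and the ssh rule are assumptions for illustration.

```pf
# /etc/pf.conf -- added example, not from the thread.
# ext_if is an assumed name for the physical interface; adjust to taste.
ext_if = "em0"
vpn_ifs = "{ tun0 tun1 }"

set skip on lo

# The approach reported to fail after a reboot in this thread:
#   set skip on { tun0 tun1 }
# Mark's observation is that the skip had no effect on tun devices that
# did not exist when the ruleset was loaded, until the rules were reloaded.

# Mark's working replacement: an ordinary rule, evaluated per packet, so it
# applies to tun0/tun1 whenever they appear. 'quick' stops evaluation here,
# so keep this line above any 'block ... quick' rule for the same interfaces.
pass quick on $vpn_ifs

# Default deny on the physical interface, then the services needed to
# reach the box and bring the tunnel up (assumed ports).
block in log on $ext_if
pass in on $ext_if proto udp to ($ext_if) port 1194 keep state   # OpenVPN
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state     # ssh
pass out on $ext_if keep state
```

After a reboot, `pfctl -s rules` should list the `pass quick on tun0` / `tun1` rules, and `pfctl -s Interfaces -v` shows which interfaces pf knows about and whether the skip flag is set on them; if a `set skip` interface is listed without the skip flag, that is the symptom Mark describes.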



Bill wrote:
On Thu, 19 Jul 2007 15:06:55 -0700
<[EMAIL PROTECTED]> spake:

I have the same problem. I was going to post this question too along with another question.

When I first boot up my OpenBSD 4.1 server, I cannot access my OpenVPN wireless connection. I can access ssh wirelessly though. So what I do is login via ssh and run pfctl -f /etc/pf.conf. Now my OpenVPN connection works just fine. I too have my startup script in /etc/rc.local but it is much simpler:

/usr/local/sbin/openvpn /var/openvpn/server.conf

I am curious to know why pf requires a command line start for it to work.

I have a few OpenVPN installations running and do not have this problem
with any of them. I start my PF normally through the rc.conf.local
pf=
pf_rules=/etc/brock.conf

My OpenVPN starts in rc.local

 echo -n ' openvpn'; /usr/local/sbin/openvpn --cd /etc/openvpn --config server.conf --daemon

It all "just works"(TM).

Do you have a hostname.tun0 file in /etc?
I forget if OpenVPN will create the tun0, but it could be why PF needs
to be run after in your instance.  I have simply:

UP

in this file.
