# OpenVPN and PF



## Fatman (Jan 3, 2009)

Hi everyone,

I have been trying to setup OpenVPN for weeks now and I am at a point where I'm a little confused why I can't ping a computer on the network. Here's my setup:

PC->internet-> FW -> OpenVPN with PF -> Linksys Router -> Network

Some background info:

```
OpenVPN ExtNIC: 172.16.0.200
OpenVPN IntNIC: 192.168.20.200

Linksys Router network: 192.168.20.0/24
Linksys Internal Port 4 connected to OpenVPN on IntNIC
```

pf.conf for the OpenVPN box:

```
ext_if="fxp0"
int_if="rl0"
vpn_if="tun0"

set skip on lo
scrub in

nat on $ext_if from !($ext_if) -> ($ext_if)

block in log

pass out keep state
pass quick on $int_if no state
pass in on $vpn_if keep state
pass in on $ext_if proto udp to ($ext_if) port 1194
pass out proto icmp keep state
pass in proto icmp keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh
```

I can establish the VPN connection without any problems.
My tun0 interface is assigned an IP:

```
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
```

The 192.168.20.0/24 network gets pushed to my winblows box:

```
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.101       25
         10.8.0.1  255.255.255.255        10.8.0.13       10.8.0.14       1
        10.8.0.12  255.255.255.252        10.8.0.14       10.8.0.14       30
        10.8.0.14  255.255.255.255        127.0.0.1       127.0.0.1       30
   10.255.255.255  255.255.255.255        10.8.0.14       10.8.0.14       30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.101   192.168.1.101       25
    192.168.1.101  255.255.255.255        127.0.0.1       127.0.0.1       25
    192.168.1.255  255.255.255.255    192.168.1.101   192.168.1.101       25
     192.168.20.0    255.255.255.0        10.8.0.13       10.8.0.14       1
        224.0.0.0        240.0.0.0        10.8.0.14       10.8.0.14       30
        224.0.0.0        240.0.0.0    192.168.1.101   192.168.1.101       25
  255.255.255.255  255.255.255.255        10.8.0.14               2       1
  255.255.255.255  255.255.255.255        10.8.0.14       10.8.0.14       1
  255.255.255.255  255.255.255.255    192.168.1.101   192.168.1.101       1
Default Gateway:       192.168.1.1
```

From Windows, I can ping the OpenVPN IntNIC and the IP of the Linksys Router (192.168.20.1). This is where I'm stumped: I can't ping my RDP server (192.168.20.101).

My OpenVPN can ping any address in the 192.168.20.0/24 net. I'm guessing I'm missing a rule or a static route somewhere but I just can't figure it out.

I'm sorry for this large posting and hoping someone can point out my mistake.

Sincerely,

Fatman


----------



## Fatman (Jan 3, 2009)

I figured it out with the help of logical thinking and tcpdump. With my connection established, I used `ping -t [ip of rdp server]` from my Windows box and used tcpdump to follow the traffic.

On tun0, I saw:

```
# tcpdump -n -i tun0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes
10:49:53.800375 IP 10.8.0.14 > 192.168.20.101: ICMP echo request, id 1024, seq 8449, length 40
```

On rl0, I saw:

```
10:52:25.939253 IP 10.8.0.14 > 192.168.20.101: ICMP echo request, id 1024, seq 47361, length 40
```

This led me to believe that I required a static route on the Linksys router. I added 10.8.0.0/24 via 192.168.20.200 and voila, everything worked.

Now it's time for me to go over my pf rules and read up more about OpenVPN to understand the inner workings. I hope this was informative to some.

Later,

Fatman
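The return-path problem described in the post, walked through with a small longest-prefix-match route lookup (an added example, not part of the original thread): the echo request reaches 192.168.20.101 untouched, but the reply for 10.8.0.14 follows that host's default route to the Linksys, which without a 10.8.0.0/24 entry hands it to its WAN side instead of back to 192.168.20.200. The per-hop tables below are constructed and simplified from the addresses in the thread; `tun0` stands in for delivery over the VPN.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop), ...]; None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

# Constructed tables: RDP server, Linksys (before the fix), OpenVPN box.
ROUTES_BEFORE = {
    "192.168.20.101": [("192.168.20.0/24", "direct"), ("0.0.0.0/0", "192.168.20.1")],
    "192.168.20.1":   [("192.168.20.0/24", "direct"), ("0.0.0.0/0", "WAN")],
    "192.168.20.200": [("192.168.20.0/24", "direct"), ("10.8.0.0/24", "tun0")],
}

# Same, after adding "10.8.0.0/24 via 192.168.20.200" on the Linksys.
ROUTES_AFTER = dict(ROUTES_BEFORE)
ROUTES_AFTER["192.168.20.1"] = [
    ("192.168.20.0/24", "direct"),
    ("10.8.0.0/24", "192.168.20.200"),
    ("0.0.0.0/0", "WAN"),
]

def trace_reply(routes, src_host, dst, max_hops=8):
    """Follow the ICMP reply hop by hop from src_host toward dst.

    Returns (hosts visited, True if it was handed to tun0 for the VPN
    client, False if it was dropped or forwarded off the LAN)."""
    path, host = [src_host], src_host
    for _ in range(max_hops):
        nexthop = lookup(routes.get(host, []), dst)
        if nexthop == "tun0":
            return path, True
        if nexthop in (None, "direct", "WAN"):
            # 10.8.0.14 is not on the LAN, so "direct" and "WAN" both mean
            # the reply never comes back through the VPN.
            return path, False
        path.append(nexthop)
        host = nexthop
    return path, False

if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, trace_reply(routes, "192.168.20.101", "10.8.0.14"))
```

Seen from the firewall side, this is also why `tcpdump` on rl0 showed only echo requests and never replies: nothing was blocked, the reply was simply routed away.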


----------

