# pf rules for OpenVPN, bridged.



## mbr661 (Feb 5, 2010)

Hello All, 

I need a little help with pf. 

I'm running FreeBSD 7.1 as a gateway, OpenVPN server, and Squid. 
OpenVPN 2.1.1 is running in bridge mode. I can connect over VPN to the server, but my clients cannot reach the network machines behind the gateway or go out to the Internet. I'm sure the problem is with my VPN rules, but I cannot figure it out. Any help will be greatly appreciated.

Thanks in advance.

My pf.conf is below:


```
int_if  = "rl1"
ext_if  = "rl0"
vpn_if  = "tap0"
vpn_net = "$vpn_if:192.168.75.200/27"   # expands to tap0:192.168.75.200/27, the cause of the syntax errors flagged below

tcp_services = "{ 22 }"
udp_services = "{ 1194 }"

icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

set block-policy drop #drop silently
set loginterface $ext_if #log stats on ext_if
set skip on lo0 #skip all pf processing on lo0

scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)

block all

block drop in quick on $ext_if from $priv_nets to any

block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass quick on $vpn_if

# pfctl reports a syntax error on each of the next four rules: $vpn_net
# expands to "tap0:192.168.75.200/27", and pf accepts only :network,
# :broadcast, :peer or :0 after an interface name, not an arbitrary CIDR
pass in on $int_if from $vpn_net to any keep state
pass out on $int_if from $vpn_net to any keep state

pass in on $ext_if from $vpn_net to any keep state
pass out on $ext_if from $vpn_net to any keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```


----------



## mbr661 (Feb 6, 2010)


One more question if you please.

Once I connect via OpenVPN (bridged), the remote computer adopts an IP address from the LAN. This connection is through the tap0 interface.

I already have a NAT rule for $int_if:network, so my local clients can reach the Internet.

Do I need a second NAT rule for the vpn clients, on the $vpn_if? 

Thanks in advance!


----------



## mbr661 (Feb 8, 2010)


I resolved the above issues by simply ignoring $vpn_if:

`set skip on { lo0, $vpn_if }`

I figure OpenVPN is secure enough that I don't need to further filter that interface with pf.

My complete pf.conf is as follows:


```
int_if  = "rl1"
ext_if  = "rl0"
vpn_if  = "tap0"
lan     = "$int_if:192.168.75.0/24"     # not referenced by any rule below, so pf never parses it
vpn_net = "$vpn_if:<vpn_clients>"       # likewise unused; tap0 is skipped entirely
udp_services = "{ 1194 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
table <vpn_clients> persist file "/etc/pf.tables/vpn_clients"
table <emerging-threats> persist file "/usr/local/etc/IPBlocks/EmergingThreats"
set block-policy drop
set loginterface $ext_if
set skip on { lo0, $vpn_if }
scrub in all
nat on $ext_if from !($ext_if) to any -> ($ext_if)
block in log all
antispoof quick for { lo, $int_if }
block drop in log quick on $ext_if from $priv_nets to any
block drop out log quick on $ext_if from any to $priv_nets
block drop in log quick on $ext_if from <emerging-threats> to any
block drop out log quick on $ext_if from any to <emerging-threats>
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
pass in on $int_if inet
pass out keep state
```


----------
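The syntax errors in the first post and the `set skip on` workaround in the last one both come down to how pf handles macros and interface modifiers: a macro is substituted textually wherever `$name` appears, an unused macro is never parsed at all, and after an interface name pf only accepts `:network`, `:broadcast`, `:peer` or `:0`. The following lint script is an added example, not code from the thread or from the pf project; it expands macros the way pf's lexer does and reports an interface followed by anything else, non-loopback interfaces listed in `set skip on`, and macros that are defined but never referenced. The three embedded pf.conf fragments are constructed from the thread's configs (`PFCONF_FIXED` is an assumed corrected version in which tap0 is filtered rather than skipped); `pfctl -nf` remains the authoritative parser.

```python
"""Added example: a small pf.conf lint that explains why pfctl rejected
the rules in this thread. IPv4-oriented; IPv6 literals contain ':' and
would need extra handling. Not a replacement for `pfctl -nf`."""
import re

MACRO_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$')
MACRO_REF_RE = re.compile(r'\$([A-Za-z_]\w*)')
# an interface name immediately followed by ':' and a modifier, e.g. rl1:network
IFACE_MOD_RE = re.compile(r'\b([a-z]+[0-9]+):([^\s,}()]+)')
SKIP_RE = re.compile(r'^\s*set\s+skip\s+on\s+(.+)$')
# the only interface modifiers pf accepts after ':'
VALID_MODIFIERS = {"network", "broadcast", "peer", "0"}


def strip_comment(line):
    return line.split('#', 1)[0].strip()


def parse_macros(conf):
    """Return {name: (value, line_number)} for every 'name = "value"' line."""
    macros = {}
    for lineno, raw in enumerate(conf.splitlines(), 1):
        m = MACRO_RE.match(strip_comment(raw))
        if m:
            macros[m.group(1)] = (m.group(2).strip('"'), lineno)
    return macros


def expand(text, macros, used, depth=0):
    """Textually substitute $name references, recursively, as pf's lexer does."""
    if depth > 16:
        raise ValueError("macro recursion too deep")

    def sub(m):
        name = m.group(1)
        if name not in macros:
            raise KeyError(f"undefined macro ${name}")
        used.add(name)
        return expand(macros[name][0], macros, used, depth + 1)

    return MACRO_REF_RE.sub(sub, text)


def lint(conf):
    """Return a sorted list of (line_number, message) findings for a pf.conf string."""
    macros = parse_macros(conf)
    used = set()
    findings = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = strip_comment(raw)
        if not line or MACRO_RE.match(line):
            continue  # blank, comment-only or macro definition
        expanded = expand(line, macros, used)
        for iface, mod in IFACE_MOD_RE.findall(expanded):
            if mod not in VALID_MODIFIERS:
                findings.append((lineno, f"'{iface}:{mod}' is not pf syntax: after an "
                                         f"interface ':' only :network, :broadcast, :peer or :0 is allowed"))
        m = SKIP_RE.match(expanded)
        if m:
            for iface in re.findall(r'\w+', m.group(1)):
                if not iface.startswith('lo'):
                    findings.append((lineno, f"'set skip on' {iface}: no filtering or state tracking on {iface}"))
    for name, (value, lineno) in macros.items():
        if name not in used:
            findings.append((lineno, f'macro ${name} = "{value}" is never referenced, so pf never parses it'))
    return sorted(findings)


# Constructed input: the relevant lines of the first pf.conf in the thread.
PFCONF_ORIGINAL = """\
int_if  = "rl1"
ext_if  = "rl0"
vpn_if  = "tap0"
vpn_net = "$vpn_if:192.168.75.200/27"
set skip on lo0
nat on $ext_if from $int_if:network to any -> ($ext_if)
pass quick on $vpn_if
pass in on $int_if from $vpn_net to any keep state
pass out on $ext_if from $vpn_net to any keep state
"""

# Constructed input: the relevant lines of the final pf.conf in the thread.
PFCONF_SKIP = """\
int_if  = "rl1"
ext_if  = "rl0"
vpn_if  = "tap0"
lan     = "$int_if:192.168.75.0/24"
set skip on { lo0, $vpn_if }
nat on $ext_if from !($ext_if) to any -> ($ext_if)
pass in on $int_if inet
pass out keep state
"""

# Assumed fix (not from the thread): a plain CIDR macro and filtering on tap0.
PFCONF_FIXED = """\
int_if  = "rl1"
ext_if  = "rl0"
vpn_if  = "tap0"
vpn_net = "192.168.75.200/27"
set skip on lo0
nat on $ext_if from !($ext_if) to any -> ($ext_if)
pass in on $vpn_if from $vpn_net to any keep state
pass out on $vpn_if from any to $vpn_net keep state
pass in on $int_if from $int_if:network to any keep state
pass out keep state
"""

if __name__ == "__main__":
    for label, conf in (("original", PFCONF_ORIGINAL), ("skip", PFCONF_SKIP), ("fixed", PFCONF_FIXED)):
        print(f"== {label} ==")
        for lineno, msg in lint(conf) or [(0, "no findings")]:
            print(f"line {lineno}: {msg}")
```

Running it against the first config reports the two `$vpn_net` rules as `tap0:192.168.75.200/27`, against the final one it reports tap0 under `set skip on` and the unused `lan` macro, and the assumed fixed version comes back clean.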

