# OpenVPN + pf (FreeBSD 7.4) packets



## Fireball (Feb 16, 2012)

Hello,

I am configuring OpenVPN on a FreeBSD 7.4 gateway. There are two external interfaces, fxp0 (ISP1) and fxp1 (ISP2), and an internal one, age0 (LAN).

OpenVPN is not working on the clients. On Windows I'm getting these messages:

```
Thu Feb 16 21:22:26 2012 Re-using SSL/TLS context
Thu Feb 16 21:22:26 2012 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Feb 16 21:22:26 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Feb 16 21:22:26 2012 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Thu Feb 16 21:22:26 2012 Local Options hash (VER=V4): '3514370b'
Thu Feb 16 21:22:26 2012 Expected Remote Options hash (VER=V4): '239669a8'
Thu Feb 16 21:22:26 2012 UDPv4 link local: [undef]
Thu Feb 16 21:22:26 2012 UDPv4 link remote: 193.239.243.29:5061
Thu Feb 16 21:23:26 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Feb 16 21:23:26 2012 TLS Error: TLS handshake failed
Thu Feb 16 21:23:26 2012 TCP/UDP: Closing socket
Thu Feb 16 21:23:26 2012 SIGUSR1[soft,tls-error] received, process restarting
Thu Feb 16 21:23:26 2012 Restart pause, 2 second(s)
Thu Feb 16 21:23:28 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
```

I found out with tcpdump on the server that if UDP is used, then despite the pf configuration, packets come in from the client on one interface and leave the server toward the client through another interface (the one corresponding to the defaultrouter).

If TCP is used, then on Windows I get these messages:

```
Thu Feb 16 21:38:52 2012 TCP: connect to 193.239.243.29:5061 failed, will try again in 5 seconds: Connection refused (WSAECONNREFUSED)
```

*tcpdump -n -e -ttt -i pflog0* gives the following:

```
# tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
000000 rule 0/0(match): pass in on fxp0: 188.123.231.19.13509 > 192.168.1.2.5061: [|tcp]
000018 rule 0/0(match): pass out on fxp1: 192.168.1.2.5061 > 188.123.231.19.13509: [|tcp]
000004 rule 0/0(match): pass out on fxp0: 192.168.1.2.5061 > 188.123.231.19.13509:  tcp 20 [bad hdr length 0 - too short, < 20]
506045 rule 0/0(match): pass in on fxp0: 188.123.231.19.13509 > 192.168.1.2.5061: [|tcp]
000013 rule 0/0(match): pass out on fxp1: 192.168.1.2.5061 > 188.123.231.19.13509: [|tcp]
000004 rule 0/0(match): pass out on fxp0: 192.168.1.2.5061 > 188.123.231.19.13509: [|tcp]
505661 rule 0/0(match): pass in on fxp0: 188.123.231.19.13509 > 192.168.1.2.5061: [|tcp]
000008 rule 0/0(match): pass out on fxp1: 192.168.1.2.5061 > 188.123.231.19.13509: [|tcp]
000002 rule 0/0(match): pass out on fxp0: 192.168.1.2.5061 > 188.123.231.19.13509:  tcp 20 [bad hdr length 0 - too short, < 20]
1.473774 rule 2/0(match): pass in on fxp1: 91.197.11.253.58382 > 192.168.2.2.143: [|tcp]
000120 rule 2/0(match): pass out on fxp1: 192.168.2.2.143 > 91.197.11.253.58382: [|tcp]
179786 rule 2/0(match): pass in on fxp1: 91.197.11.253.58382 > 192.168.2.2.143: [|tcp]
000227 rule 2/0(match): pass out on fxp1: 192.168.2.2.143 > 91.197.11.253.58382: [|tcp]
105192 rule 2/0(match): pass in on fxp1: 91.197.11.253.58382 > 192.168.2.2.143: [|tcp]
000554 rule 2/0(match): pass out on fxp1: 192.168.2.2.143 > 91.197.11.253.58382: [|tcp]
254038 rule 2/0(match): pass in on fxp1: 91.197.11.253.58382 > 192.168.2.2.143:  tcp 20 [bad hdr length 0 - too short, < 20]
590182 rule 2/0(match): pass in on fxp1: 91.197.11.253.58382 > 192.168.2.2.143: [|tcp]
000785 rule 2/0(match): pass out on fxp1: 192.168.2.2.143 > 91.197.11.253.58382: [|tcp]
214270 rule 2/0(match): pass in on fxp1: 91.197.11.253.58382 > 192.168.2.2.143: [|tcp]
2.202411 rule 0/0(match): pass in on fxp0: 188.123.231.19.14292 > 192.168.1.2.5061: [|tcp]
000020 rule 0/0(match): pass out on fxp1: 192.168.1.2.5061 > 188.123.231.19.14292: [|tcp]
000004 rule 0/0(match): pass out on fxp0: 192.168.1.2.5061 > 188.123.231.19.14292: [|tcp]
510680 rule 0/0(match): pass in on fxp0: 188.123.231.19.14292 > 192.168.1.2.5061: [|tcp]
000011 rule 0/0(match): pass out on fxp1: 192.168.1.2.5061 > 188.123.231.19.14292: [|tcp]
000003 rule 0/0(match): pass out on fxp0: 192.168.1.2.5061 > 188.123.231.19.14292: [|tcp]
503140 rule 0/0(match): pass in on fxp0: 188.123.231.19.14292 > 192.168.1.2.5061: [|tcp]
000008 rule 0/0(match): pass out on fxp1: 192.168.1.2.5061 > 188.123.231.19.14292: [|tcp]
000003 rule 0/0(match): pass out on fxp0: 192.168.1.2.5061 > 188.123.231.19.14292: [|tcp]
```

where 192.168.1.2 is the server's IP (the server is located in a DMZ, therefore the IP is a private, "gray" one). I am connecting through this IP, which corresponds to ISP1;
fxp0 is the interface for ISP1.

192.168.2.2 is the server's IP corresponding to ISP2, 192.168.2.1 is the defaultrouter, and
fxp1 is the interface corresponding to ISP2.

I'm confused by lines like

```
000018 rule 0/0(match): pass out on fxp1: 192.168.1.2.5061 > 188.123.231.19.13509: [|tcp]
```
because I connect to fxp0, not fxp1.

pf.conf

```
set state-policy if-bound

rdr on age0 proto tcp from any to 192.168.0.1 port 2525 -> 192.168.0.1 port 25

# It is for NAT (VPN)
nat on fxp0 from 192.168.3.0/24 to any -> 192.168.1.2/32
nat on fxp1 from 192.168.3.0/24 to any -> 192.168.2.2/32

# NAT
nat on fxp0 from 192.168.0.0/24 to any -> 192.168.1.2/32
nat on fxp1 from 192.168.0.0/24 to any -> 192.168.2.2/32

pass in log (all) quick on fxp0 \
    reply-to ( fxp0 192.168.1.1 ) \
    inet proto tcp from any to any port 5061 \
    keep state ( floating )

pass in log (all) quick on fxp1 \
    reply-to ( fxp1 192.168.2.1 ) \
    inet proto tcp from any to any port 5061 \
    keep state ( floating )

pass in log (all) quick on fxp0 \
    reply-to ( fxp0 192.168.1.1 ) \
    inet proto tcp from !192.168.0.0/24 to any \
    keep state ( floating )

pass in log (all) quick on fxp1 \
    reply-to ( fxp1 192.168.2.1 ) \
    inet proto tcp from !192.168.0.0/24 to any \
    keep state ( floating )
```

openvpn.conf

```
port 5061
proto tcp
dev tun
mode server
mtu-test
tls-server
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh keys/dh1024.pem

;tls-cipher DHE-RSA-AES256-SHA

server 192.168.3.0 255.255.255.0

push "route 192.168.0.0 255.255.255.0"
#route 192.168.0.0 255.255.255.0
#ifconfig-pool-persist ipp.txt

#client-config-dir ccd

;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

;client-to-client

;duplicate-cn

keepalive 2 8

;tls-auth ta.key 0 # This file is secret

cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

#comp-lzo

max-clients 20

user nobody
group nobody

persist-key
persist-tun


status /var/log/openvpn-status.log
log   /var/log/openvpn.log

verb 3

mute 20
```

If I set a UDP port in the configuration and try to connect through the interface corresponding to the defaultrouter on the server, then everything works, but I need to connect through the other interface. I think the problem arises from the pf configuration, since in some cases OpenVPN works.

Could you help me tune OpenVPN and pf?
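The post's confusion is the "pass in on fxp0 ... pass out on fxp1" pair for the same connection. The following is an added diagnostic (not from the post or from any pf/OpenVPN tool) that parses `tcpdump -n -e -ttt -i pflog0` output and flags flows whose replies left on a different interface than the one the request arrived on; the sample lines are copied from the pflog output above.

```python
import re
from collections import defaultdict

# Sample lines taken from the pflog output in the post above. The first column is
# tcpdump's -ttt delta time (microseconds, or seconds.microseconds).
SAMPLE_PFLOG = """\
000000 rule 0/0(match): pass in on fxp0: 188.123.231.19.13509 > 192.168.1.2.5061: [|tcp]
000018 rule 0/0(match): pass out on fxp1: 192.168.1.2.5061 > 188.123.231.19.13509: [|tcp]
000004 rule 0/0(match): pass out on fxp0: 192.168.1.2.5061 > 188.123.231.19.13509:  tcp 20 [bad hdr length 0 - too short, < 20]
1.473774 rule 2/0(match): pass in on fxp1: 91.197.11.253.58382 > 192.168.2.2.143: [|tcp]
000120 rule 2/0(match): pass out on fxp1: 192.168.2.2.143 > 91.197.11.253.58382: [|tcp]
"""

# One pflog line: delta, rule id, reason, action, direction, interface, src.port > dst.port
LINE_RE = re.compile(
    r"^\S+ rule (?P<rule>\d+/\d+)\((?P<reason>\w+)\): (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<iface>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Yield one dict per parseable pflog line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_asymmetric_flows(text):
    """Map (client_ip, client_port, server_ip, server_port) -> (in_iface, set of out_ifaces)
    for every flow whose replies were passed out on an interface other than in_iface."""
    in_iface = {}
    out_ifaces = defaultdict(set)
    for p in parse_pflog(text):
        if p["dir"] == "in":
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            in_iface.setdefault(key, p["iface"])      # first ingress interface wins
        else:
            # reply direction: swap the 4-tuple back to the client's point of view
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            out_ifaces[key].add(p["iface"])
    return {k: (v, out_ifaces[k]) for k, v in in_iface.items() if out_ifaces[k] - {v}}


if __name__ == "__main__":
    for flow, (inif, outifs) in find_asymmetric_flows(SAMPLE_PFLOG).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: in on {inif}, out on {sorted(outifs)}")
```

Run against a live capture with `tcpdump -n -e -ttt -i pflog0 | python3 this_script.py` after swapping the sample for `sys.stdin.read()`. Note that the ruleset above applies `reply-to` only to `proto tcp`, so UDP to port 5061 matches none of these rules and its replies follow the default route, which is consistent with the UDP behaviour described.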


----------



## Fireball (Mar 12, 2012)

I've added the listen directive to openvpn.conf and it works!


----------

