Hi All
I'm a Linux user making the switch to FreeBSD,
got everything set up except for one last thing.
I'm trying to set up a split route with OpenVPN and the pf firewall.
I did read the FreeBSD manual and a couple of books about pf and googled before posting.
I have Linux up and down scripts for OpenVPN to create a split route,
so I'm just trying to work out the equivalent FreeBSD commands.
* first I create a routing table called tunnel on Linux with this command
echo "200 tunnel" | sudo tee -a /etc/iproute2/rt_tables   # the redirection must run as root too, so tee -a instead of sudo echo >>
* I think this would be the equivalent FreeBSD command to create a routing table called tunnel
sudo pfctl -t tunnel
I start OpenVPN with the following command with up and down scripts
sudo openvpn --auth-nocache --route-nopull --script-security 2 --up /home/username/bin/openvpn-up --down /home/username/bin/openvpn-down --config openvpn.ovpn
* OpenVPN Linux up script
Code:
#!/usr/bin/env bash
# openvpn-up.sh
# create vpn route; OpenVPN exports ifconfig_local, ifconfig_remote and dev to this script
set -e
# policy rule: packets sourced from the tunnel address are looked up in table "tunnel"
ip rule add from "$ifconfig_local" table tunnel
# default route of that table goes via the VPN peer
ip route add table tunnel default via "$ifconfig_remote"
# host route to the peer itself over the tun device
ip route add table tunnel "$ifconfig_remote" via "$ifconfig_local" dev "$dev"
* OpenVPN Linux down script
Code:
#!/usr/bin/env bash
# openvpn-down
# delete vpn route: drop the policy rule first, then empty the table
set -e
ip rule delete from "$ifconfig_local" table tunnel
ip route flush table tunnel
* pf config
Code:
# network interface
int_if="{ bge0 }" # thunderbolt to ethernet adaptor
vpn_if="tun0" # vpn interface
# local network
localnet="$int_if:network"
# bogon networks
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
203.0.113.0/24 }
# Macros to define the set of TCP and UDP ports to open.
# Add additional ports or ranges separated by commas.
# 6881, 6882 = rtorrent. 22000, 21025 = syncthing
tcp_services = "{ ntp, 6881, 22000 }"
udp_services = "{ ntp, 6882, 21025 }"
# If you block all ICMP requests you will break things like path MTU
# discovery. These macros define allowed ICMP types.
icmp_types = "{ echoreq, unreach }"
# Modulate the initial sequence number of TCP packets.
# Broken operating systems sometimes don't randomize this number,
# making it guessable.
tcp_state="flags S/SA keep state"
udp_state="keep state"
# Don't send rejections. Just drop.
set block-policy drop
set fingerprints "/etc/pf.os"
# dont block localhost
# (pf.conf requires options before scrub and filter rules, so this belongs here, not after the rules)
set skip on lo0
# scrub packets
scrub in all fragment reassemble no-df max-mss 1440
# block ipv6
block return out quick inet6 all
block in quick inet6 all
# block bogon networks
# note: <martians> also contains 10/8, 172.16/12 and 192.168/16, so an RFC 1918 LAN on $int_if is blocked inbound by these rules too
block in quick from { no-route urpf-failed } to any
block in quick from <martians> to any
block return out quick from any to <martians>
block in all
# antispoof
antispoof quick for lo0
antispoof quick for $int_if
antispoof quick for $vpn_if
# allow ICMP
pass inet proto icmp all icmp-type $icmp_types keep state
# allow out bound traffic
pass out quick modulate state
# Allow the services defined in the macros at the top of the file
pass inet proto tcp from any to any port $tcp_services $tcp_state
pass inet proto udp from any to any port $udp_services $udp_state
# emerging threats - anchor
anchor "emerging-threats"
load anchor "emerging-threats" from "/etc/pf.anchors/emerging-threats"
# openvpn - anchor - maybe needed
#anchor "openvpn"
#load anchor "openvpn" from "/etc/pf.anchors/openvpn"
If anyone has the time to help a BSD noob make the switch from Linux,
I just need a nudge in the right direction trying to figure out how to create up and down scripts for OpenVPN
to create a split tunnel.
Any tips or feedback on pf.conf welcome.
Quick note on my set up:
MacBook 11 inch 2011, EFI boot with full disk encryption,
running FreeBSD 11 with the i3wm window manager, unbound DNS adblocking and pf with emerging threats.
Sorry in advance for any BSD or forum noob errors.
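A FreeBSD counterpart of the two Linux scripts, added here as an example that is not from the original post: instead of an iproute2 table and `ip rule`, it uses a second FIB (FreeBSD's multiple routing tables) and `setfib`. It assumes `net.fibs=2` in /boot/loader.conf and the default `net.add_addr_allfibs=1`; the names TUNNEL_FIB and DRY_RUN are chosen for this example.

```sh
#!/bin/sh
# FreeBSD up/down script for OpenVPN: the second routing table ("FIB")
# plays the role of the Linux "tunnel" table. FIB 0 keeps the normal
# default route, so the VPN session itself and ordinary traffic are
# unaffected; anything started with  setfib 1 <program>  goes through
# the tunnel instead.
#
# Assumptions (example code, not from the post): /boot/loader.conf has
# net.fibs=2, and net.add_addr_allfibs stays at its default of 1 so the
# tun0 point-to-point route exists in FIB 1 without extra work. OpenVPN
# exports ifconfig_remote and script_type to --up/--down scripts, which
# lets one file serve both roles. TUNNEL_FIB and DRY_RUN are names
# chosen here.

TUNNEL_FIB="${TUNNEL_FIB:-1}"

# run: execute a command, or only print it when DRY_RUN is set, so the
# route changes can be reviewed before the script runs as root.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# tunnel_up FIB REMOTE: point FIB's default route at the VPN peer.
tunnel_up() {
    fib=$1; remote=$2
    # never touch FIB 0: that is the table the VPN connection lives in
    [ "$fib" -ge 1 ] 2>/dev/null || { echo "tunnel_up: refusing FIB '$fib'" >&2; return 1; }
    run setfib "$fib" route -n add default "$remote"
}

# tunnel_down FIB: remove that default route again.
tunnel_down() {
    fib=$1
    [ "$fib" -ge 1 ] 2>/dev/null || { echo "tunnel_down: refusing FIB '$fib'" >&2; return 1; }
    run setfib "$fib" route -n delete default
}

# Dispatch only when OpenVPN calls us (script_type is "up" or "down");
# sourcing or running the file by hand changes nothing.
case "${script_type:-}" in
    up)   tunnel_up   "$TUNNEL_FIB" "$ifconfig_remote" ;;
    down) tunnel_down "$TUNNEL_FIB" ;;
esac
```

Start OpenVPN with the command from the post but point both --up and --down at this file; `setfib 1 netstat -rn` then shows the tunnel table and `setfib 1 firefox` runs a program through it.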