From owner-freebsd-questions@FreeBSD.ORG Tue Jan 20 12:18:36 2015
Subject: Re: A way to load PF rules at startup using OpenVPN
From: Panagiotis Atmatzidis
Date: Tue, 20 Jan 2015 14:18:28 +0200
To: FreeBSD Questions
Cc: Maciej Suszko
References: <20150120101144.735f0b67@helium>

Hello,

Thanks for the replies

> On 20 Jan 2015, at 11:16, krad wrote:
>
> put this in your rc conf it may help
>
> cloned_interfaces="tun0"

That didn't work either. Although the interface was created, still 'pf' was not able to start when I just created tun0 without starting OpenVPN.

I'm not sure if this problem can be reproduced elsewhere. I never had such issues with Linux iptables for example, and googling around for 2 days I didn't find anyone else having the same issue on any system, which is weird, because I'm sure that there are many *BSD + OpenVPN deployments.

> that will create the interface early on way before openvpn is spawned. You
> may need to force openvpn to use tun0 as it might try to create tun1
>
> On 20 January 2015 at 09:11, Maciej Suszko wrote:
>
>> On Mon, 19 Jan 2015 18:53:40 +0200
>> Panagiotis Atmatzidis wrote:
>>
>> [...]
>>
>>> I think that this has something to do with 'tun0' interface which is
>>> the last thing that is loaded at boot. Probably PF runs before this,
>>> sees rules that it doesn't understand (related to tun0) and comes up
>>> short, then tun0 is loaded but it's too late.
>>
>> That's simple to test, just destroy your tun device and check the
>> output of:
>>
>> # pfctl -nvf /etc/pf.conf
>> --
>> regards, Maciej Suszko.
>>

I resolved the issue by creating a devd conf file:

$ cat /etc/devd/tun.conf
# Run PF when tun0 is up
notify 0 {
    match "system"    "IFNET";
    match "subsystem" "tun0";
    match "type"      "LINK_UP";
    action "/etc/rc.d/pf start";
};

This file makes sure 'pf' is executed right after the 'tun0' interface is UP, which happens at boot anyway since openvpn is started by 'rc.conf'. You need to have 'pf' enabled in 'rc.conf' of course.

It works fine now on every reboot :-)

Thanks guys!

ps. A nice fella on #freeBSD@Freenode w/ nickname 'frogs' helped me with devd debugging.

Panagiotis (atmosx) Atmatzidis

email: atma@convalesco.org
URL: http://www.convalesco.org
GnuPG ID: 0x1A7BFEC5
gpg --keyserver pgp.mit.edu --recv-keys 1A7BFEC5

"As you set out for Ithaca, hope the voyage is a long one, full of adventure, full of discovery [...]" - C. P. Cavafy
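The failure described in this thread is pf refusing to load a ruleset that names an interface (tun0) which does not exist yet when /etc/rc.d/pf runs at boot. The following POSIX sh script is an added example, not code from the thread or from FreeBSD: it reproduces the interface-existence part of the 'pfctl -nvf /etc/pf.conf' check Maciej suggests, by listing the interfaces a pf.conf refers to (tokens after "on" and "(ifname)" address macros; "$macro" references are skipped) and reporting the ones absent from a given interface list. The sample pf.conf is constructed for the example; on a real FreeBSD host you would pass /etc/pf.conf and the output of 'ifconfig -l', and still run 'pfctl -nvf' as the authoritative syntax check.

```shell
#!/bin/sh
# Added example: find interfaces that a pf.conf references but that are not
# currently present. Assumes a plain-text pf.conf; the checks are deliberately
# simple (no "{ a b }" interface lists, no interface groups).

# referenced_ifaces <pf.conf>
#   prints interface names used after "on" or inside "(ifname)", sorted, unique
referenced_ifaces() {
    sed -e 's/#.*$//' "$1" |
    awk '{
        # token after "on", unless it is a $macro, a negation or a { list }
        for (i = 1; i < NF; i++)
            if ($i == "on" && $(i+1) !~ /^[${!]/) print $(i+1)
        # "(tun0)" style address macros
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\([a-z]+[0-9]+\)$/) print $i
    }' |
    tr -d '()' | sort -u
}

# missing_ifaces <pf.conf> "<space-separated list of existing interfaces>"
#   prints referenced interfaces that are not in the list; returns 1 if any
missing_ifaces() {
    conf=$1
    present=" $2 "
    rc=0
    for ifn in $(referenced_ifaces "$conf"); do
        case "$present" in
            *" $ifn "*) ;;
            *) echo "$ifn"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample pf.conf (not the poster's real ruleset).
SAMPLE_PF_CONF=$(mktemp)
cat > "$SAMPLE_PF_CONF" <<'EOF'
# constructed sample for the example
ext_if = "em0"
set skip on lo0
scrub in all
nat on $ext_if from (tun0) to any -> ($ext_if)
pass in on tun0 proto tcp to port 22
pass out on em0 all
EOF

# Demonstration: the state early at boot, before OpenVPN has created tun0.
# On a live FreeBSD host use:  missing_ifaces /etc/pf.conf "$(ifconfig -l)"
if missing=$(missing_ifaces "$SAMPLE_PF_CONF" "lo0 em0"); then
    echo "all referenced interfaces exist; pfctl -nvf should parse cleanly"
else
    echo "pf.conf references interfaces that do not exist yet: $missing"
fi
```

Running the demonstration prints that tun0 is missing, which is exactly the situation the devd rule above avoids by deferring /etc/rc.d/pf start until tun0 reports LINK_UP; once "tun0" is included in the interface list the check passes.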