From owner-freebsd-questions@freebsd.org Mon Aug 28 03:02:06 2017
Date: Sun, 27 Aug 2017 22:01:57 -0500
From: Edgar Pettijohn
To: Fongaboo
Cc: FreeBSD Mailing List, Ian Smith
Subject: Re: STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)
Message-ID: <20170828030151.GB47551@FreeBSD>
References: <20170827164229.W23641@sola.nimnet.asn.au>
User-Agent: Mutt/1.8.3 (2017-05-23)
List-Id: User questions

On Sun, Aug 27, 2017 at 10:00:28PM -0400, Fongaboo wrote:
> 
> Thanks so much, Ian. I feel like I'm getting closer. But still no luck.
> 
> Would you be up for double-checking my work? rc.conf/pf.conf/openvpn.conf attached...
> 
> Do you think I need to add those new dev statements to the client's OpenVPN config as well?
> 
> Also, sanity check: If I am attempting to browse by IP to http://176.58.123.25 then I can eliminate any problem with the right DNS servers getting pushed.
> 
> Also want to note that my client can browse to http://10.8.0.1 and see my apache server's default index.
> 
> On Sun, 27 Aug 2017, Ultima wrote:
> 
> > From pf.conf:
> > > pass from { lo0, $localnet } to any keep state
> > This rule would probably work if it was in proper order and contained
> > "quick". It should also be in the --- INCOMING --- section.
> > Normally pf will warn when the rules are out of order. lo0 should
> > be removed as it has set skip, and I would change it to pass in.
> > To sum it up:
> > 
> > pf.conf:
> > pass in quick from $localnet to any keep state
> > 
> > Moved to the incoming section.
> > 
> > The main issue is that the bottom default rule "block log all"
> > triumphs over any rule defined above that does not contain the
> > "quick" declaration.
> > 
> > From rc.conf:
> > #gateway_enable="YES"
> > This should be uncommented when you use openvpn with this
> > kind of configuration. I would check sysctl net.inet.ip.forwarding
> > and make sure it is "1" which is essentially what gateway_enable
> > does.
> > 
> > In general I suggest changing a couple other things if you want the
> > system to work after each restart. I find that relying on the
> > :network translation in pf often can break things and is better
> > to be hard coded where possible. It is also better to create the
> > interface in rc.conf and give openvpn the interface instead of
> > letting openvpn take care of all that. This can be done like so:
> > 
> > rc.conf:
> > cloned_interfaces="tun0"
> > ifconfig_tun0="up" # This is probably not needed, but better to be safe.
> > 
> > openvpn.conf:
> > dev tun0 # I don't think this is needed with the below, but I prefer to be thorough
> > dev-type tun
> > dev-node /dev/tun0
> > 
> > > As for this thread in general, it'd be really nice if people would not
> > > re-re-quote long messages
> > 
> > Apologies Ian, it is easy to forget about when gmail truncates the
> > bottom bit.
> > 
> > Hope this helps,
> > Richard Gallamore
> 
> 
> ec2_configinit_enable=YES
> ec2_fetchkey_enable=YES
> ec2_ephemeralswap_enable=YES
> ec2_loghostkey_enable=YES
> firstboot_freebsd_update_enable=YES
> firstboot_pkgs_enable=YES
> growfs_enable="YES"
> ifconfig_DEFAULT="SYNCDHCP"
> sshd_enable="YES"
> firstboot_pkgs_list="awscli"
> 
> hostname="my-server-hostname.domain.tld"
> 
> # OpenVPN Gateway Interfaces
> cloned_interfaces="tun0"
> ifconfig_tun0="up"
> 
> ntpd_enable="YES"
> # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> dumpdev="AUTO"
> 
> #enable inetd for ytalk
> inetd_enable="YES"
> 
> #enable firewall
> #firewall_enable="YES"
> #firewall_script="/usr/local/etc/ipfw.rules"
> #firewall_type="open"
> #firewall_nat_enable="YES"
> 
> #enable pf
> pf_enable="YES"
> pf_rules="/etc/pf.conf"
> pflog_enable="YES"
> pflog_logfile="/var/log/pflog"
> 
> gateway_enable="YES"
> 
> #disable stock FTP
> ftp_enable="NO"
> 
> #enable apache
> apache24_enable="yes"
> 
> #enable mysql
> mysql_enable="yes"
> 
> #enable postfix
> postfix_enable="yes"
> 
> #activate SSHGUARD
> #sshguard_enable="yes"
> 
> #enable WEBMIN
> webmin_enable="YES"
> 
> #allow Proftpd
> #proftpd_enable="yes"
> 
> #enable mailman
> mailman_enable="yes"
> 
> #enable OpenVPN
> openvpn_enable="YES"
> openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
> 
> # ----------------------- simple server pf.conf ----------------------
> # For FreeBSD 9.1
> # j65nko 2011, 2012, 2013
> #
> # If you adapt this ruleset for a resolving caching name server please
> # make sure you don't allow the whole world to use your name server
> # Creating an open resolving name server can allow the bad guys to use your nameserver
> # in a DNS amplification attack
> 
> #macros for network interfaces
> ext_if="xn0"
> int_if="tun0"
> 
> # define NAT gateway routing
> localnet = $int_if:network
> nat on $ext_if from $localnet to any -> ($ext_if)
> 
> 
> icmp_types="echoreq"
> 
> # Custom port for ssh
> SSH_CUSTOM = 22
> 
> scrub in on $ext_if all fragment reassemble
> 
> set skip on lo0
> #set skip on lo1
> 
> antispoof for $ext_if
> 
> # --- EXTERNAL INTERFACE
> # --- INCOMING -------------------------------------------------------------------
> pass in quick from $localnet to any keep state
> 
> # --- TCP
> pass in quick on $ext_if inet proto tcp from my-home-ip to any
> pass in quick on $ext_if inet proto tcp from any to $ext_if port http
> pass in quick on $ext_if inet proto tcp from any to $ext_if port https
> pass in quick on $ext_if inet proto tcp from any to $ext_if port $SSH_CUSTOM
> pass in quick on $ext_if inet proto tcp from any to $ext_if port 1194

Sorry, just noticed your openvpn.conf shows you want proto udp so replace tcp above with udp.

> 
> # --- for authoritative DNS server
> pass in quick on $ext_if inet proto udp from any to $ext_if port domain
> 
> # --- UDP
> # --- for authoritative DNS server
> #pass in quick on $ext_if inet proto udp from any to $ext_if port domain
> 
> # --- ICMP
> pass in quick on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types
> 
> # --- EXTERNAL INTERFACE
> # --- OUTGOING --------------------------------------------------------------------
> 
> anchor TMP
> 
> # --- TCP
> #pass out quick log on $ext_if inet proto tcp from $ext_if to any port smtp
> #pass out quick on $ext_if inet proto tcp from $ext_if to any port domain
> #pass out quick on $ext_if inet proto tcp from $ext_if to any port http
> #pass out quick on $ext_if inet proto tcp from $ext_if to any port https
> #pass out quick on $ext_if inet proto tcp from $ext_if to any port whois
> #pass out quick on $ext_if inet proto tcp from $ext_if to any port $SSH_CUSTOM
> 
> # --- UDP
> #pass out quick on $ext_if inet proto udp from $ext_if to any port domain
> #pass out quick on $ext_if inet proto udp from $ext_if to any port ntp
> 
> # --- ICMP
> pass out quick on $ext_if inet proto icmp from $ext_if to any
> 
> # --- ALLOW ALL OUTBOUND TRAFFIC
> pass out quick on $ext_if inet keep state
> 
> # ------------------------------------------------------
> # --- DEFAULT POLICY
> # ------------------------------------------------------
> block log all
> 
> # ----- end of pf.conf
> 
> #################################################
> # Sample OpenVPN 2.0 config file for            #
> # multi-client server.                          #
> #                                               #
> # This file is for the server side              #
> # of a many-clients <-> one-server              #
> # OpenVPN configuration.                        #
> #                                               #
> # OpenVPN also supports                         #
> # single-machine <-> single-machine             #
> # configurations (See the Examples page         #
> # on the web site for more info).               #
> #                                               #
> # This config should work on Windows            #
> # or Linux/BSD systems. Remember on             #
> # Windows to quote pathnames and use            #
> # double backslashes, e.g.:                     #
> # "C:\\Program Files\\OpenVPN\\config\\foo.key" #
> #                                               #
> # Comments are preceded with '#' or ';'         #
> #################################################
> 
> # Which local IP address should OpenVPN
> # listen on? (optional)
> ;local a.b.c.d
> 
> # Which TCP/UDP port should OpenVPN listen on?
> # If you want to run multiple OpenVPN instances
> # on the same machine, use a different port
> # number for each one. You will need to
> # open up this port on your firewall.
> port 1194
> 
> # TCP or UDP server?
> ;proto tcp
> proto udp
> 
> # "dev tun" will create a routed IP tunnel,
> # "dev tap" will create an ethernet tunnel.
> # Use "dev tap0" if you are ethernet bridging
> # and have precreated a tap0 virtual interface
> # and bridged it with your ethernet interface.
> # If you want to control access policies
> # over the VPN, you must create firewall
> # rules for the TUN/TAP interface.
> # On non-Windows systems, you can give
> # an explicit unit number, such as tun0.
> # On Windows, use "dev-node" for this.
> # On most systems, the VPN will not function
> # unless you partially or fully disable
> # the firewall for the TUN/TAP interface.
> ;dev tap
> dev tun0
> dev-type tun
> dev-node /dev/tun0
> 
> # Windows needs the TAP-Win32 adapter name
> # from the Network Connections panel if you
> # have more than one. On XP SP2 or higher,
> # you may need to selectively disable the
> # Windows firewall for the TAP adapter.
> # Non-Windows systems usually don't need this.
> ;dev-node MyTap
> 
> # SSL/TLS root certificate (ca), certificate
> # (cert), and private key (key). Each client
> # and the server must have their own cert and
> # key file. The server and all clients will
> # use the same ca file.
> #
> # See the "easy-rsa" directory for a series
> # of scripts for generating RSA certificates
> # and private keys. Remember to use
> # a unique Common Name for the server
> # and each of the client certificates.
> #
> # Any X509 key management system can be used.
> # OpenVPN can also use a PKCS #12 formatted key file
> # (see "pkcs12" directive in man page).
> ca ca.crt
> cert my-server-hostname_openvpn-server.crt
> key my-server-hostname_openvpn-server.key # This file should be kept secret
> 
> # Diffie hellman parameters.
> # Generate your own with:
> # openssl dhparam -out dh2048.pem 2048
> dh dh2048.pem
> 
> # Network topology
> # Should be subnet (addressing via IP)
> # unless Windows clients v2.0.9 and lower have to
> # be supported (then net30, i.e. a /30 per client)
> # Defaults to net30 (not recommended)
> ;topology subnet
> 
> # Configure server mode and supply a VPN subnet
> # for OpenVPN to draw client addresses from.
> # The server will take 10.8.0.1 for itself,
> # the rest will be made available to clients.
> # Each client will be able to reach the server
> # on 10.8.0.1. Comment this line out if you are
> # ethernet bridging. See the man page for more info.
> server 10.8.0.0 255.255.255.0
> 
> # Maintain a record of client <-> virtual IP address
> # associations in this file. If OpenVPN goes down or
> # is restarted, reconnecting clients can be assigned
> # the same virtual IP address from the pool that was
> # previously assigned.
> ifconfig-pool-persist ipp.txt
> 
> # Configure server mode for ethernet bridging.
> # You must first use your OS's bridging capability
> # to bridge the TAP interface with the ethernet
> # NIC interface. Then you must manually set the
> # IP/netmask on the bridge interface, here we
> # assume 10.8.0.4/255.255.255.0. Finally we
> # must set aside an IP range in this subnet
> # (start=10.8.0.50 end=10.8.0.100) to allocate
> # to connecting clients. Leave this line commented
> # out unless you are ethernet bridging.
> ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
> 
> # Configure server mode for ethernet bridging
> # using a DHCP-proxy, where clients talk
> # to the OpenVPN server-side DHCP server
> # to receive their IP address allocation
> # and DNS server addresses. You must first use
> # your OS's bridging capability to bridge the TAP
> # interface with the ethernet NIC interface.
> # Note: this mode only works on clients (such as
> # Windows), where the client-side TAP adapter is
> # bound to a DHCP client.
> ;server-bridge
> 
> # Push routes to the client to allow it
> # to reach other private subnets behind
> # the server. Remember that these
> # private subnets will also need
> # to know to route the OpenVPN client
> # address pool (10.8.0.0/255.255.255.0)
> # back to the OpenVPN server.
> ;push "route 192.168.10.0 255.255.255.0"
> ;push "route 192.168.20.0 255.255.255.0"
> 
> # To assign specific IP addresses to specific
> # clients or if a connecting client has a private
> # subnet behind it that should also have VPN access,
> # use the subdirectory "ccd" for client-specific
> # configuration files (see man page for more info).
> 
> # EXAMPLE: Suppose the client
> # having the certificate common name "Thelonious"
> # also has a small subnet behind his connecting
> # machine, such as 192.168.40.128/255.255.255.248.
> # First, uncomment out these lines:
> ;client-config-dir ccd
> ;route 192.168.40.128 255.255.255.248
> # Then create a file ccd/Thelonious with this line:
> # iroute 192.168.40.128 255.255.255.248
> # This will allow Thelonious' private subnet to
> # access the VPN. This example will only work
> # if you are routing, not bridging, i.e. you are
> # using "dev tun" and "server" directives.
> 
> # EXAMPLE: Suppose you want to give
> # Thelonious a fixed VPN IP address of 10.9.0.1.
> # First uncomment out these lines:
> ;client-config-dir ccd
> ;route 10.9.0.0 255.255.255.252
> # Then add this line to ccd/Thelonious:
> # ifconfig-push 10.9.0.1 10.9.0.2
> 
> # Suppose that you want to enable different
> # firewall access policies for different groups
> # of clients. There are two methods:
> # (1) Run multiple OpenVPN daemons, one for each
> # group, and firewall the TUN/TAP interface
> # for each group/daemon appropriately.
> # (2) (Advanced) Create a script to dynamically
> # modify the firewall in response to access
> # from different clients. See man
> # page for more info on learn-address script.
> ;learn-address ./script
> 
> # If enabled, this directive will configure
> # all clients to redirect their default
> # network gateway through the VPN, causing
> # all IP traffic such as web browsing and
> # DNS lookups to go through the VPN
> # (The OpenVPN server machine may need to NAT
> # or bridge the TUN/TAP interface to the internet
> # in order for this to work properly).
> push "redirect-gateway def1 bypass-dhcp"
> 
> # Certain Windows-specific network settings
> # can be pushed to clients, such as DNS
> # or WINS server addresses. CAVEAT:
> # http://openvpn.net/faq.html#dhcpcaveats
> # The addresses below refer to the public
> # DNS servers provided by opendns.com.
> push "dhcp-option DNS my-dns-server-ip"
> push "dhcp-option DNS 208.67.222.222"
> ;push "dhcp-option DNS 208.67.222.222"
> ;push "dhcp-option DNS 208.67.220.220"
> 
> # Uncomment this directive to allow different
> # clients to be able to "see" each other.
> # By default, clients will only see the server.
> # To force clients to only see the server, you
> # will also need to appropriately firewall the
> # server's TUN/TAP interface.
> ;client-to-client
> 
> # Uncomment this directive if multiple clients
> # might connect with the same certificate/key
> # files or common names. This is recommended
> # only for testing purposes. For production use,
> # each client should have its own certificate/key
> # pair.
> #
> # IF YOU HAVE NOT GENERATED INDIVIDUAL
> # CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
> # EACH HAVING ITS OWN UNIQUE "COMMON NAME",
> # UNCOMMENT THIS LINE OUT.
> ;duplicate-cn
> 
> # The keepalive directive causes ping-like
> # messages to be sent back and forth over
> # the link so that each side knows when
> # the other side has gone down.
> # Ping every 10 seconds, assume that remote
> # peer is down if no ping received during
> # a 120 second time period.
> keepalive 10 120
> 
> # For extra security beyond that provided
> # by SSL/TLS, create an "HMAC firewall"
> # to help block DoS attacks and UDP port flooding.
> #
> # Generate with:
> # openvpn --genkey --secret ta.key
> #
> # The server and each client must have
> # a copy of this key.
> # The second parameter should be '0'
> # on the server and '1' on the clients.
> ;tls-auth ta.key 0 # This file is secret
> 
> # Select a cryptographic cipher.
> # This config item must be copied to
> # the client config file as well.
> ;cipher BF-CBC # Blowfish (default)
> ;cipher AES-128-CBC # AES
> ;cipher DES-EDE3-CBC # Triple-DES
> 
> # Enable compression on the VPN link.
> # If you enable it here, you must also
> # enable it in the client config file.
> ;comp-lzo
> 
> # The maximum number of concurrently connected
> # clients we want to allow.
> ;max-clients 100
> 
> # It's a good idea to reduce the OpenVPN
> # daemon's privileges after initialization.
> #
> # You can uncomment this out on
> # non-Windows systems.
> ;user nobody
> ;group nobody
> 
> # The persist options will try to avoid
> # accessing certain resources on restart
> # that may no longer be accessible because
> # of the privilege downgrade.
> persist-key
> persist-tun
> 
> # Output a short status file showing
> # current connections, truncated
> # and rewritten every minute.
> status openvpn-status.log
> 
> # By default, log messages will go to the syslog (or
> # on Windows, if running as a service, they will go to
> # the "\Program Files\OpenVPN\log" directory).
> # Use log or log-append to override this default.
> # "log" will truncate the log file on OpenVPN startup,
> # while "log-append" will append to it. Use one
> # or the other (but not both).
> ;log openvpn.log
> ;log-append openvpn.log
> 
> # Set the appropriate level of log
> # file verbosity.
> #
> # 0 is silent, except for fatal errors
> # 4 is reasonable for general usage
> # 5 and 6 can help to debug connection problems
> # 9 is extremely verbose
> verb 3
> 
> # Silence repeating messages. At most 20
> # sequential messages of the same message
> # category will be output to the log.
> ;mute 20
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
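The rule-ordering point Richard makes in the quoted reply (a `pass` rule without `quick` is overridden by the trailing `block log all`, because in pf the last matching rule wins unless an earlier match says `quick`) is easy to check mechanically before loading a ruleset. What follows is an added example, not part of this thread and not a pf or FreeBSD tool: a POSIX shell function that scans a pf.conf for non-quick `pass` rules sitting above a catch-all `block ... all` rule, run against two constructed rulesets modelled on the poster's file. The names `pf_quick_lint`, `lint_report`, `BEFORE` and `AFTER` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): a small lint for the pitfall described
# above. pf evaluates rules top to bottom and the LAST matching rule wins
# unless an earlier matching rule says "quick"; so a "pass" without "quick"
# that sits above a catch-all "block ... all" is silently overridden by it.
#
# pf_quick_lint [FILE]  reads a pf.conf (stdin if no FILE) and prints every
# non-quick pass rule that a later catch-all block rule would override.
# Exit status: 0 = nothing shadowed, 1 = at least one shadowed rule.
pf_quick_lint() {
    awk '
        { sub(/#.*/, ""); sub(/[ \t]+$/, "") }          # drop comments and trailing blanks
        /^[ \t]*$/ { next }                              # skip empty lines
        # a pass rule with no standalone "quick" keyword anywhere in it
        /^[ \t]*pass([ \t]|$)/ && !/[ \t]quick([ \t]|$)/ { at[++n] = NR; rule[n] = $0 }
        # a catch-all block rule: "block all", "block log all", "block drop log all"
        /^[ \t]*block([ \t].*)?[ \t]all$/ { lastblock = NR }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                if (lastblock && at[i] < lastblock) {
                    printf "line %d: shadowed by block on line %d: %s\n", at[i], lastblock, rule[i]
                    bad = 1
                }
            exit bad
        }
    ' "$@"
}

# Constructed sample rulesets, modelled on the pf.conf in the thread (not the poster's file).
# BEFORE has the original non-quick pass rule; block log all at the bottom wins over it.
BEFORE='ext_if="xn0"
int_if="tun0"
localnet = $int_if:network
set skip on lo0
pass from { lo0, $localnet } to any keep state
pass in quick on $ext_if inet proto tcp from any to $ext_if port http
pass out quick on $ext_if inet keep state
block log all'

# AFTER applies the suggested fix: "pass in quick" in the incoming section.
AFTER='ext_if="xn0"
int_if="tun0"
localnet = $int_if:network
set skip on lo0
pass in quick from $localnet to any keep state
pass in quick on $ext_if inet proto tcp from any to $ext_if port http
pass out quick on $ext_if inet keep state
block log all'

# lint_report LABEL RULESET  runs the lint and prints a verdict, never failing the script.
lint_report() {
    printf '== %s ==\n' "$1"
    if printf '%s\n' "$2" | pf_quick_lint; then
        echo "ok: no non-quick pass rule is shadowed by a catch-all block"
    else
        echo "problem: the rules listed above never take effect; add quick to them"
    fi
}

lint_report before "$BEFORE"
lint_report after "$AFTER"
```

The lint only understands the literal `block ... all` catch-all and rules written directly in the file; rules pulled in through anchors, or a macro that expands to `pass`, are not seen. It is a pre-flight aid, not a substitute for `pfctl -nf /etc/pf.conf` (parse without loading) and a look at `pfctl -sr` after loading, which show the ruleset exactly as pf evaluates it.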