Dear All,
I am still working on an OpenVPN gateway for my lab. As of now I have
everything fully functional and I am now trying to tidy up the PF rules.
My network topology roughly looks like this:
Internet (128.xxx) OpenVPN clients (VPN network 10.8.0.xxx)
| Also Public 128.xxx addresses
| |
| |
------------------------------
|
ext_if/tun0 (128.0.0.1/10.8.0.1)
|
Firewall/VPN Gateway (OpenBSD 5.4)
|
|
int_if (192.168.2.1)
|
----- Switch --- DNS/LDAP/FileServer (192.168.2.32/8)
| |
| |
| ------------- other desktops (192.168.2.64/8)
| |
SSH Gateway (192.168.2.200) HPC machines on (192.168.2.128/8)
Following the PF FAQ, Peter's book on PF and Absolute OpenBSD 2nd edition, I
had no trouble writing rules which filter traffic on ext_if as well as
int_if. Clients behind the firewall can access selected internet services
(ssh, SMTP, www). A random machine which tries to reach my internal
network via SSH gets redirected to the SSH gateway machine.
Since I have no experience managing OpenVPN, I have questions about the
VPN network (10.8.0.xxx).
1. Right now I pass UDP packets on ext_if port 1194 to allow VPN clients
to connect to the server. Is that correct? Is there a more restrictive way
of doing this?
2. I would like to filter traffic coming and going from 10.8.0.xxx.
Do I write separate rules for tun0 interface?
3. Do I use rdr to allow OpenVPN clients from VPN network 10.8.0.xxx
to reach my internal network (192.168.2.xxx)? I would like VPN clients
to have the same access to my HPC clusters, DNS etc. as my desktops
behind PF.
Thank you so much for your help.
Predrag
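The following pf.conf sketch is an added example and is not part of Predrag's mail. It puts the three questions above into OpenBSD 5.4 PF syntax: the UDP 1194 pass limited to the gateway's own external address, a default-deny on tun0 with explicit allows for the VPN subnet, and the SSH redirect already described. The interface names em0/em1, the /24 prefixes, and the service ports (ssh, DNS, LDAP) are assumptions; the mail only names ext_if, int_if, tun0 and the 10.8.0.x and 192.168.2.x ranges.

```pf
# Added example (not from the original mail). Interface names and the /24
# prefixes below are assumptions; the mail gives only ext_if, int_if, tun0.
ext_if  = "em0"
int_if  = "em1"
vpn_if  = "tun0"
int_net = "192.168.2.0/24"
vpn_net = "10.8.0.0/24"
ssh_gw  = "192.168.2.200"

set skip on lo

block log all

# (1) OpenVPN itself: only UDP 1194, only to the gateway's own external
#     address. State tracking covers the replies; nothing else on ext_if
#     is opened for the VPN.
pass in quick on $ext_if inet proto udp from any to ($ext_if) port 1194

# Existing behaviour from the mail: SSH arriving on ext_if is redirected
# to the SSH gateway host (post-4.7 syntax: rdr-to on the pass rule).
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 rdr-to $ssh_gw

# (2) Decrypted tunnel traffic appears on tun0, not ext_if, so it gets its
#     own rules. Start from deny and allow only the services VPN clients
#     should reach (assumed set: ssh, DNS, LDAP/LDAPS, ping).
block in log on $vpn_if
pass in on $vpn_if inet proto { tcp udp } from $vpn_net to $int_net \
    port { 22 53 389 636 }
pass in on $vpn_if inet proto icmp from $vpn_net to $int_net

# (3) No rdr is needed: the gateway simply routes 10.8.0.0/24 to
#     192.168.2.0/24 (net.inet.ip.forwarding=1). Only if internal hosts
#     had no route back to 10.8.0.0/24 would you NAT the VPN clients:
# match out on $int_if from $vpn_net to $int_net nat-to ($int_if)
pass out on $int_if from $vpn_net to $int_net

# Gateway's own outbound traffic and the desktops' selected services.
pass out on $ext_if inet proto { tcp udp icmp } from ($ext_if)
pass in on $int_if inet proto tcp from $int_net to any port { 22 25 80 443 }
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` while a VPN client connects: blocked packets show up on tun0, which confirms that tunnel traffic is being matched by the tun0 rules rather than the ext_if rules.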