Dear All, I am still working on an OpenVPN gateway for my Lab. As of now I have everything fully functional and I am now trying to tidy up the PF rules.
My network topology roughly looks like this:

    Internet (128.xxx)           OpenVPN clients (VPN network 10.8.0.xxx)
          |                      Also public 128.xxx addresses
          |                                   |
          ------------------------------------
                           |
              ext_if/tun0 (128.0.0.1/10.8.0.1)
                           |
              Firewall/VPN Gateway (OpenBSD 5.4)
                           |
                 int_if (192.168.2.1)
                           |
          ----- Switch --- DNS/LDAP/FileServer (192.168.2.32/8)
            |      |
            |      ------------- other desktops (192.168.2.64/8)
            |
     SSH Gateway (192.168.2.200)      HPC machines on (192.168.2.128/8)

Following the PF FAQ, Peter's book on PF and Absolute OpenBSD 2nd edition, I had no trouble writing rules which filter traffic on ext_if as well as int_if. Clients behind the firewall can access selected internet services (ssh, SMTP, www). A random machine which tries to reach my internal network via SSH gets redirected to the SSH gateway machine.

Since I have no experience managing OpenVPNs, I have questions about the VPN network (10.8.0.xxx):

1. Right now I pass UDP packets on ext_if port 1194 to allow VPN clients to connect to the server. Is that correct? Is there a more restrictive way of doing this?

2. I would like to filter traffic coming from and going to 10.8.0.xxx. Do I write separate rules for the tun0 interface?

3. Do I use rdr to allow OpenVPN clients from the VPN network 10.8.0.xxx to reach my internal network (192.168.2.xxx)? I would like VPN clients to have the same access to my HPC clusters, DNS etc. as my desktops behind PF.

Thank you so much for your help.

Predrag
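The ruleset below is an added example that walks through the three questions in the post; it is not Predrag's pf.conf and did not come from the thread. It uses the OpenBSD 5.x syntax (match ... nat-to, pass ... rdr-to). The interface names ext_if, int_if and tun0, the 10.8.0.x VPN network, the 192.168.2.x internal network and the SSH gateway at 192.168.2.200 are taken from the post; the physical interface names em0/em1, the /24 masks, the vpn_clients table and the choice of which internal services to open are assumptions made for illustration.

```pf
# Added example pf.conf for the gateway described in the post.
# Values marked "assumption" are not in the original message.

ext_if  = "em0"            # assumption: the public 128.x.x.x interface
int_if  = "em1"            # assumption: the 192.168.2.1 interface
vpn_if  = "tun0"           # OpenVPN server side, 10.8.0.1

int_net = "192.168.2.0/24" # assumption: /24 for the internal network
vpn_net = "10.8.0.0/24"    # assumption: /24 for the VPN network
ssh_gw  = "192.168.2.200"

set skip on lo

# Default deny; every "pass" below is an explicit exception.
block log all

# (1) OpenVPN itself: accept only UDP to the server port on the public
#     interface. State is kept by default, so replies need no extra rule.
pass in quick on $ext_if inet proto udp to ($ext_if) port 1194

# Tighter variant of (1) if the client source networks are known
# (assumption: clients come from 128.0.0.0/8):
# table <vpn_clients> { 128.0.0.0/8 }
# pass in quick on $ext_if inet proto udp from <vpn_clients> \
#     to ($ext_if) port 1194

# Random Internet hosts trying SSH are sent to the SSH gateway.
pass in quick on $ext_if inet proto tcp to ($ext_if) port 22 rdr-to $ssh_gw

# LAN clients may reach selected Internet services; NAT them on the way out.
pass in on $int_if inet proto tcp from $int_net to any port { 22 25 80 443 }
match out on $ext_if inet from $int_net nat-to ($ext_if)

# (2) VPN traffic is filtered with ordinary rules on tun0: "in on tun0" is
#     what clients send, "out on tun0" is what reaches them.
# (3) No rdr is needed: OpenVPN pushes a route for $int_net to the clients,
#     the gateway forwards between tun0 and int_if, and PF only has to pass
#     the packets. Internal hosts answer via their default gateway, so the
#     state created here covers the return path.
pass in on $vpn_if inet from $vpn_net to $int_net

# Anything leaving the firewall towards the LAN, the Internet or the VPN
# is allowed; what gets in is decided by the "pass in" rules above.
pass out on { $int_if $ext_if $vpn_if } inet
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. For (3) to work the gateway also needs `net.inet.ip.forwarding=1` in sysctl.conf, and the OpenVPN server config needs `push "route 192.168.2.0 255.255.255.0"` so that clients route the internal network through the tunnel.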