On Sun, Aug 23, 2015 at 03:06:40PM +0800, Zhi-Qiang Lei wrote:
> My road warrior has a PPPoE external connection and a tunnel connection,
> established with OpenVPN, which would encrypt the packets from some special
> devices.
>
> It has worked well so far with the help of these rules in /etc/pf.conf:
>
> pass in quick on $int_if from $arch to !<internal_addresses> route-to $tun_if
> pass in quick on $int_if from $raspbmc to <external_addresses> route-to $tun_if
> pass out quick on $tun_if from any to any nat-to ($tun_if)
>
> However, every time I reboot the machine, pf fails to load the rules
> because the tunnel is not ready. The tunnel generally takes some minutes
> to establish. Is it possible to defer the loading of pf rules until all
> interfaces are ready? I also tried to parenthesize $tun_if, but it failed due
> to syntax errors.
>
> pass in quick on $int_if from $arch to !<internal_addresses> route-to ($tun_if)
> pass in quick on $int_if from $raspbmc to <external_addresses> route-to ($tun_if)
> pass out quick on $tun_if from any to any nat-to ($tun_if)
>
> Best regards and thanks,
> Zhi-Qiang Lei
If your local tun_if IP is static, you can set it in /etc/hostname.tun0 and then use persist-local-ip in openvpn's config file. That will allow your pf rules to load on boot. OpenVPN will use the existing local IP.

If your local tun_if IP is dynamic, you could put an anchor in your pf rule set:

anchor "openvpn/*"

and then add rules to this anchor when openvpn comes up (e.g. from openvpn's up script):

printf 'pass in quick on $int_if from $arch to !<internal_addresses> route-to $tun_if\npass in quick on $int_if from $raspbmc to <external_addresses> route-to $tun_if\npass out quick on $tun_if from any to any nat-to ($tun_if)\n' | pfctl -a openvpn/up -f -

Note the use of single quotes to prevent the shell from expanding $int_if etc.
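The anchor approach above, worked into a complete OpenVPN up/down hook, as an added example that is not part of the thread and not the reply author's script. It assumes the placeholder interface em0 and constructed LAN addresses for $arch and $raspbmc, and that the tables <internal_addresses> and <external_addresses> are defined in /etc/pf.conf (table definitions are visible to anchors, but macros are not, so the hook defines the macros in the rule text it feeds to pfctl). OpenVPN passes the tunnel device name as the first argument and sets script_type to "up" or "down"; on "down" the anchor is flushed so no rule references a vanished interface.

```sh
#!/bin/sh
# Added example: OpenVPN hook that loads the road-warrior rules into the
# "openvpn/up" anchor once the tunnel interface exists, and flushes them
# when it goes away. Requires "anchor \"openvpn/*\"" in /etc/pf.conf and
# script-security 2 in the OpenVPN config so the hook may run.
# Interface name and host addresses below are assumed placeholders.

ANCHOR="openvpn/up"
INT_IF="em0"            # assumed LAN interface, not from the original mail
ARCH="192.0.2.10"       # constructed sample address for $arch
RASPBMC="192.0.2.11"    # constructed sample address for $raspbmc

# Emit the anchor rule set for the tunnel device given as $1.
# Macros are defined inline because pfctl does not inherit the main
# ruleset's macros when loading an anchor. Each rule stays on one line:
# pf.conf does not allow a bare newline inside a rule.
build_rules() {
    cat <<EOF
int_if = "$INT_IF"
arch = "$ARCH"
raspbmc = "$RASPBMC"
tun_if = "$1"
pass in quick on \$int_if from \$arch to !<internal_addresses> route-to \$tun_if
pass in quick on \$int_if from \$raspbmc to <external_addresses> route-to \$tun_if
pass out quick on \$tun_if from any to any nat-to (\$tun_if)
EOF
}

# Load the rules into the anchor; pfctl reads the rule set from stdin.
load_rules() {
    build_rules "$1" | pfctl -a "$ANCHOR" -f -
}

# Remove the anchor's rules when the tunnel is torn down.
flush_rules() {
    pfctl -a "$ANCHOR" -F rules
}

# OpenVPN sets script_type and passes the tun device as $1. When sourced
# or run outside OpenVPN, script_type is unset and nothing is loaded.
case "${script_type:-}" in
    up)   load_rules "$1" ;;
    down) flush_rules ;;
esac
```

Point OpenVPN at the script with "up /etc/openvpn/pf-anchor.sh" and "down /etc/openvpn/pf-anchor.sh" (path assumed); "pfctl -a openvpn/up -sr" then shows the loaded rules while the tunnel is up.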