On Wed, Jun 04, 2008 at 02:08:02PM +1000, Rod Whitworth wrote:
> On Tue, 3 Jun 2008 22:49:10 -0500, Matt Garman wrote:
> >I've been using the "vpnc" program on Linux to connect to my
> >employer's network. The program also exists for OpenBSD, and
> >works great for my needs.
> >
> >I use my OpenBSD (3.9) install as a typical internet gateway,
> >firewall, NAT box. My pf script is virtually identical to the
> >example on the webpage.
> >
> >What I'd like to do is have my OBSD box NAT on the tun device
> >(VPN tunnel). I.e., so I can use the VPN connection seamlessly
> >from any system on my home network.
>
> First thing you need to do is to get up to date with at least 4.3
> installed. Nothing but 4.2 and 4.3 is supported.
I've had the 4.2 CDs sitting on my desk for months now, just haven't
gotten around to installing! I'm hoping that my configuration and
question are simple enough that the version discrepancy won't matter.

> Then you need to realise that nobody here has ESP, so it's a bit
> hard to tell you what to change when your pf.conf is only hinted
> at. There are lots of pf.conf examples on webpages.

Sorry, I meant to post it... it was late, and I was sleepy. It's
virtually identical to the example pf.conf on the OBSD web page
(http://openbsd.org/faq/pf/example1.html). You can see what I
added---lines with the vpn_if and vpn_addr macros, in an attempt to
get the functionality I want.

Thanks again,
Matt

# macros
ext_if="vr0"
int_if="vr1"
vpn_if="tun0"
vpn_addr="192.168.187.0/24"
tcp_services="{ 22, 113 }"
icmp_types="echoreq"

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# scrub
scrub in

# nat/rdr
nat on $vpn_if from $int_if to $vpn_addr -> ($vpn_if)
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# filter rules
block in
pass out keep state
anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state
pass in on $vpn_if inet proto tcp from any to ($vpn_if) \
   port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass quick on $int_if
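The following pf.conf is an added illustration of NAT onto a vpnc tun interface written by the editor; it is not Matt's posted ruleset and not from the OpenBSD FAQ. The one substantive difference from the ruleset above is in the first nat rule: in pf.conf a bare interface name in "from"/"to" expands to the addresses assigned to that interface, so "from $int_if" matches only packets sourced from vr1's own IP, not from the hosts behind it; the ":network" modifier expands to the subnet attached to the interface, which is what LAN clients actually source from. The rest keeps the page's 4.2/4.3-era syntax. It assumes (none of this is stated in the thread) that vpnc has installed a route to 192.168.187.0/24 via tun0, that net.inet.ip.forwarding=1 is set as for any gateway, and that the LAN is 192.168.1.0/24, a constructed value used only in comments.

```pf
# Added illustration, not the poster's pf.conf.
# Assumptions: route to 192.168.187.0/24 via tun0 exists (installed by
# vpnc), net.inet.ip.forwarding=1, and a LAN of 192.168.1.0/24 behind vr1
# (constructed value; adjust to taste).

# macros
ext_if="vr0"
int_if="vr1"
vpn_if="tun0"
vpn_addr="192.168.187.0/24"
tcp_services="{ 22, 113 }"
icmp_types="echoreq"

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# scrub
scrub in

# nat/rdr
# "$int_if" alone expands to vr1's own address(es); "$int_if:network"
# expands to the subnet attached to vr1 (192.168.1.0/24 in this example),
# which is what packets from LAN hosts carry as their source.  The
# parentheses around $vpn_if make pf re-read tun0's address each time,
# which matters because vpnc assigns it at connect time.
nat on $vpn_if from $int_if:network to $vpn_addr -> ($vpn_if)
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# filter rules
block in
pass out keep state
anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }

# services offered by the gateway itself, from the Internet and from the
# VPN side
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state
pass in on $vpn_if inet proto tcp from any to ($vpn_if) \
   port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state

# LAN traffic comes in on vr1 here; after the nat rule rewrites its
# source it leaves on tun0 under "pass out keep state" above.
pass quick on $int_if

# Checking it (run as root):
#   pfctl -nf /etc/pf.conf   parse only, catches syntax errors before loading
#   pfctl -f  /etc/pf.conf   load
#   pfctl -s nat             confirm how the interface macros expanded
#   pfctl -s state           a LAN-to-VPN flow should show the translated
#                            (tun0) source address alongside the original
```

Before loading, "pfctl -nf" parses the file without installing it, and "pfctl -s nat" afterwards shows the rules with the interface names already expanded, which is the quickest way to see whether "from $int_if" turned into a single host address rather than the LAN subnet. Reaching a 192.168.187.x host from a LAN machine and then looking at "pfctl -s state" should show one entry whose translated source is tun0's address.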

