Re: Booting problem of my OpenBSD 5.7 road warrior

2015-08-23 Thread Stefan Sperling
On Sun, Aug 23, 2015 at 03:06:40PM +0800, Zhi-Qiang Lei wrote:
> My road warrior has a PPPoE external connection and a tunnel connection,
> established with OpenVPN, which would encrypt the packets from some special
> devices.
> 
> It works so well so far with the help of these rules in /etc/pf.conf:
> 
> pass in quick on $int_if from $arch to ! route-to $tun_if
> pass in quick on $int_if from $raspbmc to  route-to $tun_if
> pass out quick on $tun_if from any to any nat-to ($tun_if)
> 
> However, every time I reboot the machine, pf fails to load the rules
> because the tunnel is not ready. The tunnel generally would take some minutes
> to establish. Is it possible to defer the loading of pf rules until all
> interfaces are ready? I also tried to parenthesize $tun_if, but it failed due
> to syntax errors.
> 
> pass in quick on $int_if from $arch to ! route-to ($tun_if)
> pass in quick on $int_if from $raspbmc to  route-to ($tun_if)
> pass out quick on $tun_if from any to any nat-to ($tun_if)
> 
> Best regards and thanks,
> Zhi-Qiang Lei

If your local tun_if IP is static, you can set it in /etc/hostname.tun0
and then use persist-local-ip in openvpn's config file. That will allow
your pf rules to load on boot. OpenVPN will use the existing local IP.

If your local tun_if IP is dynamic, you could put an anchor in your
pf rule set:
  anchor "openvpn/*"
and then add rules to this anchor when openvpn comes up (e.g. from openvpn's
up script):
  printf '%s\n' \
      'pass in quick on $int_if from $arch to ! route-to $tun_if' \
      'pass in quick on $int_if from $raspbmc to  route-to $tun_if' \
      'pass out quick on $tun_if from any to any nat-to ($tun_if)' \
    | pfctl -a openvpn/up -f -

Note the use of single quotes to prevent the shell from expanding $int_if etc.
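An added example of the anchor approach, not code from the thread: an OpenVPN up/down script that fills the "openvpn/up" anchor once the tunnel interface exists and flushes it again when the tunnel goes down. One detail the one-liner above glosses over: a ruleset fed to pfctl -a ... -f - is parsed on its own, so it sees none of the macros defined in /etc/pf.conf; the script therefore emits its own macro lines first, built from the interface name OpenVPN hands the script in $dev. The interface name em0, the addresses for $arch and $raspbmc, and the $local_net macro standing in for the destination tables that were lost from the archived rules are all assumptions, not values from the original post.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN up/down script for OpenBSD pf.
#
# /etc/pf.conf needs:          anchor "openvpn/*"
# OpenVPN config needs:        script-security 2
#                              up   /etc/openvpn/pf-anchor.sh
#                              down /etc/openvpn/pf-anchor.sh
#
# OpenVPN exports $dev (e.g. tun0) and $script_type (up/down) to the script.

ANCHOR=openvpn/up

# Assumed values, not from the original post.
INT_IF=em0                 # inside interface
LOCAL_NET=192.168.1.0/24   # stands in for the destination tables lost from the archive
ARCH=192.168.1.10          # the $arch host
RASPBMC=192.168.1.11       # the $raspbmc host

# build_rules TUN_IF: print the ruleset for the anchor.
# Macro definitions come first because an anchor loaded from stdin does not
# inherit /etc/pf.conf's macros. The pass rules stay in single quotes so the
# shell leaves $int_if etc. for pfctl to expand; the rule syntax is the one the
# original post reports working on 5.7.
build_rules() {
    tun_if=$1
    printf '%s\n' \
        "int_if = \"$INT_IF\"" \
        "tun_if = \"$tun_if\"" \
        "local_net = \"$LOCAL_NET\"" \
        "arch = \"$ARCH\"" \
        "raspbmc = \"$RASPBMC\"" \
        'pass in quick on $int_if from $arch to ! $local_net route-to $tun_if' \
        'pass in quick on $int_if from $raspbmc to ! $local_net route-to $tun_if' \
        'pass out quick on $tun_if from any to any nat-to ($tun_if)'
}

# Only touch pf when OpenVPN is actually running us; any other invocation
# (for example sourcing the file to inspect the rules) does nothing.
case "$script_type" in
    up)   build_rules "$dev" | pfctl -a "$ANCHOR" -f - ;;
    down) pfctl -a "$ANCHOR" -F rules ;;
    *)    ;;
esac
```

After the tunnel comes up, `pfctl -a openvpn/up -sr` should list the three pass rules with the macros expanded; if pfctl rejects the text, the anchor is left as it was, so the firewall keeps whatever was loaded at boot rather than ending up half-configured.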



Booting problem of my OpenBSD 5.7 road warrior

2015-08-23 Thread Zhi-Qiang Lei
My road warrior has a PPPoE external connection and a tunnel connection,
established with OpenVPN, which would encrypt the packets from some special
devices.

It works so well so far with the help of these rules in /etc/pf.conf:

pass in quick on $int_if from $arch to ! route-to $tun_if
pass in quick on $int_if from $raspbmc to  route-to $tun_if
pass out quick on $tun_if from any to any nat-to ($tun_if)

However, every time I reboot the machine, pf fails to load the rules
because the tunnel is not ready. The tunnel generally would take some minutes
to establish. Is it possible to defer the loading of pf rules until all
interfaces are ready? I also tried to parenthesize $tun_if, but it failed due
to syntax errors.

pass in quick on $int_if from $arch to ! route-to ($tun_if)
pass in quick on $int_if from $raspbmc to  route-to ($tun_if)
pass out quick on $tun_if from any to any nat-to ($tun_if)

Best regards and thanks,
Zhi-Qiang Lei