
openbsd npppd pppx0 VPN Client can access wan but cannot access lan

I'm running OpenBSD 5.8 with npppd and mpath, and have tried the same on 5.7 and 5.3. npppd works fine and clients can connect using the Windows PPTP client. Clients have the PPTP connection set as default gateway and can access the internet through the VPN gateway, but cannot access the LAN: network traffic arrives on the pppx0 interface but never gets forwarded to the LAN IP address. I have been looking and trying for over 2 weeks now and can't figure this one out. Setting everything to pass in pf.conf and only enabling NAT still gives no result.

Setup: OpenBSD 5.8 with npppd using pppx0 or tun0, and pf; 2 WAN interfaces with equal-cost routing (net.inet.ip.multipath=1), 1 LAN interface.

sysctl.conf

net.inet.ip.forwarding=1
net.inet.ip.multipath=1
net.inet.gre.allow=1
net.pipex.enable=1

npppd.conf:

set max-session 20
set user-max-session 5
authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}
tunnel VPN protocol pptp {
    listen on 0.0.0.0
}
ipcp IPCP {
    pool-address 10.219.219.2-10.219.219.100
    dns-servers 192.168.0.189 192.168.0.19
    nbns-servers 192.168.0.189 192.168.0.19
}
interface pppx0 address 10.219.219.1 ipcp IPCP 
bind tunnel from VPN authenticated by LOCAL to pppx0

pf.conf

### NAT
    match out log on $ext1_if from $int_net nat-to ($ext1_if)
    match out log on $ext2_if from $int_net nat-to ($ext2_if)

  ## vpn
    pass quick log on pppx
    match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
    match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
    match out log on $int_if from $vpn_net nat-to ($int_if)

### FILTER RULES
    block log quick inet6
    block in log on $ext1_if
    block in log on $ext2_if

  ## allow ping, traceroute and echo
    pass in log inet proto icmp all icmp-type $icmp_types

  ## pass connections to vpn server
    pass log proto { gre } from any to any keep state
    pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
    pass in log on $ext2_if proto tcp from any to $ext2_if port 1723
    pass in  on enc0 from $vpn_net to $int_net keep state (if-bound)
    pass out on enc0 from $int_net to $vpn_net keep state (if-bound)
    pass in  on pppx from $vpn_net to $int_net keep state (if-bound)
    pass out on pppx from $int_net to $vpn_net keep state (if-bound)

netstat -rn

Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            a.a.a.113          UGSP       0  1073494     -     8 em0
default            b.b.b.97           UGSP       4    10294     -     8 em1
10.219.219.1       10.219.219.1       UHl        0        0     -     1 lo0
10.219.219.14      10.219.219.1       UH         0      679     -     8 pppx0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHl        1        4 32768     1 lo0
b.b.b.96/28        b.b.b.110          UC         1        0     -     8 em1
b.b.b.97           bc:16:65:34:33:81  UHLc       1        0     -     8 em1
b.b.b.110          00:15:17:48:7b:23  HLl        0        0     -     1 lo0
b.b.b.111          b.b.b.110      UHb        0        0     -     1 em1
192.168.0/22       192.168.0.238      UC         9        0     -     8 em3
192.168.0.4        00:25:90:7c:40:cf  UHLc       0        4     -     8 em3
192.168.0.5        00:30:48:7d:7c:64  UHLc       0        1     -     8 em3
192.168.0.6        00:25:90:3c:30:67  UHLc       0        2     -     8 em3
192.168.0.10       f4:6d:04:29:ea:f7  UHLc       0        4     -     8 em3
192.168.0.19       00:25:90:72:89:1a  UHLc       0     8388     -     8 em3
192.168.0.189      00:30:48:d8:f0:0b  UHLc       0     9661     -     8 em3
192.168.0.238      00:25:90:d0:17:10  HLl        0        0     -     1 lo0
192.168.0.253      00:25:90:af:5d:0a  UHLc       0      154     -     8 em3
192.168.2.167      50:e5:49:e6:c3:3c  UHLc       0     2048     -     8 em3
192.168.3.202      00:25:90:af:5d:0a  UHLc       1     9329     - L   8 em3
192.168.3.255      192.168.0.238      UHb        0        0     -     1 em3
a.a.a.112/28       a.a.a.126          UC         2        0     -     8 em0
a.a.a.113          00:00:5e:00:01:0c  UHLc       1        0     -     8 em0
a.a.a.116          00:25:90:af:5d:0b  UHLc       2    34417     - L   8 em0
a.a.a.126          00:15:17:48:7b:22  HLl        0        0     -     1 lo0
a.a.a.127          a.a.a.126          UHb        0        0     -     1 em0
224/4              127.0.0.1          URS        0        0 32768     8 lo0

I'm used to pf on FreeBSD; it looks like pf or the kernel on OpenBSD sets a "block all" on any interface that has no rules defined in pf.conf using skip or pass rules, which is a good thing because this closes unintended security holes.

The machine is the gateway to the internet, serves as VPN server and is load balancing 2 leased lines. Another gotcha I found is the rule mentioned in every tutorial on the net for npppd.

pass log proto { gre } from any to any keep state

I changed this to the rule below to make sure that any NAT'ed outgoing connections are not interfered with.

pass log inet proto gre from any to $ext1_if modulate state

This rule is not needed and does nothing but prevent clients on the local network from accessing a VPN server on the internet through the OpenBSD firewall. GRE is negotiated between the client and the VPN server software on the server and will be passed anyway. Only port 1723 needs to be opened for incoming connections, and that only on the external interface ($ext_if).

Below is the relevant pf.conf for OpenBSD/npppd.

### NAT
  ## int net
    match out log on $ext1_if from $int_net nat-to ($ext1_if) static-port
    match out log on $ext2_if from $int_net nat-to ($ext2_if) static-port

  ## vpn
    match out log on $ext1_if from $vpn_net nat-to ($ext1_if) static-port
    match out log on $ext2_if from $vpn_net nat-to ($ext2_if) static-port
    match out log on $int_if from $vpn_net nat-to ($int_if) static-port

### FILTER RULES
    block drop quick inet6
    block log all
    pass out log

  ## allow ping, traceroute and echo
    pass in log inet proto icmp all icmp-type $icmp_types

  ## internal network
    pass in log on $int_if

  ## pass connections to vpn server
    pass in log on pppx
    pass log inet proto gre from any to $ext1_if modulate state
    pass log inet proto gre from any to $ext2_if modulate state
    pass out log inet proto gre from any to any modulate state
    pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
    pass in log on $ext2_if proto tcp from any to $ext2_if port 1723
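
Both pf.conf fragments on this page (the failing one in the question and the working one in the answer) use macros such as $ext1_if, $int_net and $vpn_net that are never defined here, so neither can be loaded as-is. The following complete pf.conf is an added example and not the poster's file: it takes the rules of the working ruleset above and adds macro definitions that are assumptions derived from the routing table (em0 and em1 as the two WAN interfaces, em3 as the LAN, 192.168.0.0/22 as the LAN prefix, 10.219.219.0/24 as the network containing the npppd pool and the pppx0 address). The $icmp_types list and the `set skip on lo` line are likewise assumptions, not something the page states.

```pf
# Added example, not the poster's configuration. Interface names, networks
# and the ICMP type list are assumptions taken from the netstat output
# above; adjust them to the real deployment before loading.

ext1_if = "em0"                  # first WAN (a.a.a.112/28)
ext2_if = "em1"                  # second WAN (b.b.b.96/28)
int_if  = "em3"                  # LAN
vpn_if  = "pppx"                 # interface group: npppd attaches clients to pppx0, pppx1, ...

int_net = "192.168.0.0/22"       # LAN prefix on em3
vpn_net = "10.219.219.0/24"      # covers the npppd pool 10.219.219.2-100 and pppx0's 10.219.219.1

icmp_types = "{ echoreq, unreach, timex }"   # ping, traceroute replies, time exceeded

set skip on lo

### NAT
  ## int net: LAN hosts leave through whichever WAN the multipath route picked
    match out log on $ext1_if from $int_net nat-to ($ext1_if) static-port
    match out log on $ext2_if from $int_net nat-to ($ext2_if) static-port

  ## vpn: VPN clients are NAT'ed on the WANs and also towards the LAN,
  ## so LAN hosts need no route back to $vpn_net
    match out log on $ext1_if from $vpn_net nat-to ($ext1_if) static-port
    match out log on $ext2_if from $vpn_net nat-to ($ext2_if) static-port
    match out log on $int_if  from $vpn_net nat-to ($int_if)  static-port

### FILTER RULES
    block drop quick inet6
    block log all                 # default deny, including on interfaces with no rules
    pass out log                  # the gateway itself and forwarded traffic may leave anywhere

  ## allow ping, traceroute and echo
    pass in log inet proto icmp all icmp-type $icmp_types

  ## internal network
    pass in log on $int_if

  ## pass connections to vpn server
    pass in log on $vpn_if        # traffic from connected VPN clients
    pass log inet proto gre from any to $ext1_if modulate state
    pass log inet proto gre from any to $ext2_if modulate state
    pass out log inet proto gre from any to any modulate state
    pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
    pass in log on $ext2_if proto tcp from any to $ext2_if port 1723
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because every rule carries `log`, a VPN client's attempt to reach a LAN host can be followed with `tcpdump -n -e -ttt -i pflog0` (the `-e` flag prints the rule number and the interface that matched), and `pfctl -ss` shows whether the resulting state was created on pppx0 or on the LAN interface and whether the nat-to translation was applied.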
