Title: OpenVPN as the default gateway on OpenBSD
Author: Solène
Date: 27 October 2020
Tags: openbsd openvpn
Description:
If you plan to use an OpenVPN tunnel as your default gateway, two things get in the way: the tun interface has to end up in the `egress` group, and `pf.conf`, which is loaded before OpenVPN starts, already needs to reference `tun0`. Here are the few tips I use to solve these problems.
## Remove your current default gateway
We don't want a static default gateway on the system, only a host route to the VPN server, so you need to know the remote address of the VPN server.
If you have a `/etc/mygate` file, remove it.
The `/etc/hostname.if` file (with `if` being your interface name, like `em0` for example) should look like this:

```
192.168.1.200
up
!route add -host A.B.C.D 192.168.1.254
```
+ The first line is the IP on my LAN.
+ The second line brings the interface up.
+ The third line means you want to reach `A.B.C.D` via `192.168.1.254`, with `A.B.C.D` being the remote VPN server.
## Create the tun0 interface at boot
Create a `/etc/hostname.tun0` file with only `up` as content. This creates `tun0` at boot, so it already exists when `pf.conf` is loaded and the ruleset doesn't fail because of a missing interface.
You may think one could use `egress` instead of the interface name, but this is not allowed in queuing rules.
## Don't let OpenVPN manage the route
Don't use `redirect-gateway def1 bypass-dhcp` in the OpenVPN configuration: `def1` installs two `/1` routes covering the whole address space rather than a `default` route, so the `tun0` interface never joins the `egress` group, which is not what we want.
Add these two lines to your configuration file to execute a script once the tunnel is established, in which we will add the default route:

```
script-security 2
up /etc/openvpn/script_up.sh
```
In `/etc/openvpn/script_up.sh` (which must be executable) you simply have to write:

```sh
#!/bin/sh
# X.Y.Z.A is the gateway on the VPN side of the tunnel, now the default route
/sbin/route add -net default X.Y.Z.A
```
If you have IPv6 connectivity, you have to add this line:

```sh
/sbin/route add -inet6 2000::/3 fe80::%tun0
```
(not sure it's 100% correct for IPv6 but it works fine for me! If
it's wrong, please tell me how to make it better).
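As an added example (not part of the original post), here is a small preflight check that verifies the pieces above are in place before rebooting: no `/etc/mygate`, an `up` line in `/etc/hostname.tun0`, no `redirect-gateway` in the OpenVPN config, `script-security 2` plus an `up` directive, and an executable up script that adds the default route. The config path `/etc/openvpn/client.conf` is an assumption; pass another one as the second argument.

```shell
#!/bin/sh
# Added example, not from the original post. $1 is an optional root prefix
# so the check can run against a staging tree; $2 overrides the config path
# (the default /etc/openvpn/client.conf is an assumption, not from the post).
# Usage: . ./check_vpn_gateway.sh; check_vpn_gateway "" /etc/openvpn/client.conf

check_vpn_gateway() {
    root=${1:-}
    conf=${2:-/etc/openvpn/client.conf}
    fails=0
    # A static default gateway would compete with the one the up script adds.
    if [ -e "$root/etc/mygate" ]; then
        echo "FAIL: $root/etc/mygate exists, remove it"
        fails=$((fails + 1))
    fi
    # tun0 has to exist before pf.conf loads, so hostname.tun0 must say 'up'.
    if ! grep -qx 'up' "$root/etc/hostname.tun0" 2>/dev/null; then
        echo "FAIL: $root/etc/hostname.tun0 missing or lacks an 'up' line"
        fails=$((fails + 1))
    fi
    # redirect-gateway installs two /1 routes instead of a real default route,
    # so tun0 would never join the egress group.
    if grep -q '^[[:space:]]*redirect-gateway' "$root$conf" 2>/dev/null; then
        echo "FAIL: remove redirect-gateway from $conf"
        fails=$((fails + 1))
    fi
    # The up script only runs with script-security 2 and an 'up' directive,
    # and it must be executable and actually add the default route.
    if ! grep -qx 'script-security 2' "$root$conf" 2>/dev/null; then
        echo "FAIL: 'script-security 2' missing from $conf"
        fails=$((fails + 1))
    fi
    up=$(sed -n 's/^up[[:space:]]\{1,\}//p' "$root$conf" 2>/dev/null | head -n 1)
    if [ -z "$up" ]; then
        echo "FAIL: no 'up' directive in $conf"
        fails=$((fails + 1))
    elif [ ! -x "$root$up" ]; then
        echo "FAIL: up script $up is missing or not executable"
        fails=$((fails + 1))
    elif ! grep -q 'route add -net default' "$root$up"; then
        echo "FAIL: $up does not add the default route"
        fails=$((fails + 1))
    fi
    return "$fails"
}
```

The function's return value is the number of failed checks, so `check_vpn_gateway && reboot` only reboots when everything is in place.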