Well, I’m back doing some work over at iX Systems, and really did not want to run Tunnelblick on my mac. The VPN for ix does do split tunnel/routing, however it pumps all the DNS over the tunnel … which makes accessing my local RFC 1918 NATed network hard to use.
I have Comcast Business Internet, and from all my research, Comcast Business Internet with Static IPv4, the modem cannot be made a raw/dumb bridge. A bridge mode modem, would release the statics. So I have modem, going into a pretty standard FreeBSD router/firewall setup, using NAT and ipfw. Yes, I like ipfw syntax better than pf. Whatever.
SideNote: So, the other day, I finally got IPv6 working via the FreeBSD router. Issue – Dummynet drops v6. SOOOO … any shaping rules MUST NOT BE “ip”, they have to be “ip4”. Sigh. That took over a year to figure out.
And now, two years later … I figured out how to do OpenVPN client … on my router, with dual NAT. Though, can’t explain exact setup.
I’m not going to explain the whole config … just the OpenVPN side.
So, first, I symlinked the openvpn to
[ pts/0 router:/usr/local/etc/rc.d ]
[ dpd ]> ls -l /usr/local/etc/rc.d/openvpn*
-r-xr-xr-x 1 root wheel 4418 Apr 19 11:23 /usr/local/etc/rc.d/openvpn*
lrwxr-xr-x 1 root wheel 7 May 19 2015 /usr/local/etc/rc.d/openvpn_ixsystems@ -> openvpn
This allows for a specific rcvar for this vpn config, and a separate config file.
[ pts/0 router:/usr/local/etc/rc.d ]
[ dpd ]> /usr/local/etc/rc.d/openvpn_ixsystems rcvar
/usr/local/etc/rc.d/openvpn_ixsystems: DEBUG: Sourcing /etc/rc.conf.d/openvpn_ixsystems
# (default: "")
[ pts/0 router:/usr/local/etc/openvpn ]
[ dpd ]> ls -l /usr/local/etc/openvpn/openvpn*
-rw------- 1 root wheel 232 Oct 21 2015 /usr/local/etc/openvpn/openvpn-status.log
-rw-r--r-- 1 root wheel 468 Nov 26 2014 /usr/local/etc/openvpn/openvpn.conf
-rw------- 1 root wheel 438 May 22 20:58 /usr/local/etc/openvpn/openvpn_ixsystems.conf
This config file is provided by your VPN server admin, and not going into details here. Use the rc.d script to connect. For nat, I have a natd.conf, because I’m doing 1-to-1 NAT-ing of my statics to my statically assigned DHCP rfc1918 addresses. This made some internal stuff nicer and ipfw filter better. I’m using sshguard to populate a lookup table, on the router, and feeding all syslogd’s to Router. So, 1 failed consecutive ssh login scan of my network results in the IP being blocked.
redirect_address 192.168.1.4 220.127.116.11
redirect_address 192.168.1.6 18.104.22.168
redirect_address 192.168.1.3 22.214.171.124
redirect_address 192.168.1.2 126.96.36.199
Next, was two magic, simple things. A second NAT for the tun0 device, and an IPFW divert for that NAT.
/sbin/natd -config /etc/natd-tun0.conf -n tun0 -p 8670
ipfw add 60 divert 8670 ip4 from any to any via tun0
That did it !!
Now, I’d like to get unbound to forward DNS for just a single domain over the VPN. The “forward” in unbound didn’t seem to work. I’m using a full recursive unbound for a caching DNS server. I bypass Comcast DNS servers.
And for reference, here’s my ipfw stack. It could use some hardening.
00050 divert 8668 ip4 from any to any via em1
00050 nat 123 ip4 from any to any via em1
00060 divert 8670 ip4 from any to any via tun0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00522 deny ip from table(22) to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 deny log ip4 from any to any dst-port 111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779 in via em1
01110 deny log ip4 from any to any dst-port 111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779 out via em1
01700 queue 21 ip4 from any to any dst-port 53,5353 out via em1
01800 queue 22 ip4 from any to any dst-port 53,5353 in via em1
01900 queue 31 ip4 from any to any dst-port 80,443 out via em1
02000 queue 32 ip4 from any to any dst-port 80,443 in via em1
02100 queue 51 ip4 from any to any dst-port 119,563 out via em1
02200 queue 52 ip4 from any 119,563 to any in via em1
02300 queue 41 ip4 from any to any out via em1
02400 queue 42 ip4 from any to any in via em1
65000 allow ip from any to any
65535 deny ip from any to any