
A FreeBSD Router as an OpenVPN Client

Well, I’m back doing some work over at iX Systems, and really did not want to run Tunnelblick on my Mac. The VPN for iX does do split tunneling/routing; however, it pushes all DNS over the tunnel … which makes accessing my local RFC 1918 NATed network hard to use.

I have Comcast Business Internet, and from all my research, with Comcast Business Internet and static IPv4 addresses the modem cannot be made a raw/dumb bridge: a bridge-mode modem would release the statics. So I have the modem going into a pretty standard FreeBSD router/firewall setup, using NAT and ipfw. Yes, I like ipfw syntax better than pf. Whatever.

Side note: the other day I finally got IPv6 working via the FreeBSD router. The issue: dummynet drops v6. SOOOO … any shaping rules MUST NOT BE “ip”; they have to be “ip4”. Sigh. That took over a year to figure out.

And now, two years later … I figured out how to run an OpenVPN client … on my router, with dual NAT. Though I can’t explain the exact setup.

I’m not going to explain the whole config … just the OpenVPN side.

So, first, I symlinked the openvpn rc.d script to a per-connection name:

[ pts/0 router:/usr/local/etc/rc.d ]
[ dpd ]> ls -l /usr/local/etc/rc.d/openvpn*
-r-xr-xr-x 1 root wheel 4418 Apr 19 11:23 /usr/local/etc/rc.d/openvpn*
lrwxr-xr-x 1 root wheel 7 May 19 2015 /usr/local/etc/rc.d/openvpn_ixsystems@ -> openvpn

This gives this VPN config its own rcvar and a separate config file.


[ pts/0 router:/usr/local/etc/rc.d ]
[ dpd ]> /usr/local/etc/rc.d/openvpn_ixsystems rcvar
/usr/local/etc/rc.d/openvpn_ixsystems: DEBUG: Sourcing /etc/rc.conf.d/openvpn_ixsystems
# openvpn_ixsystems
#
openvpn_ixsystems_enable="NO"
# (default: "")

[ pts/0 router:/usr/local/etc/openvpn ]
[ dpd ]> ls -l /usr/local/etc/openvpn/openvpn*
-rw------- 1 root wheel 232 Oct 21 2015 /usr/local/etc/openvpn/openvpn-status.log
-rw-r--r-- 1 root wheel 468 Nov 26 2014 /usr/local/etc/openvpn/openvpn.conf
-rw------- 1 root wheel 438 May 22 20:58 /usr/local/etc/openvpn/openvpn_ixsystems.conf

This config file is provided by your VPN server admin, and I’m not going into details here. Use the rc.d script to connect. For NAT, I have a natd.conf, because I’m doing 1-to-1 NAT of my statics to my statically assigned DHCP RFC 1918 addresses. This made some internal stuff nicer and lets ipfw filter better. I’m using sshguard to populate a lookup table on the router, and feeding all the syslogds to the router. So one failed ssh login scan of my network results in the IP being blocked.


redirect_address 192.168.1.4 173.13.188.41
redirect_address 192.168.1.6 173.13.188.42
redirect_address 192.168.1.3 173.13.188.43
redirect_address 192.168.1.2 173.13.188.44

Next were two simple, magic things: a second NAT for the tun0 device, and an ipfw divert for that NAT.


touch /etc/natd-tun0.conf
/sbin/natd -config /etc/natd-tun0.conf -n tun0 -p 8670
ipfw add 60 divert 8670 ip4 from any to any via tun0

That did it !!
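As an added example (not the post’s own code), here is a small POSIX sh script that automates the steps above: writing the rc.conf.d fragment for the openvpn_ixsystems symlink and bringing up the tun0 natd instance with its ip4 divert rule. The interface, port and rule numbers come from the post; the ROOT and RUN variables are my own assumptions so the script can be dry-run (RUN=echo ROOT=/tmp/x) on a box without natd or ipfw.

```shell
#!/bin/sh
# Added example, not code from the original post. Names and ports (ixsystems,
# tun0, 8670, 8668, rule 60) are from the post; ROOT and RUN are assumed knobs.
set -eu

VPN_NAME=${VPN_NAME:-ixsystems}     # rc.d symlink openvpn_${VPN_NAME} -> openvpn
VPN_IF=${VPN_IF:-tun0}              # interface OpenVPN creates for this client
VPN_NAT_PORT=${VPN_NAT_PORT:-8670}  # divert port of the tunnel's natd
WAN_NAT_PORT=${WAN_NAT_PORT:-8668}  # divert port already used by the em1 natd
RULE_NUM=${RULE_NUM:-60}            # must sort before the catch-all allow rule
ROOT=${ROOT:-}                      # prefix for files written ("" = real /)
RUN=${RUN:-}                        # RUN=echo prints commands instead of running

# The two natd instances must use distinct divert ports; reusing 8668 would hand
# tunnel packets to the WAN natd and rewrite them with the wrong address.
check_ports() {
    [ "$VPN_NAT_PORT" -ne "$WAN_NAT_PORT" ]
}

# The divert rule is deliberately "ip4": per the post, "ip" rules also catch
# IPv6, and dummynet/divert then break v6.
divert_rule() {
    echo "add $RULE_NUM divert $VPN_NAT_PORT ip4 from any to any via $VPN_IF"
}

# /etc/rc.conf.d/openvpn_<name>: the rc.d script derives its variable names
# from the symlink name, which is what the post's "rcvar" output shows.
write_rc_conf() {
    f="$ROOT/etc/rc.conf.d/openvpn_$VPN_NAME"
    mkdir -p "${f%/*}"
    {
        echo "openvpn_${VPN_NAME}_enable=\"YES\""
        echo "openvpn_${VPN_NAME}_configfile=\"/usr/local/etc/openvpn/openvpn_${VPN_NAME}.conf\""
    } > "$f"
    echo "$f"
}

tun_nat_up() {
    check_ports || { echo "tunnel natd port clashes with WAN natd port" >&2; return 1; }
    conf="$ROOT/etc/natd-$VPN_IF.conf"
    mkdir -p "${conf%/*}"
    [ -e "$conf" ] || : > "$conf"                # like the post's touch: empty config is enough
    $RUN /sbin/natd -config "$conf" -n "$VPN_IF" -p "$VPN_NAT_PORT"
    $RUN /sbin/ipfw delete "$RULE_NUM" 2>/dev/null || true   # idempotent re-run
    $RUN /sbin/ipfw $(divert_rule)
}
```

Source it and call write_rc_conf and then tun_nat_up; it refuses to start if the tunnel natd would reuse the em1 natd’s divert port.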

Now, I’d like to get unbound to forward DNS for just a single domain over the VPN. The “forward” in unbound didn’t seem to work. I’m using a fully recursive unbound as a caching DNS server, so I bypass Comcast’s DNS servers.

And for reference, here’s my ipfw stack. It could use some hardening.


00050 divert 8668 ip4 from any to any via em1
00050 nat 123 ip4 from any to any via em1
00060 divert 8670 ip4 from any to any via tun0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00522 deny ip from table(22) to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 deny log ip4 from any to any dst-port 111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779 in via em1
01110 deny log ip4 from any to any dst-port 111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779 out via em1
01700 queue 21 ip4 from any to any dst-port 53,5353 out via em1
01800 queue 22 ip4 from any to any dst-port 53,5353 in via em1
01900 queue 31 ip4 from any to any dst-port 80,443 out via em1
02000 queue 32 ip4 from any to any dst-port 80,443 in via em1
02100 queue 51 ip4 from any to any dst-port 119,563 out via em1
02200 queue 52 ip4 from any 119,563 to any in via em1
02300 queue 41 ip4 from any to any out via em1
02400 queue 42 ip4 from any to any in via em1
65000 allow ip from any to any
65535 deny ip from any to any

The War on Mother’s, Father’s, Christmas et al Days

In response to the following article, I was going to leave this as a comment on someone else’s post, but decided to make it a personal post/rant on a more general question: are we lefties too politically correct?

An open letter to pastors (A non-mom speaks about Mother’s Day)

Even though I am a 40-year-old, childless(*) man, luckily I don’t believe in or practice any of these mythologies, so a hypocritical old childless white man’s sanction, or support from a conceived supreme being, is pretty meaningless to me.

(*I’ve always wanted children/a family; the role of mother of my children has been open and unfilled for a long time.)

Bill Maher sums it up – “democrats have gone from the party that protects people, to the party that protects feelings”.

However, there are always two sides to every coin. There is the desire to celebrate/recognize certain accomplishments or sacrifices that others have not made or could not make. Does that mean we should be insensitive to those that could not or didn’t? And at the same time, while we are attempting to celebrate the ones that did, we don’t want to compromise their accomplishments or ruin their day; we can do that the other 364 days.

I’m not talking just about Mother’s Day and Father’s Day … how about Valentine’s Day? Christmas? Thanksgiving? Veterans Day?

I’m pretty sure that is why the religious right has this idea of a ‘war on Christmas’. Because some want to be more inclusive of minorities, others start to feel pushed out. And in the War on Christmas, maybe finally, for the white Christians, here’s a taste of your own exclusion.

Mother’s and Father’s Day don’t bother me that much. My immediate family never put a lot of weight on celebrating these days in the first place. Plus, I still have my parents in my life. A Facebook friend of mine suddenly lost her mother and is having a difficult time with Mother’s Day approaching. I have no clue how I’d feel in that case.

I can (and hopefully one day will) father some children. However, I’m not likely to pick up a gun and serve in our military. And if, because someone couldn’t get into college or didn’t have the money to do so, they chose to enlist, why should I celebrate their decision? (Now, if drafted, that is different.) Nobody throws me a party because I chose to go to WashU over University of Missouri – Rolla.

I know motherhood has a biological clock that complicates things, but should we feel sad, and take away from and get distracted by those that didn’t or couldn’t, wanting attention on a day we set aside to honor someone else?

I appreciate learning about the feelings of others, especially when they are often overlooked. However, if it is someone else’s birthday, do you interrupt their celebration to comment that it’s not your birthday and you are feeling left out?