A FreeBSD Router as an OpenVPN Client

Well, I’m back doing some work over at iX Systems, and really did not want to run Tunnelblick on my Mac. The VPN for iX does do split tunnel/routing; however, it pushes all DNS over the tunnel, which makes accessing my local RFC 1918 NATed network hard to use.

I have Comcast Business Internet, and from all my research, with Comcast Business Internet and static IPv4 the modem cannot be made a raw/dumb bridge: a modem in bridge mode would release the statics. So I have the modem going into a pretty standard FreeBSD router/firewall setup, using NAT and ipfw. Yes, I like ipfw syntax better than pf. Whatever.

Side note: the other day, I finally got IPv6 working via the FreeBSD router. Issue: dummynet drops v6. SOOOO … any shaping rules MUST NOT be “ip”, they have to be “ip4”. Sigh. That took over a year to figure out.

And now, two years later … I figured out how to do an OpenVPN client … on my router, with dual NAT. Though I can’t explain the exact setup.

I’m not going to explain the whole config … just the OpenVPN side.

So, first, I symlinked the openvpn rc.d script to a per-VPN name:

[ pts/0 router:/usr/local/etc/rc.d ]
[ dpd ]> ls -l /usr/local/etc/rc.d/openvpn*
-r-xr-xr-x 1 root wheel 4418 Apr 19 11:23 /usr/local/etc/rc.d/openvpn*
lrwxr-xr-x 1 root wheel 7 May 19 2015 /usr/local/etc/rc.d/openvpn_ixsystems@ -> openvpn

This allows for a specific rcvar for this VPN config, and a separate config file: the rc.d script takes its instance name from the name it was invoked as, so the symlink gives it openvpn_ixsystems_enable and openvpn_ixsystems.conf.


[ pts/0 router:/usr/local/etc/rc.d ]
[ dpd ]> /usr/local/etc/rc.d/openvpn_ixsystems rcvar
/usr/local/etc/rc.d/openvpn_ixsystems: DEBUG: Sourcing /etc/rc.conf.d/openvpn_ixsystems
# openvpn_ixsystems
#
openvpn_ixsystems_enable="NO"
# (default: "")

[ pts/0 router:/usr/local/etc/openvpn ]
[ dpd ]> ls -l /usr/local/etc/openvpn/openvpn*
-rw------- 1 root wheel 232 Oct 21 2015 /usr/local/etc/openvpn/openvpn-status.log
-rw-r--r-- 1 root wheel 468 Nov 26 2014 /usr/local/etc/openvpn/openvpn.conf
-rw------- 1 root wheel 438 May 22 20:58 /usr/local/etc/openvpn/openvpn_ixsystems.conf

This config file is provided by your VPN server admin, so I’m not going into details here. Use the rc.d script to connect. For NAT, I have a natd.conf, because I’m doing 1-to-1 NAT of my statics to my statically assigned (DHCP) RFC 1918 addresses. This made some internal stuff nicer and lets ipfw filter better. I’m using sshguard to populate a lookup table on the router, and feeding all syslogd output to the router. So one failed consecutive ssh login scan of my network results in the IP being blocked.


redirect_address 192.168.1.4 173.13.188.41
redirect_address 192.168.1.6 173.13.188.42
redirect_address 192.168.1.3 173.13.188.43
redirect_address 192.168.1.2 173.13.188.44

Next were two simple, magic things: a second NAT for the tun0 device, and an ipfw divert for that NAT.


touch /etc/natd-tun0.conf
/sbin/natd -config /etc/natd-tun0.conf -n tun0 -p 8670
ipfw add 60 divert 8670 ip4 from any to any via tun0

That did it !!

Now, I’d like to get unbound to forward DNS for just a single domain over the VPN, but the “forward” directive in unbound didn’t seem to work. I’m running unbound as a full recursive caching DNS server and bypass the Comcast DNS servers.
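As an added example (not from the post), here is the forward-zone form unbound documents for sending one zone to another resolver while staying recursive for everything else. The zone name corp.example. and the resolver address 10.0.0.53 are placeholders for the VPN’s internal domain and the DNS server reachable through tun0; the two server: options cover two common reasons such a forward silently returns nothing on a validating resolver.

```conf
# Added example, not the post's own config. corp.example. and 10.0.0.53 are
# placeholders for the VPN's internal zone and its resolver behind tun0.
server:
    # Only needed if private-address: is configured: answers in the VPN zone
    # carry RFC 1918 addresses, and rebinding protection would strip them.
    private-domain: "corp.example."
    # Only needed if DNSSEC validation is on (auto-trust-anchor-file): an
    # unsigned internal answer under a signed public parent is otherwise
    # treated as bogus and dropped.
    domain-insecure: "corp.example."

# Everything else stays fully recursive; only this zone goes over the tunnel.
forward-zone:
    name: "corp.example."
    forward-addr: 10.0.0.53
```

Run unbound-checkconf before restarting, then from the router itself compare drill @10.0.0.53 host.corp.example against drill host.corp.example: if the direct query works and the forwarded one does not, the problem is validation or rebinding protection rather than routing over tun0.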

And for reference, here’s my ipfw stack. It could use some hardening.


00050 divert 8668 ip4 from any to any via em1
00050 nat 123 ip4 from any to any via em1
00060 divert 8670 ip4 from any to any via tun0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00522 deny ip from table(22) to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 deny log ip4 from any to any dst-port 111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779 in via em1
01110 deny log ip4 from any to any dst-port 111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779 out via em1
01700 queue 21 ip4 from any to any dst-port 53,5353 out via em1
01800 queue 22 ip4 from any to any dst-port 53,5353 in via em1
01900 queue 31 ip4 from any to any dst-port 80,443 out via em1
02000 queue 32 ip4 from any to any dst-port 80,443 in via em1
02100 queue 51 ip4 from any to any dst-port 119,563 out via em1
02200 queue 52 ip4 from any 119,563 to any in via em1
02300 queue 41 ip4 from any to any out via em1
02400 queue 42 ip4 from any to any in via em1
65000 allow ip from any to any
65535 deny ip from any to any
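The listing above ends with 65000 allow ip from any to any followed by 65535 deny ip from any to any, so the final deny can never match and the box is default-accept; that is the kind of ordering mistake a small linter catches before a ruleset is loaded. The following Python script is an added example, not the post’s code: it parses ipfw list style output (SAMPLE_RULES is a constructed, abridged copy of the listing above), flags rules shadowed by an earlier catch-all, reports a default-accept final rule, and notes when one interface is handled by more than one divert/nat rule, as em1 is here.

```python
"""Lint an `ipfw list` listing for ordering and policy mistakes (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: an abridged copy of the post's own `ipfw list` output.
SAMPLE_RULES = """\
00050 divert 8668 ip4 from any to any via em1
00050 nat 123 ip4 from any to any via em1
00060 divert 8670 ip4 from any to any via tun0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00522 deny ip from table(22) to any
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 deny log ip4 from any to any dst-port 111,32770-32779 in via em1
02100 queue 51 ip4 from any to any dst-port 119,563 out via em1
02200 queue 52 ip4 from any 119,563 to any in via em1
65000 allow ip from any to any
65535 deny ip from any to any
"""

# Covers the subset of ipfw syntax used in the listing: an optional "log",
# an action argument (divert port, nat instance, queue number), inline
# source/destination port lists, and trailing options such as "in via em1".
RULE_RE = re.compile(
    r"^(?P<num>\d{1,5})\s+(?P<action>allow|deny|divert|nat|queue|pipe|count)"
    r"(?:\s+(?P<log>log))?(?:\s+(?P<arg>\d+))?"
    r"\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)(?:\s+(?P<sports>[\d,-]+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dports>[\d,-]+))?(?:\s+(?P<opts>\S.*))?$"
)


@dataclass
class Rule:
    num: int
    action: str
    arg: Optional[str]
    proto: str
    src: str
    dst: str
    sports: Optional[str]
    dports: Optional[str]
    opts: str

    @property
    def interface(self) -> Optional[str]:
        m = re.search(r"\bvia\s+(\S+)", self.opts)
        return m.group(1) if m else None

    @property
    def is_catch_all(self) -> bool:
        """A terminal rule with no qualifiers: everything after it is dead."""
        return (self.action in ("allow", "deny") and self.proto == "ip"
                and self.src == "any" and self.dst == "any"
                and not (self.sports or self.dports or self.opts))


def parse_rules(listing: str):
    rules, errors = [], []
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            errors.append(f"cannot parse: {line}")
            continue
        g = m.groupdict()
        rules.append(Rule(int(g["num"]), g["action"], g["arg"], g["proto"],
                          g["src"], g["dst"], g["sports"], g["dports"],
                          g["opts"] or ""))
    return rules, errors


def shadowed_rules(rules):
    """Numbers of rules that follow the first catch-all and so never match."""
    for i, r in enumerate(rules):
        if r.is_catch_all:
            return [x.num for x in rules[i + 1:]]
    return []


def audit(listing: str):
    rules, findings = parse_rules(listing)
    # More than one divert/nat rule on the same interface translates twice
    # unless the chaining is deliberate; worth a second look either way.
    translators = {}
    for r in rules:
        if r.action in ("divert", "nat") and r.interface:
            translators.setdefault(r.interface, []).append(f"{r.num} {r.action} {r.arg}")
    for iface, who in translators.items():
        if len(who) > 1:
            findings.append(f"interface {iface} is translated by {len(who)} rules: " + ", ".join(who))
    for num in shadowed_rules(rules):
        findings.append(f"rule {num} is unreachable: an earlier catch-all matches first")
    final = next((r for r in rules if r.is_catch_all), None)
    if final is None:
        findings.append("no explicit final rule: behaviour depends on the kernel default")
    elif final.action == "allow":
        findings.append(f"rule {final.num} accepts all remaining traffic: the ruleset is default-accept")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Feed it the real output of ipfw list instead of SAMPLE_RULES to check the live box; the hardening the post mentions would start by replacing rule 65000 with explicit allows for the services that need to be reachable, so that the final deny actually does something.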

The War on Mother’s, Father’s, Christmas et al Days

In response to the following article, I was going to leave this as a comment on someone else’s post, but decided to make this a personal post/rant in a more general area: are we lefties too politically correct?

An open letter to pastors (A non-mom speaks about Mother’s Day)

Even though I am a 40-year-old, childless(*) man, luckily I don’t believe in or practice any of these mythologies, so a hypocritical old childless white man’s sanction or support from a conceived supreme being is pretty meaningless to me.

(*I’ve always wanted children/a family; the role of mother of my children has been open and unfilled for a long time.)

Bill Maher sums it up: “Democrats have gone from the party that protects people to the party that protects feelings”.

However, there are always two sides to every coin. There is the desire to celebrate/recognize certain accomplishments or sacrifices that others have not made or could not make. Does that mean we should be insensitive to those that could not or didn’t? And at the same time, while we are attempting to celebrate the ones that did, we don’t want to compromise their accomplishments or ruin their day; we can do that the other 364.

I’m not talking just about Mother’s Day and Father’s Day … how about Valentine’s Day? Christmas? Thanksgiving? Veterans Day?

I’m pretty sure that is why the religious right has this idea of a ‘war on Christmas’. Because some want to be more inclusive of minorities, others start to feel pushed out. And in the War on Christmas, maybe finally, for the white Christians, here’s a taste of your own exclusion.

Mother’s and Father’s Day don’t bother me that much. My immediate family never put a lot of weight on celebrating these days in the first place. Plus, I still have my parents in my life. I have a Facebook friend who suddenly lost her mother and is having a difficult time with Mother’s Day approaching. I have no clue how I’d feel in that case.

I can (and hopefully one day will) father some children. However, I’m not likely going to pick up a gun and serve in our military. And if, because one couldn’t get into college or didn’t have the money to do so, they chose to enlist, why should I celebrate their decision? (Now, if drafted, that is different.) Nobody throws me a party because I chose to go to WashU over the University of Missouri – Rolla.

I know motherhood has a biological clock that complicates things, but should we feel sad, and be distracted by those that didn’t or couldn’t, wanting attention on a day we set aside to honor someone else?

I appreciate learning about the feelings of others, especially when they are often overlooked. However, if it is someone else’s birthday, do you interrupt their celebration to comment that it’s not your birthday and you are feeling left out?

Average Citizens AHCA Raw Bill Review – Part 1

So, what can an average, well-educated person get from reading the AHCA?

Disclaimer: I’m a liberal, Sanders Democrat living in the Silicon Valley area of California. I’m currently enrolled in an individual plan, covered by the ACA, but NOT purchased via the Covered California web site; I bought it directly from the private insurance company. I am not a politician and have no legal education or background. I have an engineering education and a BS.

The source is the raw PDF from the U.S. Government Publishing Office.

The ACA (certified full-text version) can be found over on HealthCare.gov and the GPO.

My markup will be color coded like this.

SECTION 1. SHORT TITLE.

‘‘American Health Care Act of 2017’’ – not too much to interpret here.

TITLE I—ENERGY AND COMMERCE Subtitle A—Patient Access to Public Health Programs

SEC. 101. THE PREVENTION AND PUBLIC HEALTH FUND.

(b) RESCISSION OF UNOBLIGATED FUNDS – From what I can tell, looking at Section 4002 of the ACA, this repeals all the money/funding for the “Prevention and Public Health Fund”, which looks like general money for the Department of Health and Human Services, so this is a budget cut.

SEC. 102. COMMUNITY HEALTH CENTER PROGRAM.

Looks like it adds $422 billion to the Medicare Access and CHIP Reauthorization Act of 2015.

SEC. 103. FEDERAL PAYMENTS TO STATES.

This seems to cut the ACA’s expanded Medicaid, but I’m unsure.

Subtitle B—Medicaid Program Enhancement

SEC. 111. REPEAL OF MEDICAID PROVISIONS & SEC. 112. REPEAL OF MEDICAID EXPANSION.

All kinds of complicated diffs and patches to the ACA and other laws, but the title is pretty clear … this is the repeal of the expanded Medicaid. Legal details and dates are included here.

(c) SUNSET OF ESSENTIAL HEALTH BENEFITS REQUIREMENT.

Section 1937(b)(5) of the Social Security Act (42 U.S.C. 1396u–7(b)(5)) is amended by adding at the end the following: ‘‘This paragraph shall not apply after December 31, 2019.’’.

Expires the ACA’s essential health benefits as of Dec 31, 2019.

SEC. 113. ELIMINATION OF DSH CUTS.

Changes the date in some part of Section 1923(f) of the Social Security Act, which I did not look up, from 2025 to 2019. As well as details, I believe, regarding this repeal and how expanded and non-expanded states are handled per this law.

SEC. 114. REDUCING STATE MEDICAID COSTS.

(a) LETTING STATES DISENROLL HIGH DOLLAR LOTTERY WINNERS.

There is a lot of detail and conditions here, but I interpret this as allowing states to un-enroll lottery winners.

(c) ENSURING STATES ARE NOT FORCED TO PAY FOR INDIVIDUALS INELIGIBLE FOR THE PROGRAM

This allows the states to verify citizenship, and covers the details of how a state can treat anyone that they suspect of not being a US citizen.

(d) UPDATING ALLOWABLE HOME EQUITY LIMITS IN MEDICAID

Not clear what this does.

SEC. 115. SAFETY NET FUNDING FOR NON-EXPANSION STATES.

Some funding stuff; a “safety net” as a result of repealing expanded Medicaid.

SEC. 116. PROVIDING INCENTIVES FOR INCREASED FREQUENCY OF ELIGIBILITY REDETERMINATIONS.

Looks like details and dates on how to remove people from the Medicaid expansion.


Ok, enough for now … stopping at page 29, Subtitle C. Look for Part 2.