Changeset 11543 in hybrid

Timestamp:

Oct 10, 2012, 9:43:35 PM (12 years ago)

Author:

rick

Message:

Make the concentrator OpenVPN work. Please do mind that it potentially breaks
the code for external interfaces which also have an internal link on it (like
the watertoren setup) and no concentrator setup.

Location:

branches/releng-9.0/nanobsd/files

Files:

• etc/pf.hybrid.conf (modified) (5 diffs)
• usr/local/etc/openvpn/README (added)
• usr/local/etc/openvpn/ca.crt (added)
• usr/local/etc/openvpn/client.conf (modified) (5 diffs)

branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf

@@ -27 +27 @@
 # Default configuration for ALIX2 with vr0 as external interface and wlan0 as
 # the public accesspoint in iLeiden setup, no aliases on interfaces.
-#ext_ip="(vr0:0)"
-#ext_if="vr0"
-ext_ip=$ext_if:0
+ext_if="vr0"
+ext_ip="(vr0:0)"
+inet_if="vr0"
+inet_ip="(vr0:0)"
 captive_portal_interfaces="wlan0"
 publicnat="http,https"
@@ -54 +55 @@
 
 # Nat the internet for iLeiden functionality (1)
-nat on $ext_if inet proto tcp from $wl_net to ! $wl_net port { $publicnat } -> $ext_ip
+nat on $inet_if inet proto tcp from $wl_net to ! $wl_net port { $publicnat } -> ($inet_if)
 
 
@@ -84 +85 @@
 # External interface is permissive (4)
 block on $ext_if inet from any to !$wl_net
+block on $inet_if inet from any to !$wl_net
 
 # Allow internal WL traffic on alias $ext_if interfaces (5)
@@ -98 +100 @@
 
 # Packets going out are the ones to the internet with an certain limit (1)
-pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
+pass out on $inet_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
  (max-src-conn-rate 100/10, max-src-conn 10)
 
@@ -104 +106 @@
 pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
 pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
-pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }
+pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq, trace }
+
+# For proper functioning allow the local machine to initiate requests outside + vpn (4)
+pass out on $inet_if inet proto udp from $inet_if to any port { $allow_ext_out_udp } keep state
+pass out on $inet_if inet proto tcp from $inet_if to any port { $allow_ext_out_tcp } keep state
+pass out on $inet_if inet proto icmp from $inet_if to any icmp-type { echoreq, trace }
+
+# Uncomment to UDP traceroute from this host to start
+#pass out on $ext_if inet proto udp from $ext_if to any port 33434 >< 33464 keep state
+#pass out on $inet_if inet proto udp from $inet_if to any port 33434 >< 33464 keep state
 
 # Do not allow connections to the local MGNT LAN to start (3)

branches/releng-9.0/nanobsd/files/usr/local/etc/openvpn/client.conf

@@ -10 +10 @@
 # file so it has a .ovpn extension           #
 ##############################################
-
 # Specify that we are a client and that we
 # will be pulling certain config file directives
@@ -21 +20 @@
 # unless you partially or fully disable
 # the firewall for the TUN/TAP interface.
-dev tap0
-;dev tun
+dev tun
 
 # Windows needs the TAP-Win32 adapter name
@@ -42 +40 @@
 ;remote my-server-1 1194
 ;remote my-server-2 1194
-remote openvpn.network.wirelessleiden.nl 1194
+remote openvpn.pool.wirelessleiden.nl. 1194
 
 # Choose a random host from the remote
@@ -106 +104 @@
 # If a tls-auth key is used on the server
 # then every client must also have the key.
-;tls-auth ta.key 1
+tls-auth /usr/local/etc/openvpn/ta.key 1
 
 # Select a cryptographic cipher.
@@ -132 +130 @@
 # Make sure to keep some traffic running, to keep the Firewall (NAT) state tables in between happy.
 keepalive 2 24
+
+# Keep trying
+resolv-retry infinite