Index: branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf
===================================================================
--- branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf	(revision 11480)
+++ branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf	(revision 11543)
@@ -27,7 +27,8 @@
 # Default configuration for ALIX2 with vr0 as external interface and wlan0 as
 # the public accesspoint in iLeiden setup, no aliases on interfaces.
-#ext_ip="(vr0:0)"
-#ext_if="vr0"
-ext_ip=$ext_if:0
+ext_if="vr0"
+ext_ip="(vr0:0)"
+inet_if="vr0"
+inet_ip="(vr0:0)"
 captive_portal_interfaces="wlan0"
 publicnat="http,https"
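Review bot: The new `inet_if`/`inet_ip` macros come without a comment saying how they differ from `ext_if`/`ext_ip`, and `inet_ip` hard-codes `vr0` instead of following `inet_if`. In the hunks shown `inet_ip` is never referenced, so someone who changes only `inet_if` (for example to the VPN device, which the later "outside + vpn" comment hints at) gets no signal that `inet_ip` still points at vr0. I would add a comment such as `# inet_if: interface that carries internet-bound traffic; keep inet_ip on the same interface` above the two lines, or drop `inet_ip` if nothing uses it.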
@@ -54,5 +55,5 @@
 
 # Nat the internet for iLeiden functionality (1)
-nat on $ext_if inet proto tcp from $wl_net to ! $wl_net port { $publicnat } -> $ext_ip
+nat on $inet_if inet proto tcp from $wl_net to ! $wl_net port { $publicnat } -> ($inet_if)
 
 
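Review bot: The translation address changes from `(vr0:0)` to `($inet_if)`, which drops the `:0` modifier, so alias addresses on the interface are no longer excluded from the NAT source address. The file header says "no aliases on interfaces", but a later comment refers to alias addresses on `$ext_if`, so if aliases are configured the outgoing source address may no longer be pinned to the primary one. `-> $inet_ip` or `-> ($inet_if:0)` keeps the previous behaviour, and the former also gives the new `inet_ip` macro a use.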
@@ -84,4 +85,5 @@
 # External interface is permissive (4)
 block on $ext_if inet from any to !$wl_net
+block on $inet_if inet from any to !$wl_net
 
 # Allow internal WL traffic on alias $ext_if interfaces (5)
@@ -98,5 +100,5 @@
 
 # Packets going out are the ones to the internet with an certain limit (1)
-pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
+pass out on $inet_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
  (max-src-conn-rate 100/10, max-src-conn 10)
 
@@ -104,5 +106,14 @@
 pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
 pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
-pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }
+pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq, trace }
+
+# For proper functioning allow the local machine to initiate requests outside + vpn (4)
+pass out on $inet_if inet proto udp from $inet_if to any port { $allow_ext_out_udp } keep state
+pass out on $inet_if inet proto tcp from $inet_if to any port { $allow_ext_out_tcp } keep state
+pass out on $inet_if inet proto icmp from $inet_if to any icmp-type { echoreq, trace }
+
+# Uncomment to UDP traceroute from this host to start
+#pass out on $ext_if inet proto udp from $ext_if to any port 33434 >< 33464 keep state
+#pass out on $inet_if inet proto udp from $inet_if to any port 33434 >< 33464 keep state
 
 # Do not allow connections to the local MGNT LAN to start (3)
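Review bot: The three new `pass out on $inet_if` rules match `from $inet_if`, which pf resolves to the interface's addresses when the ruleset is loaded, while the NAT rule in the second hunk uses the dynamic form `($inet_if)`. If the address on that interface is assigned or changes after pf starts (DHCP, or a tunnel that comes up later), these rules will probably stop matching the host's own traffic; `from ($inet_if)` follows the current address. Separately, `trace` is ICMP type 30, which common traceroute implementations do not send (they use UDP probes or echo requests), so `icmp-type { echoreq, trace }` probably enables nothing beyond `echoreq`. The ICMP rules also omit the explicit `keep state` that the UDP and TCP lines carry, which is worth adding for consistency.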
Index: branches/releng-9.0/nanobsd/files/usr/local/etc/openvpn/README
===================================================================
--- branches/releng-9.0/nanobsd/files/usr/local/etc/openvpn/README	(revision 11543)
+++ branches/releng-9.0/nanobsd/files/usr/local/etc/openvpn/README	(revision 11543)
@@ -0,0 +1,4 @@
+Make sure to get the following files via the regular channels:
+ - ta.crt
+ - client.crt
+ - client.key
Index: branches/releng-9.0/nanobsd/files/usr/local/etc/openvpn/ca.crt
===================================================================
--- branches/releng-9.0/nanobsd/files/usr/local/etc/openvpn/ca.crt	(revision 11543)
+++ branches/releng-9.0/nanobsd/files/usr/local/etc/openvpn/ca.crt	(revision 11543)
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
Index: branches/releng-9.0/nanobsd/files/usr/local/etc/openvpn/client.conf
===================================================================
--- branches/releng-9.0/nanobsd/files/usr/local/etc/openvpn/client.conf	(revision 11480)
+++ branches/releng-9.0/nanobsd/files/usr/local/etc/openvpn/client.conf	(revision 11543)
@@ -10,5 +10,4 @@
 # file so it has a .ovpn extension           #
 ##############################################
-
 # Specify that we are a client and that we
 # will be pulling certain config file directives
@@ -21,6 +20,5 @@
 # unless you partially or fully disable
 # the firewall for the TUN/TAP interface.
-dev tap0
-;dev tun
+dev tun
 
 # Windows needs the TAP-Win32 adapter name
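Review bot: `dev tun` leaves the unit number to be picked at start-up, whereas the removed `dev tap0` named a fixed device. The comment just above notes that the firewall has to account for the TUN/TAP interface, and pf rules refer to interfaces by name, so a fixed `dev tun0` keeps the name predictable for pf.hybrid.conf. The switch from tap (layer 2) to tun (layer 3) also has to match the server's `dev` setting, which is not visible here.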
@@ -42,5 +40,5 @@
 ;remote my-server-1 1194
 ;remote my-server-2 1194
-remote openvpn.network.wirelessleiden.nl 1194
+remote openvpn.pool.wirelessleiden.nl. 1194
 
 # Choose a random host from the remote
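Review bot: With `remote` now pointing at a DNS pool name, which server the client reaches depends on name resolution, so the config should verify that the peer presents a server certificate. Whether `remote-cert-tls server` (or the older `ns-cert-type server`) is enabled cannot be seen from this hunk; if it is still commented out, a holder of any certificate signed by the same CA would be accepted as the server. The trailing dot makes the name fully qualified, which deserves a short comment such as `# trailing dot: fully qualified, skips the resolver search list`.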
@@ -106,5 +104,5 @@
 # If a tls-auth key is used on the server
 # then every client must also have the key.
-;tls-auth ta.key 1
+tls-auth /usr/local/etc/openvpn/ta.key 1
 
 # Select a cryptographic cipher.
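Review bot: This line loads `/usr/local/etc/openvpn/ta.key`, but the README added in the same commit tells the operator to fetch `ta.crt`. One of the two names is wrong, and the client will not start if the file named here is missing. If the path here is the intended one, the README entry should read ` - ta.key`. Since `ta.key` and `client.key` are secrets, the README could also say they must be readable by root only (for example mode 0600).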
@@ -132,2 +130,5 @@
 # Make sure to keep some traffic running, to keep the Firewall (NAT) state tables in between happy.
 keepalive 2 24
+
+# Keep trying
+resolv-retry infinite
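Review bot: The comment `# Keep trying` does not say what is being retried. Something like `# Retry resolving the remote hostname indefinitely instead of exiting, so a node that boots before its uplink is up still connects` documents the intent. The stock client sample usually carries its own `resolv-retry` line earlier in the file; if that line is still present here (not visible in the hunk), the option is now set twice and one of them should go.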
