Re: securing OpenBSD wireless network

To: openbsd-misc <misc@...>
Cc: Juan Miscaro <scry_mr@...>
Date: Friday, November 16, 2007 - 8:35 pm

On Nov 16, 2007 2:39 PM, Juan Miscaro <scry_mr@yahoo.ca> wrote:

I combined authpf with OpenVPN, using some big hints from some easily
google-able places.  Even though WEP and WPA aren't supported by
OpenBSD, I still wanted to have authenticated and encrypted traffic.
This might be overkill for some but it works for me.

After setting up the wireless interface to dhcpd a private netblock, I
locked it down with pf:
block in on $wlan_if
pass in on $wlan_if proto udp to port { bootps, bootpc }
pass in on $wlan_if proto udp to ($wlan_if:0) port domain
pass in on $wlan_if proto tcp to ($wlan_if:0) port ssh

Then I set up authpf to allow authenticated users the ability to
connect to the VPN:
pass in on $wlan_if proto udp from <authpf_users> to ($wlan_if:0) port 1194

Next I configured OpenVPN in routed mode.  It hands out IPs from yet
another private netblock I have permanently attached to lo1.

Finally, I treat the tun0 interface like a semi-trusted wired
interface in pf and apply my standard list of allowable client
applications:
client_if = "{ sk0, tun0 }"
pass in on $client_if proto udp to port $udp_client_ports
pass in on $client_if proto tcp to port $tcp_client_ports

This obviously isn't my full pf.conf, and care must be taken because
the rules are highly dependent on order.  My initial setup took nearly
a full day to configure and troubleshoot, since I had to get pf,
authpf, dhcpd, named, and OpenVPN to all cooperate.  I found that
selectively allowing and denying ICMP was of great assistance while
testing pf rules and tcpdump to be essential when I had other services
misconfigured.

Windows and OS X OpenVPN clients are readily available and
configuration is easy if you understood what you were doing when
setting up the OpenVPN server.

Although I feel like I've got a good handle on all the interactions
here, I'm no professional and if there are any gaping holes in this
setup, I am eager to hear about them.  I plan to investigate IPSEC in
the near future, which may be an alternative.

--david
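For readers who want to see the pieces above in one place, the following is an added example, not David's own pf.conf and not anything from the thread. It stitches his fragments into a single ordered ruleset and adds the two authpf pieces his excerpt does not show (the <authpf_users> table definition and the authpf anchor). Interface names (fxp0, ath0, sk0), the two private netblocks, the $udp_client_ports/$tcp_client_ports lists and the default-stateful "pass" behaviour of OpenBSD 4.1 and later are all assumptions.

```pf
# Added example, not the poster's pf.conf.  Interface names, netblocks and
# port lists are assumed; adjust to the real machine before loading.
ext_if           = "fxp0"              # assumed upstream interface
wlan_if          = "ath0"              # assumed wireless NIC in hostap mode
client_if        = "{ sk0, tun0 }"     # wired LAN plus the OpenVPN tunnel
wlan_net         = "192.168.10.0/24"   # assumed dhcpd pool handed out on $wlan_if
vpn_net          = "10.8.0.0/24"       # assumed OpenVPN pool, addressed on lo1
udp_client_ports = "{ domain, ntp }"            # assumed
tcp_client_ports = "{ ssh, domain, http, https }" # assumed

# authpf(8) adds the source address of every authenticated session to this
# table and removes it when the session ends.  "persist" keeps the table
# defined while it is empty.
table <authpf_users> persist

set skip on lo

# Default deny on the raw wireless segment.  pf is last-match, so every
# later "pass" that names the same traffic wins over this "block"; moving a
# rule changes the policy.  Logging the drops is what makes tcpdump on pflog0
# useful while debugging.
block in log on $wlan_if

# Before authentication a wireless client may only get a lease, resolve names
# against this box, and ssh to this box (ssh is how authpf is reached).
pass in on $wlan_if proto udp from any to any port { bootps, bootpc }
pass in on $wlan_if proto udp from $wlan_net to ($wlan_if:0) port domain
pass in on $wlan_if proto tcp from $wlan_net to ($wlan_if:0) port ssh

# After authentication the client may additionally reach the OpenVPN
# listener.  Nothing else is opened on the wireless segment itself.
pass in on $wlan_if proto udp from <authpf_users> to ($wlan_if:0) port 1194

# Per-user rules from /etc/authpf/authpf.rules are loaded here.  Without this
# anchor the rules authpf generates for a session have no effect.
anchor "authpf/*"

# Traffic arriving through the tunnel (tun0) is treated like the wired LAN
# (sk0): one whitelist of client services for both.
pass in on $client_if proto udp from any to any port $udp_client_ports
pass in on $client_if proto tcp from any to any port $tcp_client_ports

# Outbound from the firewall itself is left unrestricted in this example.
pass out on { $ext_if, $wlan_if, $client_if }
```

Load it with `pfctl -nf /etc/pf.conf` first; `-n` parses without installing, which catches the ordering and macro mistakes the post mentions before they lock you out of the box. While a user is logged in, `pfctl -t authpf_users -T show` lists the addresses that currently pass the port 1194 rule, and `pfctl -a "authpf/*" -sr` shows the per-user rules authpf has inserted.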

Messages in current thread:
securing OpenBSD wireless network, Juan Miscaro, (Fri Nov 16, 3:39 pm)
Re: securing OpenBSD wireless network, David Higgs, (Fri Nov 16, 8:35 pm)
Re: securing OpenBSD wireless network, Lars Hansson, (Sun Nov 18, 10:19 pm)
Re: securing OpenBSD wireless network, Clint Pachl, (Mon Nov 19, 1:51 am)
Re: securing OpenBSD wireless network, Lars Hansson, (Mon Nov 19, 8:40 am)
Re: securing OpenBSD wireless network, Tor Houghton, (Mon Nov 19, 7:18 am)
Re: securing OpenBSD wireless network, David Newman, (Mon Nov 19, 11:59 am)
Re: securing OpenBSD wireless network, Tor Houghton, (Mon Nov 19, 5:23 pm)
Re: securing OpenBSD wireless network , Marco S Hyman, (Mon Nov 19, 5:44 pm)
Re: securing OpenBSD wireless network, Peter N. M. Hansteen, (Mon Nov 19, 5:57 pm)
Re: securing OpenBSD wireless network, Tonnerre LOMBARD, (Mon Nov 19, 12:16 pm)
Re: securing OpenBSD wireless network, David Newman, (Mon Nov 19, 6:20 pm)
Re: securing OpenBSD wireless network, Tonnerre LOMBARD, (Mon Nov 19, 6:36 pm)
Re: securing OpenBSD wireless network, David Newman, (Mon Nov 19, 7:08 pm)
Re: securing OpenBSD wireless network, Jairo Souto, (Thu Nov 22, 4:56 pm)
Re: securing OpenBSD wireless network, Marc Balmer, (Mon Nov 19, 1:32 pm)