
Openvpn & PF issues

strycer

n00b
Joined
Jun 1, 2003
Messages
49
I'm having some issues with my openbsd openvpn server. My locally attached clients can browse the internet and do what I expect them to be able to do; however, my vpn clients can connect to the openvpn but not much else. The vpn clients can ping locally attached computers through the vpn. Most other traffic doesn't go through (such as VNC or HTTP), but somehow RDP works.

My local subnet is 10.7.30.0/24 and the vpn's subnet is 10.7.28.0/24. Anyone have an idea what my pf.conf is missing or shouldn't have?

My openvpn.conf:
daemon openvpn
#chroot /usr/local/openvpn-2.0/jail

port 443
proto tcp-server
dev tun1
server 10.7.28.0 255.255.255.0
tls-server
dh /etc/ssl/dh2048.pem
ca /etc/ssl/CA_cert.pem
cert /etc/ssl/certs/Cserv.pem
key /etc/ssl/keys/Kserv.pem
crl-verify /etc/ssl/crl/crl.pem

#mtu-test
#for UDP only
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

keepalive 15 120
user nobody
group nobody
persist-key
persist-tun

push "route 10.7.30.0 255.255.255.0"
#push "dhcp-option DOMAIN domain.net"
#dns domain suffix
#push "dhcp-option DNS x.x.x.x"
#push "dhcp-option WINS x.x.x.x"

#push "redirect-gateway"
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log

tls-auth /etc/ssl/ta.key 0
comp-lzo
verb 4
mute 20


My pf.conf:
# Block those DDOS people
set limit { states 20000, frags 20000 }

# Optimize those packets!
set optimization aggressive

# Ha you know you were blocked!
set block-policy return

ext_if = "ne3"
int_if = "fxp0"
vpn_if = "tun1"

# Apparently this helps with something way above my head
TCP_OPTIONS = "flags S/SAFRUP keep state"

# List of private nets
# http://www.iana.org/assignments/ipv4-address-space
# http://rfc.net/rfc1918.html
reserved = " {
0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8,
169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16,
224.0.0.0/3, 255.255.255.255 } "
#reserved = " { 169.254.0.0/16} "

# Things opened to server
tcp_services = "{ 22, 443,1723 }"

# Linboxen stuff i open in/out
linboxen = "10.7.30.100"

# We are going to block ssh people trying to hack in
table <sshscan> persist

# There is a rule if you want to set what internal network has access to
allowed_outgoing = "{ ssh, smtp, finger, http, https, pop3, nntp, cvspserver,
5190, 6667 , 7070, 11371 }"

####
# scrub rules.
#

# scrub in all # borks with linux nfs
scrub in on $ext_if all # so we do it only on ext_if
scrub in on $int_if all no-df # but no-df fixes it again :)
scrub in on $vpn_if all no-df

####
# Nat rules
#

nat on $ext_if inet from $int_if/24 to any -> ($ext_if)

# Let ssh go to linboxen if connect is on 2222
#rdr on $ext_if inet proto tcp from any to ($ext_if) port 2222 -> $linboxen port ssh
rdr on $ext_if inet proto tcp from any to ($ext_if) port 3724 -> 10.7.30.100 port 3724
rdr on $ext_if inet proto tcp from any to ($ext_if) port 6112 -> 10.7.30.100 port 6112

# FTP Proxy
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr on $vpn_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

####
# pf rules
#

# remove the log-keyword if im getting ganked by crackers ddossed.
block out log on $ext_if all
block in log on $ext_if all

# Try a fake return scan on me....HA!
block return-rst out on $ext_if proto tcp all
block return-rst in on $ext_if proto tcp all
block return-icmp out on $ext_if proto udp all
block return-icmp in on $ext_if proto udp all

# screw with nmap
block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF

# silently drop broadcasts (cable modem noise)
block in quick on $ext_if from any to 255.255.255.255

# Lame people get blocked here
block in log quick on $ext_if from 219.239.88.152

####
# ALIENS/SPOOFERS
#

# These guys must be spoofing.
block in quick on $ext_if from $reserved to any
block out quick on $ext_if from $reserved to any

# antispoof _has_ to be preceded with pass in quick on lo0 all.
pass in quick on lo0 all
#antispoof for { lo0, $int_if, $ext_if, $vpn_if }
antispoof for { lo0, $ext_if }
####
# ICMP
#

# Only let ping in and out
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

####
# UDP
#

# outgoing UDP
pass out quick on $ext_if proto udp all keep state

# incoming UDP

####
# TCP
#
# TEST
#pass out quick on $int_if inet proto tcp from $vpn_if to any
#pass out quick on $vpn_if inet proto tcp from $int_if to any
#pass in quick on $int_if inet proto tcp from $vpn_if to any
#pass in quick on $vpn_if inet proto tcp from $int_if to any
pass out on $int_if from $int_if to 10.7.28.0/24 keep state

####
# Outgoing TCP

# This is easy: pass out all TCP connections. I think I can trust the inside network :)
pass out quick on $ext_if proto tcp all keep state queue std_out

# This is much more secure. Exploits like with bind/irssi configure
# scripts wont work any more. But it's more work.
# Protocols allowed to get out.
# pass out quick on $ext_if inet proto tcp from $ext_if to \
# any port $allowed_outgoing keep state

# # FTP proxy to allow passive connections to go out:
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port ftp $TCP_OPTIONS
pass out quick on $ext_if inet proto tcp from ($ext_if) to any user proxy $TCP_OPTIONS

# # FTP Proxy to allow active connections to get in:
pass in quick on $ext_if inet proto tcp from any to ($ext_if) user proxy $TCP_OPTIONS

####
# Incoming TCP

# This is the list with specific services that are allowed on my
# machines.
#pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $server $TCP_OPTIONS

# to the server!
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# Block script kiddies trying to get in on ssh
block in log quick on $ext_if proto tcp from <sshscan> to any port 22
 
well i don't have the time to pore over that right at the moment. but i will say this- your stuff looks pretty good, but not quite the way i would do it.

1) your initial block rules should just be block all coming in and block all going out. do not specify an interface like that. just block all packets coming in or going out of any interface.

2) do not trust anything. this INCLUDES the local network. only open channels for specific things you know you want to allow- both incoming and outgoing.

3) i don't see much in the way of incoming allowed connections. this is probably why your vpn does not work.

in order to solve this you are most likely going to need to do a couple of things:
1) run the pf command that shows stats. if you reload your rules it will clear the counters so reload. then connect to the vpn, try to get to the local resources you want, then run the pf command to see stats. see which rules are coming up as blocking pkts.

2) do the same thing, but run tcpdump on both the vpn and the lan interface. see if pkts are showing up on one, but not the other. then you know they're getting blocked in the middle there. if they show up coming in the vpn interface, AND going out the lan interface, but the responses never appear you know you have a problem with the return rules. usually modulate state is an easy way to fix that.

i think the main thing though is to add macros for your subnets you are using. then add a couple rules similar to this:
vpn_net = "10.7.28.0/24"    # openvpn server subnet
lan_net = "10.7.30.0/24"    # local subnet behind $int_if
pass in on $vpn_if from $vpn_net to $lan_net modulate state
pass out on $int_if from $vpn_net to $lan_net modulate state

also, you might want to try this over at www.bsdforums.org.

cheers,
big boi
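The counter-inspection step in the reply above (look at which rules are eating packets while the VPN client tries to reach the LAN), as an added example that is not from this thread and not part of pf or OpenVPN: a small Python script that reads two `pfctl -vsr` snapshots, one taken before and one after reproducing the problem, diffs the per-rule packet counters and lists the block rules that matched. Diffing snapshots means you do not have to reload the ruleset just to zero the counters. The sample snapshots, rule text and numbers below are constructed for illustration, not captured from the poster's box, and the parser assumes the OpenBSD counter-line layout `[ Evaluations: N Packets: N Bytes: N States: N ]` under each rule.

```python
"""Find which pf rules are dropping packets during a VPN test.

Added example (not from the thread): take a `pfctl -vsr` snapshot before and
after reproducing the problem, diff the per-rule packet counters, and list the
block rules that matched. Diffing snapshots avoids reloading the ruleset just to
zero the counters.
"""
import re
import sys
from typing import Dict, List, Optional

# Constructed sample snapshots in the OpenBSD `pfctl -vsr` layout, where each
# rule line is followed by a bracketed counter line. The rules and numbers are
# made up for illustration and are not from the poster's machine.
SNAPSHOT_BEFORE = """\
block return in log on ne3 all
  [ Evaluations: 100       Packets: 4         Bytes: 320         States: 0     ]
block return in quick on tun1 inet proto tcp from 10.7.28.0/24 to 10.7.30.0/24 port = 5900
  [ Evaluations: 10        Packets: 0         Bytes: 0           States: 0     ]
pass in quick on lo0 all
  [ Evaluations: 100       Packets: 60        Bytes: 4800        States: 0     ]
pass out on fxp0 inet from 10.7.30.0/24 to 10.7.28.0/24 keep state
  [ Evaluations: 50        Packets: 8         Bytes: 640         States: 1     ]
"""

SNAPSHOT_AFTER = """\
block return in log on ne3 all
  [ Evaluations: 140       Packets: 4         Bytes: 320         States: 0     ]
block return in quick on tun1 inet proto tcp from 10.7.28.0/24 to 10.7.30.0/24 port = 5900
  [ Evaluations: 40        Packets: 23        Bytes: 1380        States: 0     ]
pass in quick on lo0 all
  [ Evaluations: 140       Packets: 100       Bytes: 8000        States: 0     ]
pass out on fxp0 inet from 10.7.30.0/24 to 10.7.28.0/24 keep state
  [ Evaluations: 80        Packets: 20        Bytes: 1600        States: 2     ]
"""

# A rule line starts with its action; the counter line that follows is bracketed.
RULE_RE = re.compile(r"^(block|pass|match)\b")
COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)


def parse_pfctl_vsr(text: str) -> List[Dict]:
    """Turn `pfctl -vsr` output into dicts of rule text plus its four counters."""
    rules: List[Dict] = []
    for line in text.splitlines():
        stripped = line.strip()
        if RULE_RE.match(stripped):
            rules.append({"rule": stripped, "action": stripped.split()[0],
                          "evaluations": 0, "packets": 0, "bytes": 0, "states": 0})
            continue
        m = COUNTER_RE.search(stripped)
        if m and rules:  # the counter line belongs to the rule printed just above it
            ev, pk, by, st = (int(x) for x in m.groups())
            rules[-1].update(evaluations=ev, packets=pk, bytes=by, states=st)
    return rules


def counter_delta(before: str, after: str) -> List[Dict]:
    """Per-rule packet counts that accrued between the two snapshots."""
    b_rules, a_rules = parse_pfctl_vsr(before), parse_pfctl_vsr(after)
    if [r["rule"] for r in b_rules] != [r["rule"] for r in a_rules]:
        raise ValueError("ruleset changed between snapshots; take both from the same load")
    return [{"rule": a["rule"], "action": a["action"], "packets": a["packets"] - b["packets"]}
            for a, b in zip(a_rules, b_rules)]


def suspect_blocks(delta: List[Dict], subnet: Optional[str] = None) -> List[Dict]:
    """Block rules that matched packets in the test window; optionally only those
    whose text mentions the subnet under test (e.g. the VPN net)."""
    return [d for d in delta
            if d["action"] == "block" and d["packets"] > 0
            and (subnet is None or subnet in d["rule"])]


if __name__ == "__main__":
    # Usage: pfctl -vsr > before.txt; reproduce the failure; pfctl -vsr > after.txt;
    #        python3 pfdelta.py before.txt after.txt
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            before, after = f1.read(), f2.read()
    else:
        before, after = SNAPSHOT_BEFORE, SNAPSHOT_AFTER
    for hit in suspect_blocks(counter_delta(before, after)):
        print(f"{hit['packets']:6d} pkts  {hit['rule']}")
```

Run it without the subnet filter first: a catch-all rule such as `block in log on $ext_if all` never names the VPN subnet, so filtering on `10.7.28.0/24` would hide it even when it is the rule doing the dropping. The filter is only useful once you know the drop is on a rule that spells out the nets.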
 