Comments on Network Filter: BE YOUR OWN VPN PROVIDER WITH OPENBSD (v2)
Blog by Guillaume Kaddouch (blogger.com); comment feed retrieved 2024-03-09. Comments are listed newest first.

Guillaume Kaddouch (2018-05-24 20:13 +02:00):

Thanks for your comments! I'll look into the suggestions when I check that setup again, but I'm on something else now (it will be a future article in June or July ;-)

Thanks for the information that it is still OK for 6.3.

ssh (2018-05-24 15:58 +02:00):

Hi,

I think there are small fixes for your article:

$ doas mkdir -p /var/openvpn/{tmp,_public}

(the underscore in _public was highlighted in the original comment)

Also, I think that you have to set the owner as _openvpn for /var/openvpn/public/crl.pem.

Your howto works perfectly for 6.3. Thank you for your work!

Guillaume Kaddouch (2018-05-23 18:46 +02:00):

Hi Scott,

I have not tried with OpenBSD 6.3, but while minor adaptations are to be expected, I suppose it is still applicable.

Guillaume

Scott Wells (2018-05-23 15:32 +02:00):

Hi Guillaume... do you know if this is still applicable for OpenBSD 6.3?

Thanks
Scott

Guillaume Kaddouch (2018-05-22 19:19 +02:00):

Hi,

Thanks for your comments :) Yes, it is possible to write a pf.conf without relying on tags. Tags are easy to understand: 1) you tag traffic based on some criteria (this does not allow or drop any traffic); 2) you filter your traffic based on tags. For instance, instead of filtering from X IP with X protocol and X port toward X destination but not Y destination, you filter on the "LAN_OUT" tag. That is purely a personal preference, and is by no means the only way to filter. You can filter/NAT directly what is going out of the tun0 interface, if that is clearer to you.

Guillaume

Anonymous (2018-05-22 03:07 +02:00):

Hello,
Fantastic article and very detailed. I very much appreciate the input and your expertise.
I am having quite a bit of trouble with the firewall and wanted to learn more about how PF works. Could the "pf.conf" be written in such a way that it is rules-based only? I am getting confused by the "TAG" statements, especially how the NAT is working with "tun0" to allow VPN clients to connect to the internet. Many thanks

Anonymous (2018-02-26 04:05 +01:00):

This tutorial is exactly what I was looking for. It is incredibly detailed, but I can't quite get it to function correctly. Almost there, I hope. Regarding pf_show_tables.py, I had to follow Thomas's advice regarding line 85 and changed line 96 to "if count == max: sys.exit()". Don't listen to me though. Mine still doesn't work and I think I put this comment here for me, not for you.
Thank you!

Anonymous (2018-02-17 12:35 +01:00):

Awesome article, thanks for it!

Instead of using unbound with forward-addr to 127.0.0.1@, I create 2 loopback interfaces and set forward-addr to 127.0.0.[23].
I got some trouble with unbound because of DNSSEC, so I want to add the dnscrypt-proxy in the resolv.conf file.

It works! :)

So, what do you think about it?

After I disabled auto-trust-anchor-file: in the unbound conf, unbound worked great again.

Thank you again

What do you think about it?

Anonymous (2017-12-29 17:00 +01:00):

Hi, I just went through your tutorial and had some issues. In the end I could finish the installation and can connect via my iPhone. Could we somehow get in contact so I can give you some updated information for the tutorial based on OpenBSD 6.2? I really like your tutorial, very well written. Best, Alex

Joe Kings (2017-08-23 00:35 +02:00):

Thanks a lot for this. How can I remove dnscrypt-proxy servers that have gone bad?

Thomas (2017-08-17 18:07 +02:00):

Hi, and thanks for writing this post. It really inspired me to do some long overdue changes and updates for my OpenBSD box.

I did have an issue with pf_show_tables.py and one correction:

When I run the script, I get the following error:

Traceback (most recent call last):
  File "./pf_show_tables_orig.py", line 49, in <module>
    port = ip.split('.')[4]
IndexError: list index out of range

My python-foo is rather rusty, but maybe it has something to do with the IP not being formatted as expected? x.x.x.x:port and not x.x.x.x.port? I'm probably way off, but anyway, some hints or a fix would be much appreciated!

On line 85, you probably want a comment before 127.0.0.1 etc., because otherwise it results in a syntax error.

Thanks again!

Anonymous (2017-08-09 15:44 +02:00):

Awesome, thank U

Guillaume Kaddouch (2017-07-20 21:01 +02:00):

As OpenVPN is explained after IPsec, which uses more than one protocol (IKE/AH/ESP), this means that OpenVPN only uses TLS, which is the same protocol you use when accessing HTTPS websites.

Guillaume

Anonymous (2017-07-19 19:23 +02:00):

"OpenVPN is a SSL VPN and does not use a separate VPN protocol."

This is quite difficult to understand; perhaps you could rephrase it.
Thanks for the article.

Anonymous (2017-07-13 23:59 +02:00):

Thank you gentlemen; I realized my mistake and all is good now.

Guillaume, I'm wondering why you created the SSH keys on the server instead of the client side (i.e. just having the private key on the client machine); is it because you have a Windows client, or was there another reason?!

Nevertheless, I'm behind Dariusz in my setup and will get to the DNS setup this weekend; when I'm done, I'll leave a comment about my experience and whether I had issues with dnscrypt.

Thanks.

Guillaume Kaddouch (2017-07-13 21:15 +02:00):

Sometimes DNSCrypt servers are "up" (they answer pings) but do not reply to DNS queries any more. That's why I advise setting up at least two dnsproxy daemons; I even have 3 on my setup. Add more as shown in the article, and try again.

Also, what is your pf ruleset? If unbound is listening on 127.0.0.1:53 and is forwarding DNS requests to dnscrypt on 127.0.0.1:4040, then dnscrypt should be able to go out on UDP 443, if the firewall allows it.
Hence knowing your pf ruleset would be useful.

Alternatively, for debugging purposes, you can try with a basic pf ruleset:
pass all
match out on egress nat-to egress

Guillaume

Anonymous (2017-07-13 21:13 +02:00):

A strange thing happened - after I installed everything for the fourth time and it still didn't work, I decided to create a snapshot and then I restored the server from it. Now it works nicely, with two instances of dnscrypt_proxy. Instead of VPN, I'm using an SSH tunnel - only for viewing full content on Netflix. And here's my other challenge - would it be possible to set a rule in pf (on my home OpenBSD router) to redirect all traffic from one IP address (Chromecast device) to the tunnel which connects to my VPS?

Anonymous (2017-07-12 12:30 +02:00):

Hi,

Before writing my previous comment, I followed all steps three times: on my home OpenBSD router, on a Vultr VPS and on a VirtualBox VM.

And then I did it a fourth time on the Vultr VPS - I reinstalled the system, but this time without full-disk encryption, with default pf settings, one dnscrypt_proxy instance and with no Python scripts - to keep things simple.

I used port 4040 for dnscrypt_proxy; netstat shows it's listening. rcctl ls on shows both services are running, and the DNS server in Denmark is up (77.66.84.233). Previously I was using port 40 - the result was the same.

I don't get it. For a moment it worked - nslookup showed I was using 127.0.0.1 for name resolution, I could ping other hosts, but after I did rcctl stop unbound and rcctl start unbound (both with the message "unbound(ok)") it stopped working.

Here are my config files: https://pastebin.com/raw/iwL2DGWP

I'll be most obliged if you help me solve this mystery.

Guillaume Kaddouch (2017-07-11 21:11 +02:00):

Check that your ISO is dismounted; if not, the server will start again on the ISO automatically.

Guillaume

Guillaume Kaddouch (2017-07-11 21:08 +02:00):

You have to check step by step: did you miss any step provided? Are unbound and dnscrypt listening (netstat)? If yes, are the dnscrypt servers you chose down? Do your firewall rules allow outbound dnscrypt traffic? etc...
By checking all those points and with the help of tcpdump, you should be able to see what's wrong.

Guillaume

Anonymous (2017-07-11 09:19 +02:00):

Hey,

just go to the settings of your VPS and eject the ISO image.

Anonymous (2017-07-10 14:00 +02:00):

Unfortunately, the part with unbound and dnscrypt doesn't work for me. If I change the nameserver address in resolv.conf to 127.0.0.1, I can't resolve names. If I change back to my previous nameserver, it works, but it doesn't go through local unbound + dnscrypt. If you're willing to take a closer look at my case, I'll paste all config files here.

Anonymous (2017-07-10 05:49 +02:00):

This is indeed a detailed and great guide.
However, I've run into an issue and would appreciate some insight.
I used Vultr and a custom ISO, and went through the installation process, seemingly with no errors, but after rebooting, I'm back at the prompt for installation!
Do I need to mount sd1, or something?
Thanks in advance for any advice.

Anonymous (2017-05-29 15:57 +02:00):

Magic!

Guillaume Kaddouch (2017-05-10 22:09 +02:00):

Thanks for your comments, and glad you like this article :-)

Regards,
Guillaume