Deploying a FreeBSD OpenVPN Router with PF
FreeBSD 12.1
# pkg update
# pkg install openvpn screen bash tinyproxy tor curl
pf.conf:
# pf.conf for the VPN router: hn0 is the inside (LAN) interface, tun0 is the
# OpenVPN tunnel (matches ifconfig_hn0 / gateway_enable in rc.conf).
# pf evaluates rules top-down and the LAST matching rule wins (no active rule
# below uses "quick"), so the order of the block/pass rules is significant.
int="hn0"
tun="tun0"
# State options used by the SSH rule: only a bare SYN (no ACK/FIN/RST set) may
# create state, and "modulate state" randomizes initial sequence numbers.
tcp_state="flags S/SAFR modulate state"
# NOTE(review): $udp_state and $icmp_types are defined but not referenced by
# any active rule below.
udp_state="keep state"
icmp_types="icmp-type echoreq"
# Drop blocked packets silently rather than answering with RST / ICMP unreachable.
set block-policy drop
# timeout options
set optimization normal
set timeout { tcp.established 360, tcp.closing 60 }
set skip on lo0
# Source-NAT LAN traffic that leaves through the tunnel to tun0's own address;
# the parentheses make pf re-read the address whenever the tunnel comes up.
nat on $tun from $int:network to any -> ($tun:0)
# (Disabled: would redirect LAN DNS queries for other servers to this host.)
#rdr on $int proto { tcp udp } from $int:network to ! $int:0 port 53 -> $int:0
# Default deny for inbound traffic on every interface, logged via pflog
# (pflog_enable is set in rc.conf); everything this host sends out is allowed.
block in log all
pass out all keep state
# Both antispoof rules are disabled: packets arriving on $int with a non-LAN
# source, or on $tun claiming a LAN source, are not rejected by them.
#antispoof log quick for $int inet
#antispoof log quick for $tun inet
# ($ext is not defined anywhere in this file; this line is a leftover.)
#match out on $ext from $tun:network to any nat-to $ext:0
# Allow anything from the LAN in on hn0; this is the traffic that gets
# forwarded into the tunnel and NATed above.
# NOTE(review): nothing here depends on the tunnel being up — if tun0 is down,
# forwarded LAN traffic can still leave via hn0's default route (10.0.5.1 in
# rc.conf) rather than being dropped. Confirm that is acceptable, or add a
# kill-switch rule.
pass in on $int from $int:network
# SSH to the router's own hn0 address, accepted from any source seen on hn0
# (not only $int:network), with the stricter $tcp_state options.
pass in on $int inet proto tcp from any to $int:0 port 22 $tcp_state
#pass in on $tun from any to any
#pass from $tun:network to any keep state
rc.conf:
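# rc.conf for the "vpn" router: static address on hn0 (the LAN side),
# IP forwarding on, pf loaded from /etc/pf.conf, and unused services off.
ifconfig_hn0="inet 10.0.5.5 netmask 255.255.255.0"
defaultrouter="10.0.5.1"
hostname="vpn"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
# Forward packets between hn0 and the tunnel (turns on net.inet.ip.forwarding).
gateway_enable="YES"
pf_enable="YES"
pf_conf="/etc/pf.conf"
# Needed for the "block in log" rule in pf.conf to actually record anything.
pflog_enable="YES"
sendmail_enable="NO"
sendmail_msp_queue_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
# tinyproxy and tor are installed but stay disabled until they are configured.
# A duplicate tinyproxy_enable="" assignment was removed: rc.conf is sourced as
# a shell script, so the last assignment wins, and an empty value is neither
# YES nor NO — checkyesno may warn "not set properly" at boot instead of
# simply skipping the service.
tinyproxy_enable="NO"
tor_enable="NO"
# NOTE(review): openvpn_enable is not set here; presumably openvpn is started
# by hand (screen is among the installed packages) — confirm.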
Restart network:
# /etc/netstart
Reboot to activate pf (and the other rc.conf changes) if pf was not already running:
# shutdown -r now