VPN through NAT - BSD


Thread: VPN through NAT

  1. VPN through NAT

    Hi!

    We are running an OpenBSD Firewall with NATing for quite a time successfully
    now. But recently someone wanted to make a VPN connection through the
    firewall to an outside VPN-Server, and well this doesn't work :-(

    Please note that the firewall itself is also a VPN server for
    users to connect into from outside, so "sysctl net.inet.gre.allow=0"
    might not be a good idea.

    (possibly) relevant data from /etc/pf.conf:
    -----------------------
    ext_if = [external interface]
    mit_if = [an internal interface]

    set skip on lo0 # Loopback interface is completely ignored
    set timeout { udp.first 300, udp.single 150, udp.multiple 900 }

    scrub in all

    # users from 172.17.19.0 to 172.17.19.128 get their own bitmask ip address
    nat on $ext_if from 172.17.19.0/25 to any -> [my IP address-pool]/25 bitmask static-port

    block all

    # quick-drop private networks on external interface... they should not happen
    block drop in quick on $ext_if from $priv_nets to any
    block drop out quick on $ext_if from any to $priv_nets

    # allow local tcp services (ssh)
    pass in on $ext_if inet proto tcp from any to $styx_ip port $local_tcp_services flags S/SA keep state
    pass in on $ext_if inet proto tcp from any to $ext_ip port $local_tcp_services flags S/SA keep state

    # allow pings
    pass in inet proto icmp all icmp-type $icmp_types keep state

    # allow internal traffic
    pass in on $mit_if from $mit_nets to any keep state

    # allow fw itself to access intern network
    pass out on $mit_if from any to $mit_if:network keep state

    # allow outside traffic
    pass out on $ext_if proto tcp all
    pass out on $ext_if proto { udp, icmp, gre, esp } all keep state

    # Totally allow gre, esp
    pass in quick proto { gre, esp } from any to any keep state
    pass out quick proto { gre, esp } from any to any keep state

    # some suggestion for VPNs I tried -> does not work
    pass in quick on $ext_if inet proto udp from any to any port = 500
    ---
    Oh yes, I'm running OpenBSD 3.9.

    Any help / hints are appreciated.
    Greetings.

  2. Re: VPN through NAT

    Axel Kittenberger wrote:
    > We are running an OpenBSD Firewall with NATing for quite a time successfully
    > now. But recently someone wanted to make a VPN connection through the
    > firewall to an outside VPN-Server, and well this doesn't work :-(
    >

    What sort of VPN server? My corpnet uses MS PPTP, and all I had to do
    was add

    pass out on $ext_if inet proto gre all keep state

    to the default 4.0 ruleset.

  3. Re: VPN through NAT

    > What sort of VPN server? My corpnet uses MS PPTP, and all I had to do
    > was add
    >
    > pass out on $ext_if inet proto gre all keep state
    >
    > to the default 4.0 ruleset.


    Yes PPTP VPN.

    Do you use NAT? Or just route through BSD?

    Maybe the problem is my bsd kernel has GRE enabled as well? (Since it
    runs itself a PPTP VPN Server also) (Yes I know pptp is bad, but at
    that time it was the easiest for the clients...)

    Greetings,

  4. Re: VPN through NAT

    Axel Kittenberger wrote:
    >> What sort of VPN server? My corpnet uses MS PPTP, and all I had to do
    >> was add
    >>
    >> pass out on $ext_if inet proto gre all keep state
    >>
    >> to the default 4.0 ruleset.

    >
    > Yes PPTP VPN.
    >
    > Do you use NAT? Or just route through BSD?
    >

    Yup. The BSD box has an IP, and NATs all traffic through the external
    interface.

    > Maybe the problem is my bsd kernel has GRE enabled as well? (Since it
    > runs itself a PPTP VPN Server also) (Yes I know pptp is bad, but at
    > that time it was the easiest for the clients...)
    >

    Perhaps -- not sure what you would have to do here, since GRE packets
    coming in would have to be filtered depending on if they were for an
    internal host or the local PPTP.

    If I remember correctly, redirecting and NAT takes place before
    filtering, so maybe a rule set could be created that takes advantage of
    that?

  5. Re: VPN through NAT [Solution]

    It works when

    either changing
    > nat on $ext_if from 172.17.19.0/25 to any -> [my IP address-pool]/25 bitmask static-port

    to
    binat on $ext_if from 172.17.19.0/25 to any -> [my IP address-pool]/25 bitmask static-port

    OR adding before the nat rule 2 redirects for port 1723 and GRE:
    rdr on $ext_if proto tcp from any to [my IP address-pool] port 1723 -> 172.17.19.0/25 port 1723 bitmask
    rdr on $ext_if proto gre from any to [my IP address-pool] -> 172.17.19.0/25 bitmask

    nat on $ext_if from 172.17.19.0/25 to any -> [my IP address-pool]/25 bitmask static-port

    I'm not really sure which is better, I went now for the second, since I
    want to obfuscate at least a bit internal port usage to the web....

    - Axel Kittenberger
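    As an added example (not from the thread), here is how the second solution fits together with a PPTP server running on the firewall itself, which is the filtering problem raised in reply 4: traffic to the firewall's own address still reaches the local daemon, while TCP/1723 and GRE arriving for a NAT pool address are redirected back to the client that owns it. The interface, `$ext_ip`, `$pool` and `$clients` values are assumed placeholders.

```pf
# Added example, not the poster's config: PPTP pass-through for NATed
# clients next to a PPTP server on the firewall. Addresses are assumptions.
ext_if  = "em0"
ext_ip  = "192.0.2.1"          # firewall's own address: local PPTP server
pool    = "192.0.2.128/25"     # public pool mapped 1:1 onto the client net
clients = "172.17.19.0/25"

set skip on lo0
scrub in all

# Translation rules run before filter rules and the first matching one
# wins, so both redirects must sit above the nat rule. The same bitmask
# mapping is used in each direction, so a reply to pool host .5 lands on
# client host .5.
rdr on $ext_if proto tcp from any to $pool port 1723 -> $clients port 1723 bitmask
rdr on $ext_if proto gre from any to $pool -> $clients bitmask

# Outbound: every client keeps its host bits; static-port leaves the
# source port unchanged so the PPTP control channel is not rewritten.
nat on $ext_if from $clients to any -> $pool bitmask static-port

block all

# Firewall's own PPTP server: only traffic addressed to $ext_ip, so GRE
# meant for a pool address is never mistaken for local traffic.
pass in on $ext_if inet proto tcp from any to $ext_ip port 1723 flags S/SA keep state
pass in on $ext_if inet proto gre from any to $ext_ip keep state

# Pass-through: the rdr has already rewritten the destination to a
# 172.17.19.x host, so the filter matches on the client net, not the pool.
pass in on $ext_if inet proto tcp from any to $clients port 1723 keep state
pass in on $ext_if inet proto gre from any to $clients keep state

# Clients initiating the VPN outward (seen post-nat with a pool source)
pass in  on $mit_if from $clients to any keep state
pass out on $ext_if inet proto { tcp, gre } from $pool to any keep state
```

    Load with `pfctl -f /etc/pf.conf`; `pfctl -s nat` should list the two rdr lines above the nat line, and `pfctl -s state` should show one gre state per connected client.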
