OS X OpenVPN packet filtering

0

I currently have an OpenVPN connection running on my Mac. By default, all of my network traffic is currently being routed through this connection: http, ssh, etc. I'm attempting to use packet filtering configurations to make certain traffic go through my standard 'public' connection, but I can't seem to get this to work. I may be configuring it incorrectly, but below is what I have. I don't receive an error from pfctl about my config, but if I curl http://ipecho.net/plain, it displays the VPN IP instead of my public IP.

Note: my public interface is an ethernet connection (en0) and from what I can tell, utun0 is my OpenVPN connection listed in ifconfig.

    pass out on en0 proto tcp from en0 to any port 80 flags S/SA keep state

Same with SSH.

    pass out on en0 proto tcp from en0 to any port 22 flags S/SA keep state

I should mention that I do not manage the OpenVPN server.

alex-phillips

Posted 2015-07-06T17:10:11.057

Reputation: 101

The fact that you do not manage the OpenVPN server is irrelevant to my answer: the four lines to be added must be added to the client conf file, not the server conf file. – MariusMatutiae – 2015-07-06T17:51:59.100

D'oh, my bad. Will give that a try. Thanks! – alex-phillips – 2015-07-06T17:57:36.953

Answers

0

I presume that what you use OpenVPN for, then, is just to gain access to your home LAN. If this is indeed the case, there are several options to override the usual

    push "redirect-gateway def1"

setting in the server.conf. You find them described on this OpenVPN Wiki page, the simplest one of them all is to add these four lines to your client config file:

    route 0.0.0.0 192.0.0.0 net_gateway
    route 64.0.0.0 192.0.0.0 net_gateway
    route 128.0.0.0 192.0.0.0 net_gateway
    route 192.0.0.0 192.0.0.0 net_gateway

The Wiki states explicitly:

Note that net_gateway is an internal variable to openvpn and does not need to be changed to anything

and, even more reassuringly, says that these four lines will work ...

If you do not know if your server uses def1 and do not want to check the logs to figure it out, just assume they DO use def1 and use the 4 routes. That will work no matter what.

MariusMatutiae

Posted 2015-07-06T17:10:11.057

Reputation: 41 321
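As an added illustration (not part of the answer above), this Python model shows why those four lines work: "redirect-gateway def1" installs two /1 routes via the tunnel, the four client lines add /2 routes via the normal gateway, and longest-prefix matching therefore sends everything except the tunnel subnet out the public interface. The tunnel subnet 10.8.0.0/24 and the lookup address 203.0.113.10 are constructed placeholders.

```python
import ipaddress

# The four lines from the answer, embedded here as constructed sample input.
CLIENT_CONF = """\
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway
"""
# What "redirect-gateway def1" pushes: two /1 routes via the VPN gateway.
DEF1_ROUTES = ["0.0.0.0/1", "128.0.0.0/1"]


def parse_routes(conf):
    """Turn 'route <net> <mask> <gw>' lines into (network, gateway) tuples.
    ipaddress accepts a dotted mask, so 192.0.0.0 becomes a /2."""
    routes = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "route":
            routes.append((ipaddress.ip_network(f"{parts[1]}/{parts[2]}"), parts[3]))
    return routes


def covers_all_ipv4(routes):
    """True when the parsed networks merge back into 0.0.0.0/0 (no gaps)."""
    merged = list(ipaddress.collapse_addresses(net for net, _ in routes))
    return merged == [ipaddress.ip_network("0.0.0.0/0")]


def build_table(def1=True, override=True, vpn_subnet="10.8.0.0/24"):
    """Toy routing table. vpn_subnet is an assumed placeholder for the tunnel
    network the server pushes; it keeps its own route via the tunnel."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), "net_gateway"),  # original default
             (ipaddress.ip_network(vpn_subnet), "vpn_gateway")]
    if def1:
        table += [(ipaddress.ip_network(n), "vpn_gateway") for n in DEF1_ROUTES]
    if override:
        table += parse_routes(CLIENT_CONF)
    return table


def lookup(table, addr):
    """Longest-prefix match, as the kernel does; returns the chosen gateway."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, gw) for net, gw in table if ip in net]
    return max(matches)[1]
```

The same model explains the answer's remark that the four routes "work no matter what": without def1 the /2 routes simply duplicate the existing default, and with def1 they are still more specific than the tunnel's /1 routes.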

Sorry, I should have mentioned that this isn't an OpenVPN server I manage. Unless there's a way in the client config to determine which traffic is routed, but there isn't much in my client config. – alex-phillips – 2015-07-06T17:45:03.157

It worked, I will flag the answer as correct. But could you give me any insight on how to send a specific port traffic or protocol through the VPN after that config has been changed? Would that be something for packet filtering? – alex-phillips – 2015-07-06T18:22:37.637

Unfortunately, this cannot be done in Unix. It can be done only in Linux, thanks to two functionalities (source routing and network namespaces) which have no analogue in Unix nor Windows kernels. Packet filtering is, for instance for sending all packets coming into a specific port to a given address, not to be routed through it. The best you can do is to setup a Virtual Machine which you can then route (or not) through the VPN. You can then keep the host not routed through the OpenVPN, and the guest routed through the VPN (or vice versa), and start apps according to routing needs. – MariusMatutiae – 2015-07-06T19:04:42.763