Title: OpenVPN as the default gateway on OpenBSD
       Author: Solène
       Date: 27 October 2020
       Tags: openbsd openvpn
       Description: 
       
       If you plan to use an OpenVPN tunnel to reach your default gateway,
       which puts the tun interface in the `egress` group, how do you use
       `tun0` in your `pf.conf`, which is loaded before OpenVPN starts?
       
       Here are the few tips I use to solve the problems.
       
       
       ## Remove your current default gateway
       
       We don't want a default gateway on the system.  You need to know
       the remote address of the VPN server.
       
       If you have a `/etc/mygate` file, remove it.
       
       The `/etc/hostname.if` file (with `if` being your interface name,
       such as `em0`) should look like this:
       
           192.168.1.200
           up
           !route add -host A.B.C.D 192.168.1.254
       
       + The first line is the IP on my LAN.
       + The second line brings the interface up.
       + The third line means you want to reach `A.B.C.D` via `192.168.1.254`,
         with the IP `A.B.C.D` being the remote VPN server.
       
       
       ## Create the tun0 interface at boot
       
       Create a `/etc/hostname.tun0` file with only `up` as content.
       This creates `tun0` at boot and makes it available to `pf.conf`,
       which prevents pf from failing to load the configuration.
       
       You may think one could use "egress" instead of the interface name,
       but this is not allowed in queuing.
       
       
       ## Don't let OpenVPN manage the route
       
       Don't use `redirect-gateway def1 bypass-dhcp` in the OpenVPN
       configuration: it creates a route which is not `default`, so
       the `tun0` interface won't be in the `egress` group, which is not
       something we want.
       
       Add these two lines to your configuration file to execute
       a script once the tunnel is established, in which we will create
       the default route.
       
           script-security 2
           up /etc/openvpn/script_up.sh
       
       In `/etc/openvpn/script_up.sh` you simply have to write:
       
           #!/bin/sh
           /sbin/route add -net default X.Y.Z.A
       
       If you have IPv6 connectivity, you have to add this line:
       
           /sbin/route add -inet6 2000::/3 fe80::%tun0
       
       (not sure it's 100% correct for IPv6 but it works fine for me! If
       it's wrong, please tell me how to make it better).
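
A stricter variant of `script_up.sh`, as an added example that is not part of the original post. It assumes OpenVPN exports `dev`, `route_vpn_gateway` and `script_type` to the script and that `route_vpn_gateway` is the address written as `X.Y.Z.A` above; it validates both values before they reach `route(8)`, because `script-security 2` lets OpenVPN run this file with its own privileges.

```shell
#!/bin/sh
# Added example (not from the original post): a stricter script_up.sh.
# Assumption: OpenVPN exports $dev, $route_vpn_gateway and $script_type
# to the script, and the tunnel must be tun0 because pf.conf names it.

# Succeed only for a dotted quad whose four octets are each 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Validate what OpenVPN handed us before anything reaches route(8).
check_inputs() {
    ck_dev=$1
    ck_gw=$2
    if [ "$ck_dev" != tun0 ]; then
        echo "script_up: unexpected device '$ck_dev', pf.conf expects tun0" >&2
        return 1
    fi
    if ! is_ipv4 "$ck_gw"; then
        echo "script_up: refusing gateway '$ck_gw'" >&2
        return 1
    fi
}

main() {
    check_inputs "${dev:-}" "${route_vpn_gateway:-}" || exit 1
    /sbin/route add -net default "$route_vpn_gateway" || exit 1
}

# Only act when OpenVPN runs this file as its "up" script.
if [ "${script_type:-}" = up ]; then
    main
fi
```

Keep the script owned by root and not writable by anyone else, since whoever can edit it controls what runs when the tunnel comes up.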