Closed jungle-boogie closed 5 years ago
By the way, I heard about your project here: https://lobste.rs/s/8mbbj5/dead_simple_vpn
Hi!
Better support for OpenBSD was added. The interface can now be found automatically, and IP addresses are assigned to the tunnel in server mode.
The only issue is for installing the NAT rules. Unless I missed something, pf doesn't allow adding new rules to an existing rule set. An entire pf.conf file must be loaded. And completely overwriting people's firewall rules is not great.
An alternative is to use anchors, but anchors also need to have been predefined in pf.conf before an application can use them.
So, OpenBSD can now be used as a server, but for NAT, a rule must explicitly be added to pf.conf:
pass out from 192.168.192.0/24 nat-to egress
(or whatever subnet is being used for the tunnel)
Actually, the client IP should be enough:
pass out from 192.168.192.1 nat-to egress
The command is now printed by the server. Not ideal, not zero-config, but hopefully still acceptable.
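The anchor alternative mentioned above, sketched as an added example that is not part of the original thread and is not dsvpn's own code. It assumes an anchor named `dsvpn` (a hypothetical name) that the administrator has declared once in pf.conf with the line `anchor "dsvpn"`; the helper function names are also illustrative.

```shell
#!/bin/sh
# Added example, not dsvpn code. Assumes pf.conf already contains the
# one-time line:   anchor "dsvpn"     (anchor name is an assumption)
ANCHOR="dsvpn"

# Accept only a dotted-quad IPv4 address with an optional /prefix, so that
# nothing else can end up inside a rule that is fed to pfctl as root.
valid_source() {
    addr=${1%%/*}
    case "$1" in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the validated address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Build the NAT rule from the thread for one tunnel address or subnet.
nat_rule() {
    valid_source "$1" || { echo "invalid source: $1" >&2; return 1; }
    printf 'pass out from %s nat-to egress\n' "$1"
}

# Replace the anchor's contents with the rule; the main ruleset in pf.conf
# is not reloaded. Pass -n as second argument to only parse, not load.
load_nat() {
    rule=$(nat_rule "$1") || return 1
    printf '%s\n' "$rule" | pfctl ${2:+"$2"} -a "$ANCHOR" -f -
}

# Flush the anchor's rules again when the tunnel goes down.
unload_nat() {
    pfctl -a "$ANCHOR" -F rules
}

# Show the rule that would be loaded for the client address from the thread.
nat_rule 192.168.192.1
```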
Thank you! I think printing to the terminal is a good idea.
Hello @jedisct1,
Thanks for spending your weekend writing dsvpn. No doubt that your efforts will help many people with their VPN needs.
I'm really happy to see that your README mentions using dsvpn on OpenBSD - my preferred operating system. It was a big surprise to say the least.
I was wondering if you would consider writing code for dsvpn to run on OpenBSD as a server. Everybody knows about WireGuard and its userspace implementation using golang, but that won't work on arm64 devices, like the nanopi, pine64, raspberry pi - at least on OpenBSD. Yes, there is iked in base but that is UDP, which is why you wrote dsvpn in the first place.
Thanks for any consideration!
Best, j.b.