Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
75 lines (63 sloc) 3.47 KB
# "Being your own VPN provider with OpenBSD"
# Guillaume Kaddouch: http://networkfilter.blogspot.com/
# ruleset last modified: 2017 April 30 for OpenBSD 6.1
# VARIABLES, MACRO, AND TABLES
# ---------------------------------------------------------------------------------------
vpn="tun0"
vpn_ip="10.8.0.1"
all_networks="0.0.0.0/0"
private_networks="10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16"
ssh_port="21598" # just a random example, modify to match your chosen SSH port
vpn_port="21599" # just a random example, modify to match your chosen OpenVPN port
bad_ports="{ 1:66, 69:21597, 21600:65535 }" # adjust according to your SSH and VPN ports (+ DHCP)
table <internet> const { $all_networks, !self, !$private_networks }
table <myself> const { self }
table <bruteforce> persist
table <badguys> persist
# GLOBAL POLICY
# ---------------------------------------------------------------------------------------
set block-policy drop
set loginterface egress
set skip on {lo, enc0}
block log all
match in all scrub (no-df max-mss 1440 random-id)
block in log quick from <bruteforce> label "bruteforce"
block in log quick from <badguys> label "old_guys"
# DEFAULT TRAFFIC TAGGING
# --------------------------------------------------------------------------------
match in on egress proto tcp from <internet> to port $ssh_port tag SSH_IN
match in on egress proto { udp tcp } from <internet> to port $bad_ports tag BAD_GUYS
match in on egress proto udp to port $vpn_port tag VPN_EGRESS_IN
match in on $vpn proto { icmp udp tcp } tag VPN_TUN_IN
match in on $vpn proto { udp tcp } to $vpn_ip port domain tag VPN_DNS_IN
match out on egress tagged VPN_TUN_IN tag VPN_FORWARD
match out on egress proto tcp from <myself> to port { http https } tag HTTP_OUT
match out on egress proto { udp tcp } from <myself> to port domain tag DNS_OUT
match out on egress proto udp from <myself> to port https tag DNS_OUT
match out on egress proto udp from <myself> to port ntp tag NTP_OUT
match in on egress from { no-route urpf-failed } to any tag BAD_PACKET
match out on egress from any to no-route tag BAD_PACKET
match inet6 all tag IPV6
# POLICY ENFORCEMENT
# ---------------------------------------------------------------------------------------
match in tagged VPN_EGRESS_IN set tos lowdelay set prio 6
match out tagged VPN_FORWARD nat-to (egress) set prio 6
# Blocking spoofed or malformed packets, IPv6, and some bad traffic
antispoof log quick for egress label "antispoof"
block quick log tagged BAD_PACKET label "noroute_urpf"
block quick log tagged IPV6 label "ipv6"
block quick log tagged BAD_GUYS label "new_guy"
# Standard rules
pass in quick tagged SSH_IN synproxy state \
(max-src-conn 10, max-src-conn-rate 5/5, overload <bruteforce> flush global)
pass in quick tagged VPN_EGRESS_IN
pass in quick tagged VPN_TUN_IN
pass in quick inet tagged VPN_DNS_IN rdr-to 127.0.0.1 port domain
pass out quick tagged HTTP_OUT
pass out quick tagged DNS_OUT
pass out quick tagged VPN_FORWARD modulate state
pass out quick tagged NTP_OUT
#pass out quick
# no log for
block in quick proto udp from 0.0.0.0 port 68 to port 67
block in quick proto udp from 169.254.169.254 port 67 to 255.255.255.255 port 68