If you plan to use an OpenVPN tunnel to reach your default gateway,
which would make the tun interface in the
egress group, and use
tun0 in your
pf.conf which is loaded before OpenVPN starts?
Here are the few tips I use to solve the problems.
Remove your current default gateway
We don’t want a default gateway on the system. You need to know the remote address of the VPN server.
If you have a
/etc/mygate file, remove it.
/etc/hostname.if file (with if being your interface name,
like em0 for example), should look like this:
192.168.1.200 up !route add -host A.B.C.D 192.168.1.254
- First line is the IP on my lan
- Second line is to make the interface up.
- Third line is to tell I want to reach
A.B.C.Dbeing the remote VPN server.
Create the tun0 interface at boot
/etc/hostname.tun0 file with only
up as content,
that will create
tun0 at boot and make it available to
and you prevent it from loading the configuration.
You may think one could use “egress” instead of the interface name, but this is not allowed in queuing.
Don’t let OpenVPN manage the route
redirect-gateway def1 bypass-dhcp from the OpenVPN
configuration, this will create a route which is not
so the tun0 interface won’t be in the egress group, which is not
something we want.
Add those two lines in your configuration file, to execute a script once the tunnel is established, in which we will make the default route.
script-security 2 up /etc/openvpn/script_up.sh
/etc/openvpn/script_up.sh you simply have to write
#!/bin/sh /sbin/route add -net default X.Y.Z.A
If you have IPv6 connectivity, you have to add this line:
/sbin/route add -inet6 2000::/3 fe80::%tun0
(not sure it’s 100% correct for IPv6 but it works fine for me! If it’s wrong, please tell me how to make it better).