On 2019-11-18, Dale C. <[email protected]> wrote: > "Since all traffic goes through the VPN, including traffic targeted at > localhost, it might be necessary to exclude this traffic from the > flows to ensure connections to services running locally (such as a > local resolver) reach the right target. This can be achieved by adding > a single line to /etc/ipsec.conf on the initiator: flow from > 127.0.0.1/32 to 127.0.0.1/32 type bypass" > > ^ I'm confused by this, i excluded this ipsec bypass and the rdr-to > rule in the responder pf conf.
On OpenBSD (and many other systems) IPsec works with "flows" which, for want of a better word, "steal" traffic so that it doesn't follow the routing table but instead matching traffic is diverted over the VPN. (This is the traditional way of handling IPsec; some systems also do "route based" IPsec which is a bit more straightforward for people who understand IP routing but that's not possible with OpenBSD without an additional tunnel interface). > I would've expected that to work with > DNS targeting localhost? I'm also not clear how `match out log on enc0 > inet all nat-to 10.0.5.2' behaves, is it akin to a "quick" directive? > Packets do not evaluate further rules because there are no more inet > packets after this? Does the position of this line in my initiator > pf.conf seem reasonable? I think perhaps it should go up... NAT rules take place *after* traffic has been selected by flows. (This is why there's a special "srcnat" config in iked.conf/ipsec.conf to handle this). For this simple case with 0.0.0.0/0 I don't think you'll need to touch that, just the "flow from 127.0.0.1/32 to 127.0.0.1/32 type bypass" in ipsec.conf should do the trick. (Yes, ipsec.conf, even though you're using iked! iked doesn't have a way to handle setting up bypass flows itself other than the built-in very annoying "block IPv6 by default" mode that is enabled by default, so you need to defer to ipsec.conf + ipsecctl for this). > I tried a config name-server directive on the initiator iked.conf, but "config name-server" is something that would go on the responder side, but it's pointless if the only clients are iked. > I should be able to > `ikectl couple/decouple' and just have it work right, so I'm looking > for a way to configure name-server in the iked.conf initiator ideally? I'd go for a local unbound or local unwind instance, listening for queries on localhost, configured to use a forwarder as appropriate, plus the bypass rule suggested in faq17.
