Title : OpenVPN as the default gateway on OpenBSD Author: Solène Date : 27 October 2020 Tags : openbsd68 openbsd openvpn If you plan to use an OpenVPN tunnel to reach your default gateway, which would make the tun interface in the `egress` group, and use `tun0` in your `pf.conf` which is loaded before OpenVPN starts? Here are the few tips I use to solve the problems. ## Remove your current default gateway We don't want a default gateway on the system. You need to know the remote address of the VPN server. If you have a `/etc/mygate` file, remove it. The `/etc/hostname.if` file (with if being your interface name, like em0 for example), should look like this: 192.168.1.200 up !route add -host A.B.C.D 192.168.1.254 + First line is the IP on my lan + Second line is to make the interface up. + Third line is means you want to reach `A.B.C.D` via `192.168.1.254`, with the IP `A.B.C.D` being the remote VPN server. ## Create the tun0 interface at boot Create a `/etc/hostname.tun0` file with only `up` as content, that will create `tun0` at boot and make it available to `pf.conf` and you prevent it from loading the configuration. You may think one could use "egress" instead of the interface name, but this is not allowed in queuing. ## Don't let OpenVPN manage the route Don't use `redirect-gateway def1 bypass-dhcp` from the OpenVPN configuration, this will create a route which is not `default` and so the tun0 interface won't be in the egress group, which is not something we want. Add those two lines in your configuration file, to execute a script once the tunnel is established, in which we will make the default route. script-security 2 up /etc/openvpn/script_up.sh In `/etc/openvpn/script_up.sh` you simply have to write #!/bin/sh /sbin/route add -net default X.Y.Z.A If you have IPv6 connectivity, you have to add this line: /sbin/route add -inet6 2000::/3 fe80::%tun0 (not sure it's 100% correct for IPv6 but it works fine for me! If it's wrong, please tell me how to make it better).