Title : OpenVPN as the default gateway on OpenBSD
Author: Solène
Date  : 27 October 2020
Tags  : openbsd68 openbsd openvpn

If you plan to use an OpenVPN tunnel as your default gateway, you run
into two problems: the `tun` interface only joins the `egress` group
once it carries the default route, and `pf.conf`, which is loaded
before OpenVPN starts, wants to reference `tun0` (for queueing in
particular) while the interface does not exist yet.

Here are the few tips I use to solve these problems.

## Remove your current default gateway

We don't want a default gateway configured on the system: OpenVPN
will install it once the tunnel is up.  The only route to the outside
you need beforehand is a host route to the VPN server, so you need to
know its remote address.

If you have a `/etc/mygate` file, remove it.

The `/etc/hostname.if` file (where `if` is your interface name,
`em0` for example) should look like this:

    !route add -host A.B.C.D

+ The first line is the IP on my LAN.
+ The second line brings the interface up.
+ The third line adds a host route to `A.B.C.D`, the remote VPN
  server, via your LAN router, so the encrypted tunnel traffic itself
  can leave the machine without a default route.

## Create the tun0 interface at boot

Create a `/etc/hostname.tun0` file with only `up` as content.  This
creates `tun0` at boot, before `pf.conf` is loaded, so the rules (and
queues) can reference the interface and `pfctl` does not fail to load
the configuration because the interface is missing.

You may think one could use "egress" instead of the interface name,
but this is not allowed in queuing.

## Don't let OpenVPN manage the route

Don't use `redirect-gateway def1 bypass-dhcp` in the OpenVPN
configuration: `def1` installs two routes, `0.0.0.0/1` and
`128.0.0.0/1`, which take precedence over the default route without
being one, so `tun0` would never join the `egress` group.  Make sure
the server does not push it either; if it does, ignore the pushed
option on the client with `pull-filter ignore "redirect-gateway"`.

Add those two lines in your configuration file, to execute
a script once the tunnel is established, in which we will make
the default route.

    script-security 2
    up /etc/openvpn/script_up.sh

In `/etc/openvpn/script_up.sh` (make it executable and start it with
`#!/bin/sh`) you simply have to write

    /sbin/route add -net default X.Y.Z.A

where `X.Y.Z.A` is the address on the VPN side of the tunnel, the
gateway OpenVPN would itself have used for `redirect-gateway`.

If you have IPv6 connectivity, you have to add this line:

    /sbin/route add -inet6 2000::/3 fe80::%tun0

(not sure it's 100% correct for IPv6 but it works fine for me! If
it's wrong, please tell me how to make it better).
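Putting the three pieces above together (run a script on `up`, add the
IPv4 default route, add the IPv6 route), here is an added example of a
complete `script_up.sh`.  It is not the script from the post: instead of
hard-coding `X.Y.Z.A` it reads the tunnel parameters OpenVPN exports to
`--up` scripts (`dev`, `route_vpn_gateway`, `ifconfig_remote`,
`ifconfig_ipv6_remote`, `script_type`; see openvpn(8), "Environmental
Variables"), and with `DRY_RUN=1` it prints the route commands instead
of executing them so you can review them before trusting the script
with the routing table.  The interface name `tun0` and the addresses in
the comments are assumptions.

```sh
#!/bin/sh
# /etc/openvpn/script_up.sh
# Added example, not the script from the post: installs the default
# route(s) when OpenVPN calls it as the --up script (script-security 2
# is required). OpenVPN exports the tunnel parameters as environment
# variables (dev, ifconfig_remote, route_vpn_gateway,
# ifconfig_ipv6_remote, script_type) and also passes them positionally:
#   tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]
set -eu

# Print the route commands for a tun device and the VPN-side gateway,
# one per line, without running them.
route_commands() {
    rc_dev=$1          # e.g. tun0 (assumed name)
    rc_gw=$2           # the X.Y.Z.A of the post
    rc_v6=${3:-no}     # "yes" when the tunnel carries IPv6
    # A real default route (not def1's 0/1 + 128/1 pair) puts tun0 in egress.
    printf '/sbin/route add -net default %s\n' "$rc_gw"
    if [ "$rc_v6" = yes ]; then
        # Same route as in the post: all global unicast space via the
        # link-local scope of the tunnel interface.
        printf '/sbin/route add -inet6 2000::/3 fe80::%%%s\n' "$rc_dev"
    fi
}

# Pick the gateway OpenVPN negotiated: the variable OpenVPN itself uses
# for pushed routes first, then the ifconfig peer, then the 5th argument.
vpn_gateway() {
    printf '%s\n' "${route_vpn_gateway:-${ifconfig_remote:-${1:-}}}"
}

main() {
    tun=${dev:-${1:-tun0}}
    gw=$(vpn_gateway "${5:-}")
    if [ -z "$gw" ]; then
        echo "script_up.sh: no VPN gateway in environment or arguments" >&2
        exit 1
    fi
    if [ -n "${ifconfig_ipv6_remote:-}" ]; then v6=yes; else v6=no; fi
    route_commands "$tun" "$gw" "$v6" | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd   # runs as root under OpenVPN; word splitting is intended
        fi
    done
}

# Only act when OpenVPN invokes us as the --up script; running the file
# by hand without script_type set does nothing.
if [ "${script_type:-}" = up ]; then
    main "$@"
fi
```

Because `set -e` is on, a failing `route add` makes the script exit
non-zero and OpenVPN treats the `--up` failure as fatal, which is what
you want for a default route.  On a reconnect that re-runs the script
the route may already exist and `route add` will complain; delete it in
a `--down` script or use `route change` there if that bites you.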