
I wish to have all internet traffic go through my VPN; when my VPN is disconnected, no internet traffic should be able to leave my workstation/desktop (not server).

I wish to switch VPN servers of one location to another at random.

Here are my pf rules. I would appreciate it if you could help me add more IP addresses of remote VPN servers:

# Interfaces: physical uplink and the VPN tunnel
wan="em0"
vpn="tun0"

# Options must precede filter rules (FreeBSD pf rejects them after a "block")
set block-policy drop
set skip on lo

# Default deny in both directions; log what is dropped inbound
block all
block in log all
antispoof for $wan inet
block in from urpf-failed to any
block inet proto icmp icmp-type echoreq
block out inet6 all
block in inet6 all

# Only the VPN handshake may leave on the physical interface
pass out on $wan proto tcp from any to a.b.c.d port 443 modulate state

# Everything else leaves through the tunnel
pass out on $vpn proto tcp from any to any port 80 modulate state
pass out on $vpn proto tcp from any to any port 443 modulate state
pass out on $vpn proto udp from any to any port 53 modulate state

where a.b.c.d is the IP address of the remote VPN server.

jasonwryan

2 Answers

Use tables. See man pf.conf for a detailed explanation and take a look at this answer for an example.

Zé Loff
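An added example (not from the question or either answer) of the asker's rule set rewritten around a table, so that VPN endpoints can be added or removed without editing pf.conf; the addresses and the table file path are placeholders.

```pf
# Added example: the original rules with the VPN endpoints kept in a pf table.
wan = "em0"
vpn = "tun0"

# Remote VPN endpoints. "persist" keeps the table alive even if no rule
# references it; "file" loads the initial contents (one address per line)
# from a file managed outside pf.conf. Path and contents are placeholders.
table <vpn_servers> persist file "/etc/pf.vpn_servers"

# Options first, so the file also parses on FreeBSD's stricter pf.
set block-policy drop
set skip on lo

# Default deny: with the tunnel down, nothing below matches and traffic is dropped.
block all
block in log all
antispoof for $wan inet
block in from urpf-failed to any
block inet proto icmp icmp-type echoreq
block inet6 all

# The only thing allowed out on the physical link is the VPN handshake,
# and only to addresses currently in the table.
pass out on $wan proto tcp to <vpn_servers> port 443 modulate state

# Everything else must ride the tunnel.
pass out on $vpn proto tcp to any port { 80 443 } modulate state
pass out on $vpn proto udp to any port 53 modulate state
```

At runtime the table is edited in place, e.g. `pfctl -t vpn_servers -T add 203.0.113.5` (placeholder address) or `pfctl -t vpn_servers -T replace -f /etc/pf.vpn_servers`, and `pfctl -t vpn_servers -T show` lists what is currently allowed; no rule reload is needed.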

Use -T add to add one or more addresses to a table and automatically create the table if it does not exist. So you have to run a command like this.

sudo pfctl -t badguys -T add 185.130.5.160

If you don't have such a table already, it will be created.

1 table created. 1/1 addresses added.

Now if you look in badguys, you will see the new IP.

sudo pfctl -t badguys -T show

Now restart pf.

sudo pfctl -vnf /etc/pf.conf
user160328