FreeBSD network settings for jails, one of which is on a VPN
# OpenVPN client profile. Started from rc.local under `setfib -F1` (rc.conf keeps
# openvpn_enable="NO"), so the tunnel and its routes live in routing table 1.
client
dev tun
proto udp
# remote host/port as published in the gist (placeholder provider hostname)
remote vpn-server.vpn-provider.com 1194
resolv-retry infinite
nobind
# NOTE(review): persist-key/persist-tun are normally paired with user/group to drop
# root after startup; no user/group directive is present here, so the daemon keeps
# running as root -- confirm that is intended.
persist-key
persist-tun
# CA used to validate the server certificate
ca /usr/local/etc/openvpn/my-ca.crt
tls-client
# require the peer certificate to carry the server key-usage/EKU, so a client
# certificate issued by the same CA cannot be presented as the server
remote-cert-tls server
# username/password file read by the root-owned daemon; keep it root:wheel 0600
auth-user-pass /usr/local/etc/openvpn/my-login.conf
# NOTE(review): compression inside the TLS tunnel is deprecated upstream because of
# compression-oracle attacks; prefer disabling it if the server side permits.
comp-lzo
verb 1
# 0 disables the client-initiated hourly TLS renegotiation (OpenVPN default 3600s);
# data-channel key lifetime is then bounded only by the server's setting
reneg-sec 0
# revocation list checked against the server certificate
crl-verify /usr/local/etc/openvpn/my-crl.pem
# script-security 2 is required for the user-supplied `up` hook; the hook reloads pf
# (see pf-reload.sh) and up-restart 1 also runs it on tunnel restarts
up /usr/local/etc/openvpn/pf-reload.sh
up-restart 1
script-security 2
# background after initialisation, so rc.local does not block boot
daemon
#!/bin/sh
# OpenVPN `up` hook (wired via `up` + `script-security 2` in the client profile).
# Reloads the pf ruleset when the tunnel comes up -- presumably so the nat rule
# that names tun0 is re-evaluated with the tunnel's current address (verify).
# OpenVPN passes its own positional arguments to this hook; they are unused here.
pf_rules=/etc/pf.conf
exec /sbin/pfctl -f "$pf_rules"
# pf ruleset: NAT for two jail networks on lo1 (clear-net jails via igb0, VPN
# jail via tun0), per-jail port redirects, and routing-table selection.
# NOTE(review): there is no `block` rule anywhere; pf passes packets that match
# no rule, so this ruleset does NAT/rdr and rtable selection only -- it does not
# filter inbound traffic to the host.
IF_PUB="igb0"
# public addresses as published in the gist (sample values)
IP_PUB="111.222.33.44"
# NOTE(review): no matching address for IP_PUB_BAK appears in the rc.conf shown;
# presumably configured elsewhere -- verify.
IP_PUB_BAK="111.222.55.66"
# must agree with ipv4_addrs_lo1 in rc.conf (127.0.1.1-19 / 127.0.2.1-19)
NET_JAIL="127.0.1.0/24"
IF_VPN="tun0"
NET_VPNJAIL="127.0.2.0/24"
scrub in all
# `nat pass`: translated packets skip the filter rules below.
# NOTE(review): an unparenthesised interface as the translation address is
# resolved when the ruleset is loaded, which is presumably why pf-reload.sh
# re-runs `pfctl -f` from the OpenVPN `up` hook; `-> ($IF_VPN)` would let pf
# track tun0's address on its own -- confirm before changing.
nat pass on $IF_PUB from $NET_JAIL to any -> $IF_PUB
nat pass on $IF_VPN from $NET_VPNJAIL to any -> $IF_VPN
# Port redirects into individual jails; `rdr pass` also bypasses the filter
# rules for the redirected packet. Ports 2201/2202/2211 are presumably
# per-jail ssh -- verify.
# jail1
rdr pass on $IF_PUB proto tcp from any to $IP_PUB port {2201} -> 127.0.1.1
rdr pass on $IF_PUB proto tcp from any to $IP_PUB_BAK port {2201} -> 127.0.1.1
# jail2
rdr pass on $IF_PUB proto tcp from any to $IP_PUB port {2202} -> 127.0.1.2
rdr pass on $IF_PUB proto tcp from any to $IP_PUB_BAK port {2202} -> 127.0.1.2
# vpnjail1
rdr pass on $IF_PUB proto tcp from any to $IP_PUB port {2211} -> 127.0.2.1
rdr pass on $IF_PUB proto tcp from any to $IP_PUB_BAK port {2211} -> 127.0.2.1
# rtable selects the routing table for the jails' outbound traffic: clear-net
# jails use fib 0, the VPN jail uses fib 1 where openvpn (started via
# setfib -F1 in rc.local) installs its routes
pass in from $NET_JAIL to any rtable 0
pass in from $NET_VPNJAIL to any rtable 1
# rc.conf fragment for the jail host: public interface in fib 0, a second
# routing table (fib 1) for the VPN, pf, and the jails' loopback addresses.
# network interfaces and fib 0
# public addresses as published in the gist (sample values)
ifconfig_igb0="inet 111.222.33.44 netmask 255.255.255.0 broadcast 111.222.33.255"
defaultrouter="111.222.33.254"
ifconfig_igb0_ipv6="inet6 2500:1111:2222:3333:: prefixlen 64 accept_rtadv"
ipv6_network_interfaces="igb0"
ipv6_default_interface="igb0"
ipv6_defaultrouter="2500:1111:2222:3333:ff:ff:ff:ff"
# openvpn on fib 1
openvpn_enable="NO"  # started from rc.local under setfib -F1 so its routes land in fib 1
# fib 1 gets the same default gateway as fib 0 so openvpn can reach the server.
# NOTE(review): this also means that while the tunnel is down, traffic pf sends
# to rtable 1 (the VPN jail) still has a route out via igb0 rather than failing
# closed -- confirm that is acceptable.
static_routes="vpn"
route_vpn="default 111.222.33.254 -fib 1"
# jails and nat
pf_enable="YES"
# lo1 carries the jail addresses; the ranges must cover the rdr targets in
# pf.conf (127.0.1.1, 127.0.1.2, 127.0.2.1)
cloned_interfaces="lo1"
ipv4_addrs_lo1="127.0.1.1-19 127.0.2.1-19"
#!/bin/sh
# rc.local: start the VPN client in routing table 1 (rc.conf deliberately keeps
# openvpn_enable="NO"), so the routes OpenVPN installs go into fib 1 and only
# traffic that pf sends to rtable 1 presumably uses the tunnel (verify).
# The profile's `daemon` directive backgrounds the process, so boot is not blocked.
openvpn=/usr/local/sbin/openvpn
profile=/usr/local/etc/openvpn/myconfig.ovpn
setfib -F1 "$openvpn" "$profile"