Reputation: 11
I'm running OpenBSD 5.8, npppd, mpath and have tried the same on 5.7 and 5.3. npppd works fine and clients can connect using the Windows PPTP client. Clients have the PPTP connection set as default gateway and can access the internet through the VPN gateway, but cannot access the LAN network: traffic arrives on the pppx0 interface but never gets forwarded to the LAN IP address. I have been looking and trying for over 2 weeks now and can't figure that one out. Setting everything to pass in pf.conf and only enabling NAT still gives no result.
Setup: OpenBSD 5.8 with npppd (using pppx0 or tun0) and pf; 2 WAN interfaces with equal-cost routing (net.inet.ip.multipath=1), 1 LAN interface.
sysctl.conf:
net.inet.ip.forwarding=1
net.inet.ip.multipath=1
net.inet.gre.allow=1
net.pipex.enable=1
npppd.conf:
set max-session 20
set user-max-session 5
authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}
tunnel VPN protocol pptp {
listen on 0.0.0.0
}
ipcp IPCP {
pool-address 10.219.219.2-10.219.219.100
dns-servers 192.168.0.189 192.168.0.19
nbns-servers 192.168.0.189 192.168.0.19
}
interface pppx0 address 10.219.219.1 ipcp IPCP
bind tunnel from VPN authenticated by LOCAL to pppx0
pf.conf:
### NAT
match out log on $ext1_if from $int_net nat-to ($ext1_if)
match out log on $ext2_if from $int_net nat-to ($ext2_if)
## vpn
pass quick log on pppx
match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
match out log on $int_if from $vpn_net nat-to ($int_if)
### FILTER RULES
block log quick inet6
block in log on $ext1_if
block in log on $ext2_if
## allow ping, traceroute and echo
pass in log inet proto icmp all icmp-type $icmp_types
## pass connections to vpn server
pass log proto { gre } from any to any keep state
pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
pass in log on $ext2_if proto tcp from any to $ext2_if port 1723
pass in on enc0 from $vpn_net to $int_net keep state (if-bound)
pass out on enc0 from $int_net to $vpn_net keep state (if-bound)
pass in on pppx from $vpn_net to $int_net keep state (if-bound)
pass out on pppx from $int_net to $vpn_net keep state (if-bound)
netstat -rn:
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default a.a.a.113 UGSP 0 1073494 - 8 em0
default b.b.b.97 UGSP 4 10294 - 8 em1
10.219.219.1 10.219.219.1 UHl 0 0 - 1 lo0
10.219.219.14 10.219.219.1 UH 0 679 - 8 pppx0
127/8 127.0.0.1 UGRS 0 0 32768 8 lo0
127.0.0.1 127.0.0.1 UHl 1 4 32768 1 lo0
b.b.b.96/28 b.b.b.110 UC 1 0 - 8 em1
b.b.b.97 bc:16:65:34:33:81 UHLc 1 0 - 8 em1
b.b.b.110 00:15:17:48:7b:23 HLl 0 0 - 1 lo0
b.b.b.111 b.b.b.110 UHb 0 0 - 1 em1
192.168.0/22 192.168.0.238 UC 9 0 - 8 em3
192.168.0.4 00:25:90:7c:40:cf UHLc 0 4 - 8 em3
192.168.0.5 00:30:48:7d:7c:64 UHLc 0 1 - 8 em3
192.168.0.6 00:25:90:3c:30:67 UHLc 0 2 - 8 em3
192.168.0.10 f4:6d:04:29:ea:f7 UHLc 0 4 - 8 em3
192.168.0.19 00:25:90:72:89:1a UHLc 0 8388 - 8 em3
192.168.0.189 00:30:48:d8:f0:0b UHLc 0 9661 - 8 em3
192.168.0.238 00:25:90:d0:17:10 HLl 0 0 - 1 lo0
192.168.0.253 00:25:90:af:5d:0a UHLc 0 154 - 8 em3
192.168.2.167 50:e5:49:e6:c3:3c UHLc 0 2048 - 8 em3
192.168.3.202 00:25:90:af:5d:0a UHLc 1 9329 - L 8 em3
192.168.3.255 192.168.0.238 UHb 0 0 - 1 em3
a.a.a.112/28 a.a.a.126 UC 2 0 - 8 em0
a.a.a.113 00:00:5e:00:01:0c UHLc 1 0 - 8 em0
a.a.a.116 00:25:90:af:5d:0b UHLc 2 34417 - L 8 em0
a.a.a.126 00:15:17:48:7b:22 HLl 0 0 - 1 lo0
a.a.a.127 a.a.a.126 UHb 0 0 - 1 em0
224/4 127.0.0.1 URS 0 0 32768 8 lo0
Upvotes: 0
Views: 897
Reputation: 11
I'm used to pf on FreeBSD; it looks like pf or the kernel on OpenBSD sets a "block all" on any interface that has no rules defined in pf.conf using skip or pass rules, which is a good thing because this closes unintended security holes.
The machine is the gateway to the internet, serves as VPN server and is load balancing 2 leased lines. Another gotcha I found is the rule mentioned in every tutorial on the net for npppd.
pass log proto { gre } from any to any keep state
I changed this to the below to make sure that any NAT'ed outgoing connections are not interfered with.
pass log inet proto gre from any to $ext1_if modulate state
This rule is not needed and does nothing but prevent clients on the local network from accessing a VPN server on the internet through the OpenBSD firewall. GRE is negotiated between the client and the VPN server software on the server and will be passed anyway. Only port 1723 needs to be opened for incoming connections, and that only on the external interface ($ext_if).
Below is the relevant pf.conf for OpenBSD/npppd:
### NAT
## int net
match out log on $ext1_if from $int_net nat-to ($ext1_if) static-port
match out log on $ext2_if from $int_net nat-to ($ext2_if) static-port
## vpn
match out log on $ext1_if from $vpn_net nat-to ($ext1_if) static-port
match out log on $ext2_if from $vpn_net nat-to ($ext2_if) static-port
match out log on $int_if from $vpn_net nat-to ($int_if) static-port
### FILTER RULES
block drop quick inet6
block log all
pass out log
## allow ping, traceroute and echo
pass in log inet proto icmp all icmp-type $icmp_types
## internal network
pass in log on $int_if
## pass connections to vpn server
pass in log on pppx
pass log inet proto gre from any to $ext1_if modulate state
pass log inet proto gre from any to $ext2_if modulate state
pass out log inet proto gre from any to any modulate state
pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
pass in log on $ext2_if proto tcp from any to $ext2_if port 1723
Upvotes: 0
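An added example, not code from the question or the answer above: a small model of how pf evaluates the answer's filter rules, so the effect of `block log all` followed by narrower `pass` rules can be checked packet by packet. pf walks the rule set top to bottom and the last matching rule wins, unless a matching rule carries `quick`, which ends evaluation at that rule. The values substituted for the macros are assumptions ($ext1_if = em0 at 198.51.100.126, $ext2_if = em1 at 203.0.113.110, $int_if = em3), the sample packets are constructed, and NAT `match` rules, state tracking and the `$icmp_types` list are not modelled.

```python
"""Toy last-match-wins evaluator for the pf(4) filter rules in the answer.
Added example; the macro values and packets below are assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed substitutions for the macros in the posted pf.conf.
EXT1_IF, EXT1_ADDR = "em0", "198.51.100.126"
EXT2_IF, EXT2_ADDR = "em1", "203.0.113.110"
INT_IF = "em3"


@dataclass
class Packet:
    iface: str
    direction: str                  # "in" or "out" relative to the firewall
    proto: str                      # "tcp", "udp", "gre", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    family: str = "inet"            # "inet" or "inet6"


@dataclass
class Rule:
    text: str                       # the pf.conf line being modelled
    action: str                     # "pass" or "block"
    direction: Optional[str] = None # None matches both directions
    iface: Optional[str] = None     # None matches any interface
    proto: Optional[str] = None
    dst: str = "any"                # host, network or "any"
    dport: Optional[int] = None
    family: Optional[str] = None
    quick: bool = False


def _iface_matches(rule_if: str, pkt_if: str) -> bool:
    # "on pppx" names an interface group, so it matches pppx0, pppx1, ...
    return pkt_if == rule_if or pkt_if.rstrip("0123456789") == rule_if


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    # ip_network containment is False across address families (v4 vs v6).
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(r: Rule, p: Packet) -> bool:
    return ((r.direction is None or r.direction == p.direction)
            and (r.iface is None or _iface_matches(r.iface, p.iface))
            and (r.proto is None or r.proto == p.proto)
            and (r.family is None or r.family == p.family)
            and _addr_matches(r.dst, p.dst)
            and (r.dport is None or r.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[str]]:
    """pf semantics: the LAST matching rule decides, unless a matching rule
    is 'quick', in which case evaluation stops at that rule.  With no
    matching rule at all pf passes the packet."""
    verdict: Tuple[str, Optional[str]] = ("pass", None)
    for r in rules:
        if rule_matches(r, p):
            verdict = (r.action, r.text)
            if r.quick:
                break
    return verdict


# The answer's filter section, with macros expanded to the assumed values.
RULES = [
    Rule("block drop quick inet6", "block", family="inet6", quick=True),
    Rule("block log all", "block"),
    Rule("pass out log", "pass", direction="out"),
    Rule("pass in log inet proto icmp", "pass", direction="in", proto="icmp", family="inet"),
    Rule("pass in log on $int_if", "pass", direction="in", iface=INT_IF),
    Rule("pass in log on pppx", "pass", direction="in", iface="pppx"),
    Rule("pass log inet proto gre from any to $ext1_if", "pass", proto="gre", dst=EXT1_ADDR, family="inet"),
    Rule("pass log inet proto gre from any to $ext2_if", "pass", proto="gre", dst=EXT2_ADDR, family="inet"),
    Rule("pass out log inet proto gre from any to any", "pass", direction="out", proto="gre", family="inet"),
    Rule("pass in log on $ext1_if proto tcp to $ext1_if port 1723", "pass",
         direction="in", iface=EXT1_IF, proto="tcp", dst=EXT1_ADDR, dport=1723),
    Rule("pass in log on $ext2_if proto tcp to $ext2_if port 1723", "pass",
         direction="in", iface=EXT2_IF, proto="tcp", dst=EXT2_ADDR, dport=1723),
]

# Constructed sample packets (not captured traffic).
SAMPLES = {
    "LAN client GRE to an internet VPN server, in on $int_if":
        Packet(INT_IF, "in", "gre", "192.168.0.10", "203.0.113.5"),
    "same flow leaving on $ext1_if after NAT":
        Packet(EXT1_IF, "out", "gre", EXT1_ADDR, "203.0.113.5"),
    "PPTP control connection from the internet":
        Packet(EXT1_IF, "in", "tcp", "192.0.2.7", EXT1_ADDR, dport=1723),
    "SSH from the internet (no pass rule)":
        Packet(EXT1_IF, "in", "tcp", "192.0.2.7", EXT1_ADDR, dport=22),
    "VPN client to LAN host, in on pppx0":
        Packet("pppx0", "in", "tcp", "10.219.219.14", "192.168.0.19", dport=445),
    "any IPv6 packet":
        Packet(EXT1_IF, "in", "tcp", "2001:db8::1", "2001:db8::2", dport=80, family="inet6"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        action, rule = evaluate(RULES, pkt)
        print(f"{action:5}  {label}  <- {rule}")
```

Reading the output against the real box: `pfctl -sr` shows the loaded rules in the order pf evaluates them, and `tcpdump -n -e -ttt -i pflog0` shows, for each logged packet, the rule number that produced the verdict, which is what the toy evaluator's second return value stands in for.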