VPNs: The enc Interface

Once you've set up IPSec, you can do your filtering on the enc interfaces:

pass on enc0 from $allowedsource to $sechosts port $allowedin
pass on enc0 from $myhosts to $remotedest port $remoteports

OpenBSD 4.8 News Flash: enc is now cloneable, you can have more than one