Difference between revisions of "OpenBSD VPN gateway using IPSec/IKEv2"
(→Configure iked) |
|||
Line 111: | Line 111: | ||
Use the hostname of the server for both "server address" and "remote ID". "Local ID" can be blank. Use authentication setting "none", and fill the "shared secret". | Use the hostname of the server for both "server address" and "remote ID". "Local ID" can be blank. Use authentication setting "none", and fill the "shared secret". | ||
+ | |||
+ | == References == | ||
+ | |||
+ | * [https://man.openbsd.org/iked.conf.5 iked.conf(5)] | ||
+ | * [https://man.openbsd.org/unbound.conf unbound.conf(5)] | ||
+ | * [https://man.openbsd.org/pf.conf pf.conf(5)] | ||
+ | * [https://tools.ietf.org/html/rfc5996 RFC5996 | Internet Key Exchange Protocol Version 2 (IKEv2)] | ||
+ | * [https://tools.ietf.org/html/rfc2401 RFC2401 | Security Architecture for the Internet Protocol] |
Revision as of 20:34, 5 February 2019
Contents
Introduction
We'll implement a VPN gateway IPSec/IKEv2 because it's natively supported both by clients (Linux/Windows/macOS) and the server (OpenBSD), no extra software required.
Prerequisites
Make sure you have OpenBSD installed. All the command below run as root.
Enabled IP forwarding
echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf sysctl net.inet.ip.forwarding=1
Create virtual network interface
echo 'inet 172.24.24.1 255.255.255.0 172.24.24.255' > /etc/hostname.enc0 echo 'up' >> /etc/hostname.enc0
Configure unbound, so VPN clients can have DNS server
vi /var/unbound/etc/unbound.conf
Use:
server: interface: 172.24.24.1 interface: 127.0.0.1 interface: ::1 access-control: 0.0.0.0/0 refuse access-control: ::0/0 refuse access-control: 127.0.0.0/8 allow access-control: 172.24.24.1/24 allow access-control: ::1 allow do-not-query-localhost: no hide-identity: yes hide-version: yes forward-zone: name: "." forward-addr: 74.82.42.42 # he.net forward-addr: 2001:470:20::2 # he.net v6 remote-control: control-enable: yes control-use-cert: no control-interface: /var/run/unbound.sock
Enable the service:
rcctl enable unbound
Configure the firewall
The firewall should do some sort of NAT. I'm not sure if the config below does more than it needs to, but it seems to work.
cat <<EOF >/etc/pf.conf set skip on lo block return # block stateless traffic pass # establish keep-state # NAT match in all scrub (no-df random-id max-mss 1440) match out on egress inet from !(egress:network) to any nat-to (egress:0) pass quick proto udp from any to self port {isakmp, ipsec-nat-t} keep state pass on enc0 from any to self keep state (if-bound) # By default, do not permit remote connections to X11 block return in on ! lo0 proto tcp to port 6000:6010 # Port build user does not need network block return out log proto {tcp udp} user _pbuild EOF pfctl -f /etc/pf.conf
Configure iked
So far we are using pre shared keys.
vi /etc/iked.conf
Use:
ikev2 "vpn" passive ipcomp esp \ from 0.0.0.0/0 to 0.0.0.0/0 \ local egress peer any \ psk "XXXXXXXXXXX" \ config address 172.24.24.0/24 \ config name-server 172.24.24.1 \ tag "vpn" tap enc0
Enable the service:
chmod 0600 /etc/iked.conf rcctl enable iked
Restart networking
sh /etc/netstart
Start the daemons
rcctl start unbound rcctl start iked
Configure clients
Apple
Use the hostname of the server for both "server address" and "remote ID". "Local ID" can be blank. Use authentication setting "none", and fill the "shared secret".