Difference between revisions of "OpenBSD VPN gateway using IPSec/IKEv2"
(→Introduction) |
(→Create VPN CA and client certificates) |
||
(29 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
+ | [[Category:OpenBSD]] | ||
+ | [[Category:VPN]] | ||
+ | [[Category:Networking]] | ||
+ | |||
== Introduction == | == Introduction == | ||
− | We'll implement a VPN gateway IPSec/IKEv2 because it's supported | + | We'll implement a VPN gateway IPSec/IKEv2 because it's natively supported both by clients (Linux/Windows/macOS) and the server (OpenBSD), no extra software required. |
== Prerequisites == | == Prerequisites == | ||
− | Make sure you have [[OpenBSD Post Install Steps|OpenBSD installed]]. All the command below run as root. | + | Make sure you have [[OpenBSD Post Install Steps|OpenBSD installed]]. All the command below run as root. We assume both IPv4 and IPv6 (for IPv6 see e.g. [[OpenBSD HE IPv6 tunnel]]). |
== Enabled IP forwarding == | == Enabled IP forwarding == | ||
echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf | echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf | ||
+ | echo 'net.inet6.ip6.forwarding=1' >> /etc/sysctl.conf | ||
+ | sysctl net.inet.ip.forwarding=1 | ||
+ | sysctl net.inet6.ip6.forwarding=1 | ||
== Create virtual network interface == | == Create virtual network interface == | ||
echo 'inet 172.24.24.1 255.255.255.0 172.24.24.255' > /etc/hostname.enc0 | echo 'inet 172.24.24.1 255.255.255.0 172.24.24.255' > /etc/hostname.enc0 | ||
+ | echo 'inet6 2001:470:8c78:a0::1 64' >> /etc/hostname.enc0 | ||
echo 'up' >> /etc/hostname.enc0 | echo 'up' >> /etc/hostname.enc0 | ||
== Configure unbound, so VPN clients can have DNS server == | == Configure unbound, so VPN clients can have DNS server == | ||
− | + | vi /var/unbound/etc/unbound.conf | |
+ | |||
+ | Use: | ||
+ | |||
server: | server: | ||
interface: 172.24.24.1 | interface: 172.24.24.1 | ||
+ | interface: 2001:470:8c78:a0::1 | ||
interface: 127.0.0.1 | interface: 127.0.0.1 | ||
interface: ::1 | interface: ::1 | ||
Line 28: | Line 40: | ||
access-control: 127.0.0.0/8 allow | access-control: 127.0.0.0/8 allow | ||
access-control: 172.24.24.1/24 allow | access-control: 172.24.24.1/24 allow | ||
+ | access-control: 2001:470:8c78::/48 allow | ||
access-control: ::1 allow | access-control: ::1 allow | ||
Line 43: | Line 56: | ||
control-use-cert: no | control-use-cert: no | ||
control-interface: /var/run/unbound.sock | control-interface: /var/run/unbound.sock | ||
− | + | ||
+ | Enable the service: | ||
+ | |||
rcctl enable unbound | rcctl enable unbound | ||
Line 72: | Line 87: | ||
== Configure iked == | == Configure iked == | ||
− | + | === Create the CA and the client certificates === | |
+ | |||
+ | ikectl ca VPN create | ||
+ | ikectl ca VPN install | ||
+ | ikectl ca VPN certificate swtch.mgk.ro create server | ||
+ | ikectl ca VPN certificate swtch.mgk.ro install | ||
+ | ikectl ca VPN certificate emerald.local create client | ||
+ | ikectl ca VPN certificate emerald.local install | ||
+ | |||
+ | ikectl ca VPN certificate emerald.local export | ||
+ | |||
+ | Move emerald.local.tgz to client machine. | ||
+ | |||
+ | === iked.conf === | ||
+ | |||
+ | We are using certificates (default). | ||
+ | |||
+ | vi /etc/iked.conf | ||
+ | |||
+ | Use: | ||
− | + | ikev2 "vpn" passive esp \ | |
− | ikev2 "vpn" passive | ||
from 0.0.0.0/0 to 0.0.0.0/0 \ | from 0.0.0.0/0 to 0.0.0.0/0 \ | ||
+ | from ::0/0 to ::0/0 \ | ||
local egress peer any \ | local egress peer any \ | ||
− | + | ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \ | |
+ | childsa enc aes-256 auth hmac-sha2-256 group modp2048 \ | ||
+ | srcid swtch.mgk.ro \ | ||
config address 172.24.24.0/24 \ | config address 172.24.24.0/24 \ | ||
+ | config address 2001:470:203a:a0::/64 \ | ||
config name-server 172.24.24.1 \ | config name-server 172.24.24.1 \ | ||
− | tag " | + | config name-server 2001:470:203a:a0::1 \ |
− | + | tag "$name-$id" | |
+ | |||
+ | Enable the service: | ||
+ | |||
chmod 0600 /etc/iked.conf | chmod 0600 /etc/iked.conf | ||
rcctl enable iked | rcctl enable iked | ||
+ | |||
+ | Make sure you set iked_flags in /etc/rc.conf.local: | ||
+ | |||
+ | rcctl set iked flags -6 | ||
+ | |||
+ | Otherwise you will not have IPv6 connectivity, even outside the VPN! | ||
== Restart networking == | == Restart networking == | ||
Line 94: | Line 140: | ||
rcctl start unbound | rcctl start unbound | ||
rcctl start iked | rcctl start iked | ||
+ | |||
+ | == Extra firewall == | ||
+ | |||
+ | If you have another firewall in front of your VPN gateway, you need to open UDP ports 500, 4500, and ESP (IP protocol 50). | ||
== Configure clients == | == Configure clients == | ||
Line 99: | Line 149: | ||
=== Apple === | === Apple === | ||
− | Use the hostname of the server for both "server address" and "remote ID". "Local ID" | + | You need [https://itunes.apple.com/us/app/apple-configurator-2/id1037126344?mt=12 Apple Configurator 2] to create a MDM profile. |
+ | |||
+ | Use the hostname of the server for both "server address" and "remote ID". "Local ID" should be the FQDN you used when creating the client certificate. Load the exported certificates (both the CA and the client certificate) in the MDM profile. | ||
+ | |||
+ | == References == | ||
+ | |||
+ | * [https://man.openbsd.org/iked.conf.5 iked.conf(5)] | ||
+ | * [https://man.openbsd.org/unbound.conf unbound.conf(5)] | ||
+ | * [https://man.openbsd.org/pf.conf pf.conf(5)] | ||
+ | * [https://man.openbsd.org/ikectl.8 ikectl(8)] | ||
+ | * [https://tools.ietf.org/html/rfc5996 RFC5996 | Internet Key Exchange Protocol Version 2 (IKEv2)] | ||
+ | * [https://tools.ietf.org/html/rfc2401 RFC2401 | Security Architecture for the Internet Protocol] | ||
+ | * [https://www.going-flying.com/blog/protecting-my-macos-and-ios-devices-with-an-openbsd-vpn.html Protecting my macOS and iOS devices with an OpenBSD VPN] |
Latest revision as of 16:07, 10 May 2019
Contents
Introduction
We'll implement a VPN gateway IPSec/IKEv2 because it's natively supported both by clients (Linux/Windows/macOS) and the server (OpenBSD), no extra software required.
Prerequisites
Make sure you have OpenBSD installed. All the command below run as root. We assume both IPv4 and IPv6 (for IPv6 see e.g. OpenBSD HE IPv6 tunnel).
Enabled IP forwarding
echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf echo 'net.inet6.ip6.forwarding=1' >> /etc/sysctl.conf sysctl net.inet.ip.forwarding=1 sysctl net.inet6.ip6.forwarding=1
Create virtual network interface
echo 'inet 172.24.24.1 255.255.255.0 172.24.24.255' > /etc/hostname.enc0 echo 'inet6 2001:470:8c78:a0::1 64' >> /etc/hostname.enc0 echo 'up' >> /etc/hostname.enc0
Configure unbound, so VPN clients can have DNS server
vi /var/unbound/etc/unbound.conf
Use:
server: interface: 172.24.24.1 interface: 2001:470:8c78:a0::1 interface: 127.0.0.1 interface: ::1 access-control: 0.0.0.0/0 refuse access-control: ::0/0 refuse access-control: 127.0.0.0/8 allow access-control: 172.24.24.1/24 allow access-control: 2001:470:8c78::/48 allow access-control: ::1 allow do-not-query-localhost: no hide-identity: yes hide-version: yes forward-zone: name: "." forward-addr: 74.82.42.42 # he.net forward-addr: 2001:470:20::2 # he.net v6 remote-control: control-enable: yes control-use-cert: no control-interface: /var/run/unbound.sock
Enable the service:
rcctl enable unbound
Configure the firewall
The firewall should do some sort of NAT. I'm not sure if the config below does more than it needs to, but it seems to work.
cat <<EOF >/etc/pf.conf set skip on lo block return # block stateless traffic pass # establish keep-state # NAT match in all scrub (no-df random-id max-mss 1440) match out on egress inet from !(egress:network) to any nat-to (egress:0) pass quick proto udp from any to self port {isakmp, ipsec-nat-t} keep state pass on enc0 from any to self keep state (if-bound) # By default, do not permit remote connections to X11 block return in on ! lo0 proto tcp to port 6000:6010 # Port build user does not need network block return out log proto {tcp udp} user _pbuild EOF pfctl -f /etc/pf.conf
Configure iked
Create the CA and the client certificates
ikectl ca VPN create ikectl ca VPN install ikectl ca VPN certificate swtch.mgk.ro create server ikectl ca VPN certificate swtch.mgk.ro install ikectl ca VPN certificate emerald.local create client ikectl ca VPN certificate emerald.local install ikectl ca VPN certificate emerald.local export
Move emerald.local.tgz to client machine.
iked.conf
We are using certificates (default).
vi /etc/iked.conf
Use:
ikev2 "vpn" passive esp \ from 0.0.0.0/0 to 0.0.0.0/0 \ from ::0/0 to ::0/0 \ local egress peer any \ ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \ childsa enc aes-256 auth hmac-sha2-256 group modp2048 \ srcid swtch.mgk.ro \ config address 172.24.24.0/24 \ config address 2001:470:203a:a0::/64 \ config name-server 172.24.24.1 \ config name-server 2001:470:203a:a0::1 \ tag "$name-$id"
Enable the service:
chmod 0600 /etc/iked.conf rcctl enable iked
Make sure you set iked_flags in /etc/rc.conf.local:
rcctl set iked flags -6
Otherwise you will not have IPv6 connectivity, even outside the VPN!
Restart networking
sh /etc/netstart
Start the daemons
rcctl start unbound rcctl start iked
Extra firewall
If you have another firewall in front of your VPN gateway, you need to open UDP ports 500, 4500, and ESP (IP protocol 50).
Configure clients
Apple
You need Apple Configurator 2 to create a MDM profile.
Use the hostname of the server for both "server address" and "remote ID". "Local ID" should be the FQDN you used when creating the client certificate. Load the exported certificates (both the CA and the client certificate) in the MDM profile.