Difference between revisions of "OpenBSD VPN gateway using IPSec/IKEv2"

From Aram's Wiki
Jump to: navigation, search
(Create VPN CA and client certificates)
 
(8 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
[[Category:OpenBSD]]
 
[[Category:OpenBSD]]
 
[[Category:VPN]]
 
[[Category:VPN]]
 +
[[Category:Networking]]
  
 
== Introduction ==
 
== Introduction ==
Line 86: Line 87:
 
== Configure iked ==  
 
== Configure iked ==  
  
So far we are using pre shared keys.
+
=== Create the CA and the client certificates ===
 +
 
 +
ikectl ca VPN create
 +
ikectl ca VPN install
 +
ikectl ca VPN certificate swtch.mgk.ro create server
 +
ikectl ca VPN certificate swtch.mgk.ro install
 +
ikectl ca VPN certificate emerald.local create client
 +
ikectl ca VPN certificate emerald.local install
 +
 +
ikectl ca VPN certificate emerald.local export
 +
 
 +
Move emerald.local.tgz to client machine.
 +
 
 +
=== iked.conf ===
 +
 
 +
We are using certificates (default).
  
 
  vi /etc/iked.conf
 
  vi /etc/iked.conf
Line 92: Line 108:
 
Use:
 
Use:
  
  ikev2 "vpn" passive ipcomp esp \
+
  ikev2 "vpn" passive esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
+
from 0.0.0.0/0 to 0.0.0.0/0 \
        from ::0/0 to ::0/0 \
+
from ::0/0 to ::0/0 \
        local egress peer any \
+
local egress peer any \
        psk "XXXXX" \
+
ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
        config address 172.24.24.0/24 \
+
childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
        config address 2001:470:8c78:a0::/64 \
+
srcid swtch.mgk.ro \
        config name-server 172.24.24.1 \
+
config address 172.24.24.0/24 \
        config name-server 2001:470:8c78:a0::1 \
+
config address 2001:470:203a:a0::/64 \
        tag "vpn" tap enc0
+
config name-server 172.24.24.1 \
 +
config name-server 2001:470:203a:a0::1 \
 +
tag "$name-$id"
  
 
Enable the service:
 
Enable the service:
Line 131: Line 149:
 
=== Apple ===
 
=== Apple ===
  
Use the hostname of the server for both "server address" and "remote ID". "Local ID" can be blank. Use authentication setting "none", and fill the "shared secret".
+
You need [https://itunes.apple.com/us/app/apple-configurator-2/id1037126344?mt=12 Apple Configurator 2] to create a MDM profile.
 +
 
 +
Use the hostname of the server for both "server address" and "remote ID". "Local ID" should be the FQDN you used when creating the client certificate. Load the exported certificates (both the CA and the client certificate) in the MDM profile.
  
 
== References ==
 
== References ==
Line 141: Line 161:
 
* [https://tools.ietf.org/html/rfc5996 RFC5996 | Internet Key Exchange Protocol Version 2 (IKEv2)]
 
* [https://tools.ietf.org/html/rfc5996 RFC5996 | Internet Key Exchange Protocol Version 2 (IKEv2)]
 
* [https://tools.ietf.org/html/rfc2401 RFC2401 | Security Architecture for the Internet Protocol]
 
* [https://tools.ietf.org/html/rfc2401 RFC2401 | Security Architecture for the Internet Protocol]
 +
* [https://www.going-flying.com/blog/protecting-my-macos-and-ios-devices-with-an-openbsd-vpn.html Protecting my macOS and iOS devices with an OpenBSD VPN]

Latest revision as of 16:07, 10 May 2019


Introduction

We'll implement a VPN gateway IPSec/IKEv2 because it's natively supported both by clients (Linux/Windows/macOS) and the server (OpenBSD), no extra software required.

Prerequisites

Make sure you have OpenBSD installed. All the command below run as root. We assume both IPv4 and IPv6 (for IPv6 see e.g. OpenBSD HE IPv6 tunnel).

Enabled IP forwarding

echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf
echo 'net.inet6.ip6.forwarding=1' >> /etc/sysctl.conf
sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip6.forwarding=1

Create virtual network interface

echo 'inet 172.24.24.1 255.255.255.0 172.24.24.255' > /etc/hostname.enc0
echo 'inet6 2001:470:8c78:a0::1 64' >> /etc/hostname.enc0
echo 'up' >> /etc/hostname.enc0

Configure unbound, so VPN clients can have DNS server

vi /var/unbound/etc/unbound.conf

Use:

server:
	interface: 172.24.24.1
	interface: 2001:470:8c78:a0::1
	interface: 127.0.0.1
	interface: ::1

	access-control: 0.0.0.0/0 refuse
	access-control: ::0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: 172.24.24.1/24 allow
	access-control: 2001:470:8c78::/48 allow
	access-control: ::1 allow

	do-not-query-localhost: no
	hide-identity: yes
	hide-version: yes

forward-zone:
	name: "."
	forward-addr: 74.82.42.42	# he.net
	forward-addr: 2001:470:20::2	# he.net v6

remote-control:
	control-enable: yes
	control-use-cert: no
	control-interface: /var/run/unbound.sock

Enable the service:

rcctl enable unbound

Configure the firewall

The firewall should do some sort of NAT. I'm not sure if the config below does more than it needs to, but it seems to work.

cat <<EOF >/etc/pf.conf
set skip on lo

block return    # block stateless traffic
pass            # establish keep-state

# NAT
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
pass quick proto udp from any to self port {isakmp, ipsec-nat-t} keep state
pass on enc0 from any to self keep state (if-bound)

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
EOF
pfctl -f  /etc/pf.conf

Configure iked

Create the CA and the client certificates

ikectl ca VPN create
ikectl ca VPN install
ikectl ca VPN certificate swtch.mgk.ro create server
ikectl ca VPN certificate swtch.mgk.ro install
ikectl ca VPN certificate emerald.local create client
ikectl ca VPN certificate emerald.local install

ikectl ca VPN certificate emerald.local export

Move emerald.local.tgz to client machine.

iked.conf

We are using certificates (default).

vi /etc/iked.conf

Use:

ikev2 "vpn" passive esp \
	from 0.0.0.0/0 to 0.0.0.0/0 \
	from ::0/0 to ::0/0 \
	local egress peer any \
	ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
	childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
	srcid swtch.mgk.ro \
	config address 172.24.24.0/24 \
	config address 2001:470:203a:a0::/64 \
	config name-server 172.24.24.1 \
	config name-server 2001:470:203a:a0::1 \
	tag "$name-$id"

Enable the service:

chmod 0600 /etc/iked.conf  
rcctl enable iked

Make sure you set iked_flags in /etc/rc.conf.local:

rcctl set iked flags -6

Otherwise you will not have IPv6 connectivity, even outside the VPN!

Restart networking

sh /etc/netstart

Start the daemons

rcctl start unbound
rcctl start iked

Extra firewall

If you have another firewall in front of your VPN gateway, you need to open UDP ports 500, 4500, and ESP (IP protocol 50).

Configure clients

Apple

You need Apple Configurator 2 to create a MDM profile.

Use the hostname of the server for both "server address" and "remote ID". "Local ID" should be the FQDN you used when creating the client certificate. Load the exported certificates (both the CA and the client certificate) in the MDM profile.

References