OpenBSD VPN gateway using IPSec/IKEv2

2,647 bytes added, 20:17, 5 February 2019
Created page with "== Introduction == We'll implement a VPN gateway IPSec/IKEv2 because it's supported natively both by clients (linux/windows/macOS) and the server (OpenBSD), no extra software..."
== Introduction ==

We'll implement the VPN gateway with IPsec/IKEv2 because it is supported natively by both the clients (Linux/Windows/macOS) and the server (OpenBSD); no extra software is required.

== Prerequisites ==

Make sure you have [[OpenBSD Post Install Steps|OpenBSD installed]]. All the commands below run as root.

== Enable IP forwarding ==

echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf

== Create virtual network interface ==

echo 'inet 172.24.24.1 255.255.255.0 172.24.24.255' > /etc/hostname.enc0
echo 'up' >> /etc/hostname.enc0

== Configure unbound so VPN clients have a DNS server ==

cat <<EOF >/var/unbound/etc/unbound.conf
server:
interface: 172.24.24.1
interface: 127.0.0.1
interface: ::1

access-control: 0.0.0.0/0 refuse
access-control: ::0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 172.24.24.1/24 allow
access-control: ::1 allow

do-not-query-localhost: no
hide-identity: yes
hide-version: yes

forward-zone:
name: "."
forward-addr: 74.82.42.42 # he.net
forward-addr: 2001:470:20::2 # he.net v6

remote-control:
control-enable: yes
control-use-cert: no
control-interface: /var/run/unbound.sock
EOF
rcctl enable unbound

== Configure the firewall ==

The firewall should do some sort of NAT. I'm not sure if the config below does more than it needs to, but it seems to work.

cat <<EOF >/etc/pf.conf
set skip on lo

block return # block stateless traffic
pass # establish keep-state

# NAT
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
pass quick proto udp from any to self port {isakmp, ipsec-nat-t} keep state
pass on enc0 from any to self keep state (if-bound)

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
EOF
pfctl -f /etc/pf.conf

== Configure iked ==

For now we use pre-shared keys.

cat <<'EOF' >/etc/iked.conf
ikev2 "vpn" passive ipcomp esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local egress peer any \
psk "XXXXXXXXXXX" \
config address 172.24.24.0/24 \
config name-server 172.24.24.1 \
tag "vpn" tap enc0
EOF
chmod 0600 /etc/iked.conf
rcctl enable iked
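An added check, not part of this wiki page: a small POSIX sh function that audits /etc/iked.conf before iked is started, verifying that the file is mode 0600 and that the psk has been replaced by a real secret rather than the "XXXXXXXXXXX" placeholder. The 20-character minimum and the new_psk helper (which uses the openssl rand subcommand shipped with OpenBSD) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the wiki page. Audits an iked.conf written by the
# heredoc above: mode must be 0600 and the psk must be a real secret.

# Generate a fresh pre-shared key (assumption: openssl(1) is available).
new_psk() {
    openssl rand -base64 32
}

# Returns 0 if the config passes, 1 otherwise, with a reason on stdout.
audit_iked_conf() {
    f="${1:-/etc/iked.conf}"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }

    # The file holds a secret: require exactly mode 0600 (find -perm is POSIX).
    [ -n "$(find "$f" -perm 600)" ] || { echo "mode of $f is not 0600"; return 1; }

    # Pull the quoted value after the psk keyword (works whether or not the
    # backslash line continuations survived into the file).
    psk=$(sed -n 's/.*psk[[:space:]]*"\([^"]*\)".*/\1/p' "$f" | head -n 1)
    [ -n "$psk" ] || { echo "no psk statement found in $f"; return 1; }

    # A key made only of X characters is the page's placeholder, not a secret.
    case "$psk" in
        *[!X]*) ;;
        *) echo "psk is still the XXXXXXXXXXX placeholder"; return 1 ;;
    esac

    # Assumed minimum length for a pre-shared key (20 characters).
    [ "${#psk}" -ge 20 ] || { echo "psk too short (${#psk} chars)"; return 1; }
    return 0
}
```

Run `audit_iked_conf` (it defaults to /etc/iked.conf) before `rcctl start iked`; a non-zero exit means the reason printed should be fixed first.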

== Restart networking ==

sh /etc/netstart

== Start the daemons ==

rcctl start unbound
rcctl start iked

== Configure clients ==

=== Apple ===

Use the hostname of the server for both "server address" and "remote ID". "Local ID" can be left blank. Set the authentication setting to "none" and fill in the "shared secret".