OpenBSD VPN gateway using IPSec/IKEv2

From Aram's Wiki
Revision as of 20:34, 5 February 2019

Introduction

We'll implement the VPN gateway with IPsec/IKEv2 because the protocol is supported natively on the server side (OpenBSD ships iked) and on Windows, macOS and iOS clients with no extra software; Linux has the IPsec stack in the kernel but needs an IKE daemon such as strongSwan to negotiate the tunnel.

Prerequisites

Make sure you have OpenBSD installed. All the commands below run as root.

Enable IP forwarding

echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf
sysctl net.inet.ip.forwarding=1

Create the virtual network interface (enc0, where iked will expose the decrypted VPN traffic)

echo 'inet 172.24.24.1 255.255.255.0 172.24.24.255' > /etc/hostname.enc0
echo 'up' >> /etc/hostname.enc0

Configure unbound so the VPN clients have a DNS resolver on the gateway

vi /var/unbound/etc/unbound.conf

Use:

server:
	# Listen only on the VPN gateway address and loopback
	interface: 172.24.24.1
	interface: 127.0.0.1
	interface: ::1

	# Refuse everyone, then allow loopback and the VPN pool
	access-control: 0.0.0.0/0 refuse
	access-control: ::0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: 172.24.24.0/24 allow
	access-control: ::1 allow

	# Only matters when forwarding to a resolver on localhost; harmless here
	do-not-query-localhost: no
	# Do not answer id.server / version.server queries
	hide-identity: yes
	hide-version: yes

# Forward everything to the upstream resolvers (plain port 53, so the
# clients' queries leave the gateway unencrypted)
forward-zone:
	name: "."
	forward-addr: 74.82.42.42	# he.net
	forward-addr: 2001:470:20::2	# he.net v6

# Control socket for unbound-control(8); a Unix socket needs no certificates
remote-control:
	control-enable: yes
	control-use-cert: no
	control-interface: /var/run/unbound.sock

Enable the service:

rcctl enable unbound

Configure the firewall

The firewall has to NAT the VPN clients' traffic out through the egress interface and let IKE reach the gateway. I'm not sure whether the config below does more than it needs to, but it works.

cat <<EOF >/etc/pf.conf
set skip on lo

block return    # block stateless traffic
pass            # establish keep-state; this is the stock OpenBSD default and
                # passes all inbound traffic to the gateway, so tighten it on
                # an Internet-facing host

# Normalise packets and clamp MSS so TCP fits inside the ESP tunnel
match in all scrub (no-df random-id max-mss 1440)

# NAT: traffic not originating from the egress network (i.e. the VPN
# clients) is rewritten to the egress address as it leaves
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# IKEv2 on UDP 500 and NAT-T on UDP 4500
pass quick proto udp from any to self port {isakmp, ipsec-nat-t} keep state

# Decrypted VPN traffic arrives on enc0 (iked "tap enc0")
pass on enc0 from any to self keep state (if-bound)

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
EOF
pfctl -f /etc/pf.conf
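The ruleset above is the stock OpenBSD pf.conf plus NAT and an IKE rule, and its "pass" catch-all admits all inbound traffic to the gateway. The script below is an added example, not part of the wiki page: it renders a default-deny ruleset that exposes only IKE/NAT-T, ESP and SSH on egress, NATs just the VPN pool, and only lets decrypted enc0 traffic go to the resolver and the Internet. SSH administration, the 172.24.24.0/24 pool and the "egress" group are assumptions; pfctl -n is only run when the binary exists, i.e. on the gateway.

```sh
#!/bin/sh
# Added example, not from the wiki page: render a default-deny pf.conf for the
# IKEv2 gateway to the path in $1 and syntax-check it with pfctl(8) when that
# binary exists (i.e. on the OpenBSD gateway itself).
#
# Assumptions not stated on the page: the gateway is administered over SSH,
# the VPN pool is 172.24.24.0/24 on enc0, and "egress" is the interface group
# holding the default route.

VPN_NET="172.24.24.0/24"

# Write the ruleset.  \$vpn_net stays literal so pf expands the macro;
# $VPN_NET is expanded by the shell while writing.
write_pf_conf() {
    out="$1"
    cat > "$out" <<EOF
set skip on lo

vpn_net = "$VPN_NET"

# Normalise packets and clamp MSS so TCP fits inside the ESP tunnel.
match in all scrub (no-df random-id max-mss 1440)

# NAT only the VPN clients' decrypted traffic as it leaves via the default route.
match out on egress inet from \$vpn_net to any nat-to (egress:0)

# Default deny (silent drop), logged.  Replaces the stock "pass" catch-all.
block log all

# Stock hardening, placed before the quick pass rules so it still matches:
# the ports build user gets no network.  (The stock X11 block is covered
# by the default deny.)
block return out quick log proto { tcp udp } user _pbuild

# The gateway may originate traffic: DNS forwarding, outgoing ESP, updates.
pass out quick keep state

# ICMP needed for path MTU discovery and IPv6 neighbour discovery.
pass in quick inet proto icmp all icmp-type { echoreq, unreach }
pass in quick inet6 proto icmp6 all icmp6-type { echoreq, toobig, neighbrsol, neighbradv, routeradv }

# IKEv2 (UDP 500), NAT-T (UDP 4500) and raw ESP for clients not behind NAT.
pass in quick on egress proto udp from any to (egress) port { isakmp, ipsec-nat-t }
pass in quick on egress proto esp from any to (egress)

# Remote administration (assumption: SSH).
pass in quick on egress proto tcp from any to (egress) port ssh

# Decrypted client traffic appears on enc0 (iked "tap enc0"): let it reach
# the gateway's resolver and the Internet; nothing else enters on enc0.
pass in quick on enc0 inet from \$vpn_net to any keep state (if-bound)
EOF
}

# Returns 0 if pfctl accepts the ruleset, or if pfctl is absent (the file is
# being rendered on a non-OpenBSD host); nonzero on a syntax error.
check_pf_conf() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not found, skipping syntax check of $1" >&2
        return 0
    fi
}

# Stand-alone use on the gateway:  sh mkpf.sh /etc/pf.conf  (script name assumed),
# then "pfctl -f /etc/pf.conf" once the check passes.
if [ -n "$1" ]; then
    write_pf_conf "$1"
    check_pf_conf "$1"
fi
```

Load it with pfctl -f only after pfctl -nf accepts it; with a default-deny policy a typo in the ssh rule locks you out of a remote gateway, so keep a console or a scheduled rollback handy the first time.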

Configure iked

For now we authenticate with a pre-shared key. One PSK is shared by every client and, with "peer any", anyone who obtains it can connect and be handed a pool address, so use a long random key and keep the file readable by root only (hence the chmod below).

vi /etc/iked.conf

Use:

# Road-warrior policy: wait for IKEv2 from any peer (passive), authenticate
# with the PSK, hand out addresses from 172.24.24.0/24 and point clients at
# the gateway's unbound.  Flows of 0.0.0.0/0 tunnel all client traffic;
# decrypted packets are exposed on enc0 so pf can filter and NAT them.
ikev2 "vpn" passive ipcomp esp \
	from 0.0.0.0/0 to 0.0.0.0/0 \
	local egress peer any \
	psk "XXXXXXXXXXX" \
	config address 172.24.24.0/24 \
	config name-server 172.24.24.1 \
	tag "vpn" tap enc0

Enable the service:

chmod 0600 /etc/iked.conf
rcctl enable iked
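The psk placeholder above needs a real secret, and the chmod only runs after the file already exists. The script below is an added example and not part of the wiki page: it generates a 256-bit random key, renders iked.conf with the page's own policy under umask 077 so the secret is never readable by other users even briefly, and syntax-checks the result with iked -n -f when iked is present. The key length, the output-path argument and the ls-based permission check are my choices, not the page's.

```sh
#!/bin/sh
# Added example, not from the wiki page: generate a random pre-shared key and
# render iked.conf from it without the secret ever being world-readable.
# The output path is a parameter so the script can be dry-run anywhere;
# on the gateway you would pass /etc/iked.conf.
#
# Assumptions not on the page: 32 random bytes (256 bits) is the PSK size,
# the policy uses the page's pool/resolver addresses, and "iked -n -f FILE"
# is only available on the OpenBSD host.

# Print 32 bytes from /dev/urandom as 64 lowercase hex characters.
gen_psk() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Render iked.conf for the road-warrior setup.  $1 = output path, $2 = PSK.
# umask 077 in a subshell makes the file 0600 at creation, so there is no
# window in which the secret is readable by others (unlike "write, then chmod").
write_iked_conf() {
    out="$1"
    psk="$2"
    (
        umask 077
        cat > "$out" <<EOF
ikev2 "vpn" passive ipcomp esp \\
	from 0.0.0.0/0 to 0.0.0.0/0 \\
	local egress peer any \\
	psk "$psk" \\
	config address 172.24.24.0/24 \\
	config name-server 172.24.24.1 \\
	tag "vpn" tap enc0
EOF
    )
}

# Permission string of a file as printed by ls(1), e.g. "-rw-------".
# Avoids the GNU/BSD differences in stat(1) flags.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Syntax-check the rendered file with iked when present; returns 0 otherwise.
check_iked_conf() {
    if command -v iked >/dev/null 2>&1; then
        iked -n -f "$1"
    else
        echo "iked not found, skipping syntax check of $1" >&2
        return 0
    fi
}

# Stand-alone use on the gateway:  sh mkiked.sh /etc/iked.conf  (script name assumed).
# The key is only written to the file; read it from there when configuring clients.
if [ -n "$1" ]; then
    write_iked_conf "$1" "$(gen_psk)"
    echo "rendered $1 with mode $(file_mode "$1")"
    check_iked_conf "$1"
fi
```

After rendering, "rcctl enable iked" and the rest of the procedure proceed as on the page; rotating the key later is the same script run again followed by "rcctl restart iked", and every client has to be updated at once because the PSK is shared.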

Restart networking

sh /etc/netstart

Start the daemons

rcctl start unbound
rcctl start iked

Configure clients

Apple

In the Apple VPN client, add a VPN of type IKEv2. Use the hostname of the server for both "server address" and "remote ID" (iked identifies itself with its srcid, which defaults to the gateway's hostname when not set). "Local ID" can be blank. Set authentication to "none" (no certificate or EAP user authentication) and fill in the "shared secret" with the psk from iked.conf.

References

* iked.conf(5): https://man.openbsd.org/iked.conf.5
* unbound.conf(5): https://man.openbsd.org/unbound.conf
* pf.conf(5): https://man.openbsd.org/pf.conf
* RFC 5996, Internet Key Exchange Protocol Version 2 (IKEv2): https://tools.ietf.org/html/rfc5996
* RFC 2401, Security Architecture for the Internet Protocol: https://tools.ietf.org/html/rfc2401