OpenBSD VPN gateway using IPSec/IKEv2

1,531 bytes added, 16:07, 10 May 2019
Create VPN CA and client certificates
[[Category:OpenBSD]]
[[Category:VPN]]
[[Category:Networking]]
 
== Introduction ==
== Prerequisites ==
Make sure you have [[OpenBSD Post Install Steps|OpenBSD installed]]. All the commands below run as root. We assume both IPv4 and IPv6 are available (for IPv6 see e.g. [[OpenBSD HE IPv6 tunnel]]).
== Enable IP forwarding ==
echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf
echo 'net.inet6.ip6.forwarding=1' >> /etc/sysctl.conf
sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip6.forwarding=1
== Create virtual network interface ==
echo 'inet 172.24.24.1 255.255.255.0 172.24.24.255' > /etc/hostname.enc0
echo 'inet6 2001:470:8c78:a0::1 64' >> /etc/hostname.enc0
echo 'up' >> /etc/hostname.enc0
== Configure unbound ==
Configure unbound (/var/unbound/etc/unbound.conf) to listen on the VPN addresses, so it can act as the name server pushed to VPN clients:
server:
interface: 172.24.24.1
interface: 2001:470:8c78:a0::1
interface: 127.0.0.1
interface: ::1
access-control: 127.0.0.0/8 allow
access-control: 172.24.24.1/24 allow
access-control: 2001:470:8c78::/48 allow
access-control: ::1 allow
== Configure iked ==
So far we

=== Create the CA and the client certificates ===
ikectl ca VPN create
ikectl ca VPN install
ikectl ca VPN certificate swtch.mgk.ro create server
ikectl ca VPN certificate swtch.mgk.ro install
ikectl ca VPN certificate emerald.local create client
ikectl ca VPN certificate emerald.local install
ikectl ca VPN certificate emerald.local export
Move emerald.local.tgz to the client machine.

=== iked.conf ===
We are using certificates (the default), so the policy has no psk line: iked authenticates with the certificate matching srcid as long as no pre-shared key is configured. If you want pre-shared keys instead, add psk "XXXXXXXXXXX" to the policy.
vi /etc/iked.conf
Use:
ikev2 "vpn" passive ipcomp esp \
	from 0.0.0.0/0 to 0.0.0.0/0 \
	from ::0/0 to ::0/0 \
	local egress peer any \
	ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
	childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
	srcid swtch.mgk.ro \
	config address 172.24.24.0/24 \
	config address 2001:470:203a:a0::/64 \
	config name-server 172.24.24.1 \
	config name-server 2001:470:203a:a0::1 \
	tag "vpn$name-$id" tap enc0
Enable and start the services. Make sure iked is started with the -6 flag (this sets iked_flags in /etc/rc.conf.local):
rcctl set iked flags -6
Otherwise you will not have IPv6 connectivity, even outside the VPN!
rcctl enable unbound
rcctl enable iked
rcctl start unbound
rcctl start iked
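A small sanity check for the settings above (both IPv4 and IPv6 flows, srcid, pushed name servers, no psk line when certificate authentication is intended, the -6 flag and the forwarding sysctls). This is an added example, not code from the wiki page or from OpenBSD; the function names are my own and the file contents are constructed so it runs anywhere.

```shell
#!/bin/sh
# Lint for the gateway settings above: IPv4 and IPv6 flows, srcid, pushed
# name servers, no stray psk (certificate auth is wanted) and iked's -6 flag.
# Hypothetical helper, not from the wiki page or from OpenBSD; the sample
# files are constructed below. On the gateway point it at /etc/iked.conf,
# /etc/rc.conf.local and /etc/sysctl.conf instead.

# has_kw FILE KEYWORD: match a keyword even on a backslash-continued line.
has_kw() { grep -Eq "(^|[[:space:]])$2([[:space:]]|\$)" "$1"; }

# check_iked_conf FILE: 0 when the policy looks complete, 1 otherwise.
check_iked_conf() {
    rc=0
    grep -q 'from 0.0.0.0/0 to 0.0.0.0/0' "$1" || { echo "no IPv4 flow"; rc=1; }
    grep -q 'from ::0/0 to ::0/0' "$1"       || { echo "no IPv6 flow"; rc=1; }
    has_kw "$1" srcid       || { echo "no srcid"; rc=1; }
    has_kw "$1" name-server || { echo "no name-server pushed to clients"; rc=1; }
    # iked falls back to certificate authentication only when no psk is set
    if has_kw "$1" psk; then echo "psk present: certificate auth is off"; rc=1; fi
    return $rc
}

# check_iked_flags FILE: rc.conf.local must start iked with -6, otherwise
# iked blocks IPv6 traffic even outside the VPN.
check_iked_flags() { grep -Eq '^iked_flags="?(-6|.* -6)( |"|$)' "$1"; }

# check_forwarding FILE: both forwarding sysctls persisted in sysctl.conf.
check_forwarding() {
    grep -q '^net.inet.ip.forwarding=1' "$1" && grep -q '^net.inet6.ip6.forwarding=1' "$1"
}

# Constructed sample mirroring the certificate-based configuration above.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/iked.conf" <<'EOF'
ikev2 "vpn" passive ipcomp esp \
    from 0.0.0.0/0 to 0.0.0.0/0 \
    from ::0/0 to ::0/0 \
    local egress peer any \
    srcid swtch.mgk.ro \
    config address 172.24.24.0/24 \
    config name-server 172.24.24.1 \
    tag "vpn$name-$id" tap enc0
EOF
printf 'iked_flags=-6\n' > "$tmp/rc.conf.local"
printf 'net.inet.ip.forwarding=1\nnet.inet6.ip6.forwarding=1\n' > "$tmp/sysctl.conf"
check_iked_conf  "$tmp/iked.conf"     && echo "iked.conf: ok"
check_iked_flags "$tmp/rc.conf.local" && echo "rc.conf.local: ok"
check_forwarding "$tmp/sysctl.conf"   && echo "sysctl.conf: ok"
```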
 
== Extra firewall ==
 
If you have another firewall in front of your VPN gateway, it needs to allow UDP ports 500 (IKE) and 4500 (NAT-T) and the ESP protocol (IP protocol 50) to the gateway.
== Configure clients ==
=== Apple ===
You need [https://itunes.apple.com/us/app/apple-configurator-2/id1037126344?mt=12 Apple Configurator 2] to create an MDM profile. Use the hostname of the server for both "server address" and "remote ID". "Local ID" should be the FQDN you used when creating the client certificate (emerald.local above). Load the exported certificates (both the CA and the client certificate) into the MDM profile.
== References ==
* [https://tools.ietf.org/html/rfc5996 RFC5996 | Internet Key Exchange Protocol Version 2 (IKEv2)]
* [https://tools.ietf.org/html/rfc2401 RFC2401 | Security Architecture for the Internet Protocol]
* [https://www.going-flying.com/blog/protecting-my-macos-and-ios-devices-with-an-openbsd-vpn.html Protecting my macOS and iOS devices with an OpenBSD VPN]