== Configure iked ==
Edit the configuration file:
 vi /etc/iked.conf
Use the following, replacing the placeholder PSK and the address pools with your own (with "peer any" every client shares the one PSK, so treat it as a group secret and rotate it when a device is lost):
 ikev2 "vpn" passive ipcomp esp \
 	from 0.0.0.0/0 to 0.0.0.0/0 \
 	from ::0/0 to ::0/0 \
 	local egress peer any \
 	psk "XXXXX" \
 	ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
 	childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
 	srcid swtch.mgk.ro \
 	config address 172.24.24.0/24 \
 	config address 2001:470:8c78203a:a0::/64 \
 	config name-server 172.24.24.1 \
 	config name-server 2001:470:8c78203a:a0::1 \
 	tag "vpn$name-$id" tap enc0
The file holds the shared secret, so keep it readable by root only (mode 0600). Note that the IPv6 prefix as written is not a valid address (the group "8c78203a" has more than four hex digits); substitute your own /64 for the pool and the name server.
Check the file (iked -n is configtest mode) and enable the service:
 iked -n
 rcctl enable iked
 rcctl start iked
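As an added example (not part of the original page), this POSIX shell script generates a strong pre-shared key, writes the iked.conf shown above with it in place of "XXXXX", and runs the checks worth doing before starting iked: no placeholder secret left behind, no proposal a practitioner would reject today, and iked's own configtest when the command is present. The IPv4 pool, hostname and tag are the page's own; the IPv6 pool uses the RFC 3849 documentation prefix as a stand-in, and the output path is whatever you pass in.

```shell
#!/bin/sh
# Added example: build /etc/iked.conf with a random PSK instead of "XXXXX".
# The 2001:db8:0:1::/64 pool below is a documentation-prefix placeholder, an
# assumption of this example, not the page's real prefix.
set -eu

# 32 random bytes as 64 hex characters; iked treats the psk as an opaque string
# and hex keeps it safe for the sed substitution below.
gen_psk() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# $1 = psk, $2 = output path. The quoted heredoc keeps the backslashes and
# $name/$id literal; only @PSK@ is substituted. umask runs in a subshell so
# the file is created 0600 without changing the caller's umask.
write_iked_conf() {
    psk=$1 out=$2
    (
        umask 077
        sed "s/@PSK@/$psk/" > "$out" <<'EOF'
ikev2 "vpn" passive ipcomp esp \
	from 0.0.0.0/0 to 0.0.0.0/0 \
	from ::0/0 to ::0/0 \
	local egress peer any \
	psk "@PSK@" \
	ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
	childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
	srcid swtch.mgk.ro \
	config address 172.24.24.0/24 \
	config address 2001:db8:0:1::/64 \
	config name-server 172.24.24.1 \
	config name-server 2001:db8:0:1::1 \
	tag "vpn$name-$id" tap enc0
EOF
    )
}

# Refuse a configuration that still carries the placeholder secret or a
# proposal that should not be offered any more (DES/3DES, MD5, MODP-768/1024).
# When iked is installed (OpenBSD), also run its configtest mode.
check_iked_conf() {
    f=$1
    if grep -q 'psk "XXXXX"' "$f"; then
        echo "$f: placeholder psk" >&2; return 1
    fi
    if grep -Eq 'enc (des|3des)|hmac-md5|group modp(768|1024)' "$f"; then
        echo "$f: weak proposal" >&2; return 1
    fi
    if command -v iked >/dev/null 2>&1; then
        iked -n -f "$f"
    fi
}
```

Typical use on the server: `psk=$(gen_psk); write_iked_conf "$psk" /etc/iked.conf && check_iked_conf /etc/iked.conf`, then `rcctl enable iked && rcctl start iked`. Keep the printed `$psk` for the client profile; it never needs to be typed again if you generate the profile from the same value.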
=== Apple ===
You need [https://itunes.apple.com/us/app/apple-configurator-2/id1037126344?mt=12 Apple Configurator 2] to create an MDM profile with an IKEv2 VPN payload. Use the hostname of the server (the srcid above) for both "server address" and "remote ID". With the pre-shared key configuration above, "local ID" can be blank; use authentication setting "none" and fill in the "shared secret" with the same psk as in iked.conf. If you switch iked to certificate authentication instead, set "local ID" to the FQDN you used when creating the client certificate and load the exported certificates (both the CA and the client certificate) into the profile. The proposal on the client has to match the one in iked.conf (AES-256, SHA2-256 and DH group 14, which is modp2048), otherwise the negotiation fails with NO_PROPOSAL_CHOSEN.
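The profile can also be written without Apple Configurator. The POSIX shell script below is an added example, not code from the page or from Apple: it derives the IKEv2 payload's algorithm settings from the iked proposal tokens so the client offers exactly what iked accepts, and embeds the PSK. Key names are those of the VPN payload in Apple's Configuration Profile Reference; the server name, client identifier and PSK are whatever you pass in (the hex PSK from the previous example is assumed, since the unquoted heredoc would expand shell or XML metacharacters in an arbitrary string).

```shell
#!/bin/sh
# Added example: generate a .mobileconfig whose IKEv2 proposal matches the
# iked.conf proposal. Hostname, client id and PSK are arguments (assumptions).
set -eu

# Map iked.conf proposal tokens to the values Apple's IKEv2 payload expects.
iked_to_apple() {
    case $1 in
        aes-128)        echo AES-128 ;;
        aes-256)        echo AES-256 ;;
        aes-128-gcm)    echo AES-128-GCM ;;
        aes-256-gcm)    echo AES-256-GCM ;;
        hmac-sha1)      echo SHA1-96 ;;
        hmac-sha2-256)  echo SHA2-256 ;;
        hmac-sha2-384)  echo SHA2-384 ;;
        hmac-sha2-512)  echo SHA2-512 ;;
        modp1536)       echo 5 ;;
        modp2048)       echo 14 ;;
        modp3072)       echo 15 ;;
        modp4096)       echo 16 ;;
        ecp256)         echo 19 ;;
        ecp384)         echo 20 ;;
        *) echo "unsupported proposal token: $1" >&2; return 1 ;;
    esac
}

# 128 random bits formatted as a UUID for the payload identifiers (not RFC 4122
# versioned; Apple only needs the value to be unique).
gen_uuid() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n' |
        sed 's/^\(.\{8\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.\{12\}\)$/\1-\2-\3-\4-\5/' |
        tr a-f A-F
}

# $1 server FQDN, $2 client identifier, $3 psk (hex), $4 enc, $5 integrity,
# $6 DH group (all three as iked tokens), $7 output path.
write_mobileconfig() {
    server=$1 client=$2 psk=$3 out=$7
    enc=$(iked_to_apple "$4") auth=$(iked_to_apple "$5") grp=$(iked_to_apple "$6")
    (
        umask 077       # the profile carries the PSK in clear text
        cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadIdentifier</key><string>vpn.$server.ikev2</string>
      <key>PayloadUUID</key><string>$(gen_uuid)</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadDisplayName</key><string>VPN $server</string>
      <key>UserDefinedName</key><string>$server</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>$server</string>
        <key>RemoteIdentifier</key><string>$server</string>
        <key>LocalIdentifier</key><string>$client</string>
        <key>AuthenticationMethod</key><string>SharedSecret</string>
        <key>SharedSecret</key><string>$psk</string>
        <key>ExtendedAuthEnabled</key><integer>0</integer>
        <key>EnablePFS</key><integer>1</integer>
        <key>DeadPeerDetectionRate</key><string>Medium</string>
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key><string>$enc</string>
          <key>IntegrityAlgorithm</key><string>$auth</string>
          <key>DiffieHellmanGroup</key><integer>$grp</integer>
          <key>LifeTimeInMinutes</key><integer>1440</integer>
        </dict>
        <key>ChildSecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key><string>$enc</string>
          <key>IntegrityAlgorithm</key><string>$auth</string>
          <key>DiffieHellmanGroup</key><integer>$grp</integer>
          <key>LifeTimeInMinutes</key><integer>1440</integer>
        </dict>
      </dict>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>vpn.$server</string>
  <key>PayloadUUID</key><string>$(gen_uuid)</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>IKEv2 VPN to $server</string>
</dict>
</plist>
EOF
    )
}
```

Example call: `write_mobileconfig swtch.mgk.ro iphone.example.net "$psk" aes-256 hmac-sha2-256 modp2048 vpn.mobileconfig`, then install the file on the device (Configurator, AirDrop or Mail). The `peer any` rule in the iked.conf above accepts any client identifier, so the second argument only needs to be something you recognise in the iked logs. Because the profile contains the secret, distribute it over a channel you trust and delete the file once it is installed.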
== References ==
* [https://tools.ietf.org/html/rfc5996 RFC5996 | Internet Key Exchange Protocol Version 2 (IKEv2)] (obsoleted by RFC 7296)
* [https://tools.ietf.org/html/rfc2401 RFC2401 | Security Architecture for the Internet Protocol] (obsoleted by RFC 4301)
* [https://www.going-flying.com/blog/protecting-my-macos-and-ios-devices-with-an-openbsd-vpn.html Protecting my macOS and iOS devices with an OpenBSD VPN]