betabug... Sascha Welter


OpenBSD VPN setup

OpenBSD, server side VPN setup

On OpenBSD 4.6-stable, I'm using this as my /etc/ipsec.conf file:

ike passive from any to any \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes \
psk super_secret_pskey_goes_here

Obviously I'm using a real, secret PSK here, generated as instructed in the man page to give me 160 bits of entropy.

The plan for the future is to move to public key authentication.
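As an added example (my own script, not from the original page), here is a POSIX shell version of the key handling the page describes: it draws 20 random bytes (160 bits of entropy) for the PSK, refuses the placeholder key, and writes the ipsec.conf shown above with the real key while creating the file with mode 0600, since it holds the secret in plaintext. The function names, the output path and the guarded ipsecctl -n parse check at the end are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: generate the PSK with 160 bits
# of entropy and render the page's ipsec.conf with it. Function names and
# the output path are assumptions of this example.
set -eu

# 20 random bytes = 160 bits of entropy, printed as 40 hex characters.
gen_psk() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 20
    else
        od -An -tx1 -N20 /dev/urandom | tr -d ' \n'
        echo
    fi
}

# Reject the placeholder from the page and anything shorter than 40 hex chars.
check_psk() {
    psk=$1
    case $psk in
        *super_secret*) return 1 ;;
    esac
    [ ${#psk} -ge 40 ]
}

# Write the page's ipsec.conf with a real key. The file holds the secret in
# plaintext, so it is created with mode 0600 (umask in a subshell so the
# caller's umask is untouched). Returns 1 if the key is unacceptable.
render_ipsec_conf() {
    out=$1 psk=$2
    check_psk "$psk" || return 1
    (
        umask 077
        cat > "$out" <<EOF
ike passive from any to any \\
    main auth hmac-sha1 enc aes group modp1024 \\
    quick auth hmac-sha1 enc aes \\
    psk $psk
EOF
    )
    # On OpenBSD, parse the result without loading it; skipped elsewhere.
    if command -v ipsecctl >/dev/null 2>&1; then
        ipsecctl -n -f "$out"
    fi
}
```

Run it as root on the gateway and point the output at /etc/ipsec.conf; the ipsecctl step only runs where that tool exists.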

isakmpd and sysctl setup

I've followed the usual instructions to set up the sysctl(3) knobs for ESP and AH (see man ipsec) and for NAT. I'm running isakmpd with a simple isakmpd -K4 (no KeyNote policy checks, IPv4 only) -- yeah, I don't have any IPv6 yet, blame me if you run out of IPs any day now.

I've also set /etc/hostname.enc0 to "up".

For these steps the IPsec on OpenBSD chapter of "Building VPNs on OpenBSD" was very helpful. There is actually a lot of info in the man pages, but sometimes a greenhorn needs to be taken by the hand to find a starting point.

pf.conf, the IPsec-specific parts

There is some IPsec-specific stuff in my pf.conf file; most of it is taken from the IPsec on OpenBSD chapter mentioned above:

# ... lots of other stuff ...

# NAT for the VPN
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# ... more stuff, starting with a ``block in all``, till we get to the ``pass out`` rules ... and finally
# vpn stuff:
pass out on $ext_if inet proto esp from $ext_if to any \
     queue(std_out, ssh_im_out)
pass out on $ext_if inet proto udp from $ext_if to any \
     port {isakmp, ipsec-nat-t}
pass out on enc0 inet proto ipencap from $ext_if to any \
     keep state (if-bound)
pass out on enc0 inet from $int_if:network to any keep state (if-bound)

# ... we then have lots of other stuff again ... until we get to the ``pass in`` rules ... and finally to
# vpn stuff:
pass in on $ext_if inet proto esp from any to $ext_if
pass in on $ext_if inet proto udp from any to $ext_if port {isakmp, ipsec-nat-t}
pass in on enc0 inet proto ipencap from any to $ext_if keep state (if-bound)
pass in on enc0 inet from any to $int_if:network keep state (if-bound)

# after which I have *this*, which I'm not sure I need... I should try with/without it and see :-)
# for VPN, may be redundant. Note that "set skip" turns pf filtering off entirely on enc0,
# so while this line is in place the enc0 pass rules above are never consulted:
set skip on enc0