Configuring OpenIKED
(redirected from Openbsd.Iked)
OpenIKED is OpenBSD's native VPN solution. It is included with the base system, so no installation will be necessary. It allows us to use IPSec to provide users with a VPN for security, privacy, and freedom of information.
Pros:
- Clean
- Secure
- Interoperable
- Simple to Configure
This configuration is for a road warrior setup, where a user wants to connect his device to a network (rather than connecting two networks).
Configure iked.conf
Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address and vpn.ircnow.org with your domain):
user 'username' 'password' ikev2 'vpn.ircnow.org' passive esp \ from 0.0.0.0/0 to 0.0.0.0/0 \ local 203.0.113.5 peer any \ srcid vpn.ircnow.org \ eap "mschap-v2" \ config address 10.0.5.0/24 \ config name-server 203.0.113.5 \ tag "ROADW"
The 'from' rule allows any user to connect. The name-server provides the name-server that vpn clients will use. So in this example, you must have a valid caching name server running on IP 203.0.113.5. Note that these packets will get tagged as ROADW.
iked depends upon packet filter being enabled. First, you must make sure to enable packet filter if it is off:
$ doas pfctl -e
Add this to /etc/pf.conf:
pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED pass in inet proto esp tag IKED pass on enc0 inet tagged ROADW match out on $ext_if inet tagged ROADW nat-to $ext_if match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53
where ext_if is your external interface.
To find your external interface, type:
$ ifconfig
The external interface is the one with the public IP address. If OpenBSD is run on a virtual machine, the external interface is probably vio0.
To reload the new pf ruleset:
$ doas pfctl -f /etc/pf.conf
At this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. From the command line, run:
# ikectl ca vpn create # ikectl ca vpn install certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl # ikectl ca vpn certificate example.com create # ikectl ca vpn certificate example.com install writing RSA key
Replace example.com
with your actual domain.
Users of the VPN will need to download /etc/iked/ca/ca.crt
to their device. The easiest way is to use openhttpd and serve the file over the web.
# cp /etc/iked/ca/ca.crt /var/www/htdocs/example.com/ # chown www:daemon /var/www/htdocs/example.com/ca.crt
If the web server is configured correctly, users can then download the file at https://example.com/ca.crt
.
We will use unbound as the caching DNS resolver. Our servers have static IP addresses so we do not use DHCP (if DHCP is used, you must ignore the provided name servers):
/etc/resolv.conf:
nameserver 127.0.0.1 lookup file bind
/etc/resolv.conf.tail:
lookup file bind
/var/unbound/etc/unbound.conf:
outgoing-interface: 203.0.113.5 access-control: 10.0.0.0/8 allow ... local-zone: "www.domain.com" static ... forward-zone: forward-addr: 185.121.177.177 forward-addr: 169.239.202.202 ...
The local-zone lines are only needed if you want to filter/censor domains. You can obtain a list of domains to block using StevenBlack's hosts files. I used the unified hosts + porn + gambling filter to block unwanted content.
$ ftp https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts
We need to reformat this hosts file:
$ awk '!/^ *#/ && NF' hosts > newhosts # taken from stevenblack's list $ sed 's/0\.0\.0\.0 \([^#]*\).*$/local-zone: "\1" static/' newhosts > newhosts2 $ sed 's/ "/"/' newhosts2 > newhosts3
Manually check for malformed entries, then put this into /var/unbound/etc/unbound.conf.
Add this to /etc/sysctl.conf:
net.inet.ip.forwarding=1 net.inet6.ip6.forwarding=1 net.inet.ipcomp.enable=1 net.inet.esp.enable=1 net.inet.ah.enable=1
Run this once:
$ doas sysctl net.inet.ip.forwarding=1 $ doas sysctl net.inet6.ip6.forwarding=1 $ doas sysctl net.inet.ipcomp.enable=1 $ doas sysctl net.inet.esp.enable=1 $ doas sysctl net.inet.ah.enable=1
IP forwarding allows the server to forward the user's packets to their final destination.
Tighten file permissions, then start iked:
$ doas chmod 0600 /etc/iked.conf $ doas rcctl enable iked $ doas rcctl start iked
Note: You may consider using blacklists from here: https://dsi.ut-capitole.fr/blacklists/index_en.php https://github.com/4skinSkywalker/anti-porn-hosts-file/blob/master/HOSTS.txt https://mirror1.malwaredomains.com/files/justdomains https://blocklist.site/app/dl/piracy https://blocklist.site/app/dl/torrent https://mirror1.malwaredomains.com/files/justdomains https://github.com/mmotti/pihole-regex/blob/master/regex.list https://blocklist.site/app/dl/porn
Banned networks:
irc.p2p-network.net irc.gazellegames.net irc.nzbs.in
Troubleshooting
Running iked in debug mode can provide valuable info about errors in configuration.
First, turn off iked if it is running:
$ doas rcctl stop iked
Check to make sure no iked processes are running:
$ ps ax | grep iked
Then, run iked in debug mode:
$ doas iked -dv
-d will cause iked to not daemonize, and -v will report errors verbosely.