Vpn /

OpenIKED

Server configuration

iked.conf

Add this to /etc/iked.conf (replace vpn_user_name and vpn_user_password with the username and password you will use to connect, and replace 203.0.113.5 with your server's public IP address and vpn.ircnow.org with vpn.your.domain, i.e.: vpn.user.host.ircnow.org):

doas vi /etc/iked.conf

vpn_user_name = "vpn-user" 
vpn_user_password = "vpn-password"

remote_gw = "203.0.113.5" 
vpn_id = "vpn.ircnow.org" 
client_pool = "10.0.5.0/24" 
client_dns = "203.0.113.5" 

user $vpn_user_name $vpn_user_password
ikev2 'user_vpn' passive esp \
    from any to dynamic \
    local $remote_gw peer any \
    srcid $vpn_id \
    eap "mschap-v2" \
    config address $client_pool \
    config name-server $client_dns \
    tag "ROADW"

The value for the vpn_id macro parameter MUST be different from your IRCnow hostname. For example, if your IRCNow hostname is "user.host.ircnow.org", you should pick something like "vpn.user.host.ircnow.org". Whatever you pick should be a valid hostname that resolves to an IP address. The 'from' rule allows any user to connect. The name-server provides the name-server that vpn clients will use. So in this example, you must have a valid caching name server running on IP 203.0.113.5. Note that these packets will get tagged as ROADW.

pf.conf

iked depends upon packet filter being enabled. First, you must make sure to enable packet filter if it is off:

doas pfctl -e

Add this to /etc/pf.conf:

doas vi /etc/pf.conf

pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED
pass in inet proto esp tag IKED
pass on enc0 inet tagged ROADW
match out on $ext_if inet tagged ROADW nat-to ext_if
match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53

where ext_if is your external interface.

To find your external interface, type:

ifconfig

The external interface is the one with the public IP address. If OpenBSD is run on a virtual machine, the external interface is probably vio0.

To reload the new pf ruleset:

doas pfctl -f /etc/pf.conf 

Certificates

At this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. From the command line, run:

# ikectl ca vpn create
# ikectl ca vpn install

certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt
CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl

# ikectl ca vpn certificate vpn.user.host.ircnow.org create
# ikectl ca vpn certificate vpn.user.host.ircnow.org install

writing RSA key

Replace vpn.user.host.ircnow.org with the hostname you picked for the value of vpn_id in iked.conf.

Client configuration