Configuring OpenIKED

(redirected from Openbsd.Iked)

(:redirect iked/roadwarrior:)

OpenIKED is OpenBSD's native VPN solution. It is included with the base system, so no installation will be necessary. It allows us to use IPSec to provide users with a VPN for security, privacy, and freedom of information.

Pros:

  • Clean
  • Secure
  • Interoperable
  • Simple to Configure

In this guide, we configure a server to provide ipsec for devices in a road warrior setup: a user wants to relay all his traffic from a single device through the VPS to the Internet. Only the server needs a public IP address.; the end-user can be behind a NAT.

Note: If you are trying to connect two networks together, consult the site-to-site ipsec guide.

Before You Begin

Make sure to read the FAQ's VPN guide and the manual pages for iked and iked.conf.

Configure iked.conf

Add this to /etc/iked.conf (replace username and password with your actual username and password; replace 172.16.0.1 with your server's public IP address; and replace example.com with your actual hostname):

gateway = "172.16.0.1"
hostname = "example.com"
pool = "10.0.5.0/24"
dns = "172.16.0.1"

user 'username' 'password'
ikev2 $hostname passive esp \
    from any to dynamic \
    local $gateway peer any \
    srcid $hostname \
    eap "mschap-v2" \
    config address $pool \
    config name-server $dns \
    tag "ROADW"

You must replace example.com with be a valid hostname that resolves to an IP address. Leave pool as 10.0.5.0/24.

from any to dynamic allows any user to connect. $dns must provide the IP address for the name server that vpn clients will use. This example assumes you have a valid caching name server configured and listening on IP 172.16.0.1.

These packets will get tagged as ROADW.

iked depends upon packet filter being enabled. First, enable packet filter if it is turned off:

$ doas pfctl -e

Next, add this to /etc/pf.conf:

pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED
pass in inet proto esp tag IKED
pass on enc0 inet tagged ROADW
match out on $ext_if inet tagged ROADW nat-to $ext_if
match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53

where $ext_if is your external interface.

NOTICE: You must make sure that your firewall whitelists VPN traffic. You might consider adding this macro:

VPN = "10.0.5.0/24"

To find your external interface, type:

$ ifconfig

The external interface is the one with the public IP address. If OpenBSD is run inside vmm, the external interface is probably vio0.

To reload the new pf ruleset:

$ doas pfctl -f /etc/pf.conf 

At this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. From the command line, run this as root:

# ikectl ca vpn create
# ikectl ca vpn install
certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt
CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl
# ikectl ca vpn certificate example.com create
# ikectl ca vpn certificate example.com install
writing RSA key

Replace example.com with your actual domain.

Users of the VPN will need to download /etc/iked/ca/ca.crt to their device. The easiest way is to use openhttpd and serve the file over the web.

# cp /etc/iked/ca/ca.crt /var/www/htdocs/example.com/
# chown www:daemon /var/www/htdocs/example.com/ca.crt

If the web server is configured correctly, users can then download the file at https://example.com/ca.crt.

Configuring DNS

This example uses unbound as the caching DNS resolver. It assumes your server has its IP addresses statically assigned and is not using DHCP to locate its name servers.

Replace /etc/resolv.conf with the following:

nameserver 127.0.0.1
lookup file bind

Edit the following values in /var/unbound/etc/unbound.conf:

outgoing-interface: 172.16.0.1
access-control: 10.0.0.0/8 allow

We recommend configuring domain blacklists for unbound to block unwanted traffic.

Edit /etc/sysctl.conf to include these directives:

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet.ipcomp.enable=1
net.inet.esp.enable=1
net.inet.ah.enable=1

Next, run these commands as root:

sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip6.forwarding=1
sysctl net.inet.ipcomp.enable=1
sysctl net.inet.esp.enable=1
sysctl net.inet.ah.enable=1

IP forwarding allows the server to forward the user's packets to their final destination.

Tighten file permissions, then start iked:

$ doas chmod 0600 /etc/iked.conf
$ doas rcctl enable iked
$ doas rcctl start iked

Troubleshooting

Running iked in debug mode can provide valuable info about errors in configuration.

First, turn off iked if it is running:

$ doas rcctl stop iked

Check to make sure no iked processes are running:

$ ps ax | grep iked

Then, run iked in debug mode:

$ doas iked -dv

-d will cause iked to not daemonize, and -v will report errors verbosely.