OpenIKED "Off-Shore" Style Tunneling VPN Gateway
This Wiki page will walk through the setup of an OpenIKED "Off-Shore" style
tunneling VPN which becomes the default route for VPN clients and NATs the
client traffic out to the internet. The setup supports clients behind a home
NAT and uses RSA keys for authentication.
Covered is the setup of an OpenIKED server on OpenBSD 5.6 -current and an
OpenIKED client on OpenBSD 5.6 -current. The client is also assumed to be
behind a home NAT and to have an IPv4 address in a private network range
(10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) on its egress interface.
Table of Contents
- Configure Server and Client OS
  - Enable IP Forwarding
  - Enable IP Compression
  - Enable enc0 Interface
- Create Public Key Infrastructure
- Configure OpenBSD PF Firewall
  - VPN Server
    - /etc/pf.conf
  - VPN Client
    - /etc/pf.conf
- Configure OpenIKED
  - VPN Server
    - /etc/iked.conf
  - VPN Client
    - /etc/iked.conf
- How to add extra FLOWS
  - VPN Client
    - Enable Additional FLOWS at Boot
    - /etc/ipsec.conf
    - Load, Remove, and View FLOWS
      - Load FLOWS
      - Remove FLOWS
      - View FLOWS
1 Configure Server and Client OS
You must enable IPv4 Forwarding, IP compression, and bring up the
enc0 interface on both the Server and the Client.
1.1 Enable IP Forwarding
sysctl net.inet.ip.forwarding=1
echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf
1.2 Enable IP Compression
sysctl net.inet.ipcomp.enable=1
echo 'net.inet.ipcomp.enable=1' >> /etc/sysctl.conf
1.3 Enable enc0 Interface
echo up > /etc/hostname.enc0
sh /etc/netstart enc0
2 Create Public Key Infrastructure
Note: The certificate name must match the Common Name in the certificate.
Strictly, it is the alternative DNS: name that must match the Common Name,
and ikectl adds the certificate name as the alternative DNS: name, so the two
have to be identical. I find it best to use the Server's public IP address as
the certificate name and Common Name. The certificate of the Client behind
NAT can use the hostname of the client computer or the client's email address
instead.
ikectl ca ikectl.ca create
ikectl ca ikectl.ca certificate 127.88.32.103 create
ikectl ca ikectl.ca certificate behind.nat.host.example.com create
tar -C /etc/ssl -czpf ikectl.ca.tar.gz ikectl.ca
chmod 640 ikectl.ca.tar.gz
scp /etc/ssl/ikectl.ca.tar.gz user@127.88.32.103:
user@127.88.32.103 $ su - root
root@127.88.32.103 # tar -C /etc/ssl -xzpf /home/user/ikectl.ca.tar.gz
root@127.88.32.103 # rm /home/user/ikectl.ca.tar.gz
root@127.88.32.103 # ikectl ca ikectl.ca install
root@127.88.32.103 # ikectl ca ikectl.ca certificate 127.88.32.103 install
scp /etc/ssl/ikectl.ca.tar.gz user@behind.nat.host.example.com:
user@behind.nat.host $ su - root
root@behind.nat.host # tar -C /etc/ssl -xzpf /home/user/ikectl.ca.tar.gz
root@behind.nat.host # rm /home/user/ikectl.ca.tar.gz
root@behind.nat.host # ikectl ca ikectl.ca install
root@behind.nat.host # ikectl ca ikectl.ca certificate behind.nat.host.example.com install
3 Configure OpenBSD PF Firewall
3.1 VPN Server
The following OpenBSD 5.6 PF firewall configuration will:
- Reassemble Fragmented Packets
- Return ICMP for dropped packets
- Enable logging on the egress interface group
- Allow everything on the loopback interface group and the enc interface group
- Scrub Packets of weirdness
- Define table <bruteforce>
- Set the Default policy for inbound traffic to Drop and Log
- Drop urpf-failed packets and label them uRPF
- Drop packets from IPs in the <bruteforce> table
- Randomize TCP Sequence Numbers
- Allow isakmp and ipsec-nat-t in on the egress interface group
- Allow AH and ESP in on the egress interface group
- PAT/NAT-Overload packets forwarded out the egress interface
  - with a source IP in a private subnet
  - and a destination IP that is not in a private subnet
- Respond to ICMPv4 Echo-Requests and Destination-Unreachable
- Allow SSH connections
  - Limit 15 connections from a Source IP
  - Limit 15 Connection Attempts in a 5 minute window
  - Violating IPs are added to the <bruteforce> table and their states flushed
3.1.1 /etc/pf.conf
File Permissions: -rw------- 1 root wheel
set reassemble yes
set block-policy return
set loginterface egress
set skip on { lo, enc }
match in all scrub (no-df random-id max-mss 1440)
table <bruteforce> persist
# A negated address list { ! a, ! b } expands into one rule per element and
# therefore matches every destination; a negated table is a single set test.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
block in log
block in quick from urpf-failed label uRPF
block quick from <bruteforce>
pass out all modulate state
pass in on egress proto udp from any to any port { isakmp, ipsec-nat-t }
pass in on egress proto { ah, esp }
pass out on egress from <private> to ! <private> nat-to (egress)
pass in quick inet proto icmp icmp-type { echoreq, unreach }
pass in quick proto tcp from any \
to (egress) port ssh \
flags S/SA modulate state \
(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
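PF expands an address list into one rule per element, so writing the NAT exclusion as `to { ! 10.0.0.0/8, ! 172.16.0.0/12, ! 192.168.0.0/16 }` produces three rules that each negate a single range; without `quick` the last matching rule wins, and every destination ends up being NATed. Negating a table, `to ! <private>`, is one set-membership test and gives the intended "not in any private range". The following Python emulation is an added example (not from this page or from OpenBSD) that evaluates both forms against a few constructed destination addresses, assuming the source address is already in a private range.

```python
"""Emulate PF list expansion for the 'nat-to (egress)' rule in the page's
pf.conf. Added example; the rule text is quoted from the page, the
destination addresses below are constructed test values."""
from ipaddress import ip_address, ip_network

# The three RFC 1918 ranges used throughout the page's configuration.
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def addr_matches(dst, negate, net):
    """Evaluate one expanded PF destination clause: 'to net' or 'to ! net'."""
    hit = ip_address(dst) in net
    return (not hit) if negate else hit


def nat_applies_with_list(dst):
    """pass out on egress ... to { ! 10.0.0.0/8, ! 172.16.0.0/12, ! 192.168.0.0/16 } nat-to (egress)

    PF turns the list into three rules, each negating a single network. All
    three carry the same action, so the packet is NATed as soon as any one of
    them matches (the last matching rule wins and they are all identical)."""
    expanded_rules = [(True, net) for net in PRIVATE]  # one rule per list element
    return any(addr_matches(dst, negate, net) for negate, net in expanded_rules)


def nat_applies_with_table(dst):
    """pass out on egress ... to ! <private> nat-to (egress)

    A table is one address set, so the negation means 'not in any range'."""
    return not any(ip_address(dst) in net for net in PRIVATE)


def compare(dsts):
    """Return {destination: (list form NATs?, table form NATs?)}."""
    return {d: (nat_applies_with_list(d), nat_applies_with_table(d)) for d in dsts}


if __name__ == "__main__":
    # Constructed sample destinations: three private, one public (TEST-NET-3).
    for dst, (lst, tbl) in compare(["10.1.2.3", "172.31.0.9", "192.168.1.20", "203.0.113.7"]).items():
        print(f"{dst:>15}  negated list NATs: {str(lst):5}  negated table NATs: {tbl}")
```

The list form reports NAT for all four destinations, while the table form excludes the three private ones, which is what the accompanying description of the rule intends.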
3.2 VPN Client
The following OpenBSD 5.6 PF firewall configuration will:
- Reassemble Fragmented Packets
- Return ICMP for dropped packets
- Enable logging on the egress interface group
- Allow everything on the loopback interface group and the enc interface group
- Scrub Packets of weirdness
- Define table <bruteforce>
- Set the Default policy for inbound traffic to Drop and Log
- Drop urpf-failed packets and label them uRPF
- Drop packets from IPs in the <bruteforce> table
- Randomize TCP Sequence Numbers
- Respond to ICMPv4 Echo-Requests and Destination-Unreachable
- Allow SSH connections
  - Limit 15 connections from a Source IP
  - Limit 15 Connection Attempts in a 5 minute window
  - Violating IPs are added to the <bruteforce> table and their states flushed
3.2.1 /etc/pf.conf
File Permissions: -rw------- 1 root wheel
set reassemble yes
set block-policy return
set loginterface egress
set skip on { lo, enc }
match in all scrub (no-df random-id max-mss 1440)
table <bruteforce> persist
block in log
block in quick from urpf-failed label uRPF
block quick from <bruteforce>
pass out all modulate state
pass in quick inet proto icmp icmp-type { echoreq, unreach }
pass in quick proto tcp from any \
to (egress) port ssh \
flags S/SA modulate state \
(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
4 Configure OpenIKED
4.1 VPN Server
Note: The srcid must match the Server SSL Certificate's Common Name.
4.1.1 /etc/iked.conf
File Permissions: -rw------- 1 root wheel
ikev2 passive ipcomp esp \
from 0.0.0.0/0 to 10.0.0.0/8 \
from 0.0.0.0/0 to 172.16.0.0/12 \
from 0.0.0.0/0 to 192.168.0.0/16 \
local 127.88.32.103 peer any \
srcid 127.88.32.103 \
tag IKED
4.2 VPN Client
Note: The srcid must match the Client SSL Certificate's Common Name.
4.2.1 /etc/iked.conf
File Permissions: -rw------- 1 root wheel
ikev2 active ipcomp esp \
from 10.0.0.0/8 to 0.0.0.0/0 \
from 172.16.0.0/12 to 0.0.0.0/0 \
from 192.168.0.0/16 to 0.0.0.0/0 \
peer 127.88.32.103 \
srcid behind.nat.host.example.com \
tag IKED
5 How to add extra FLOWS
You can add extra IPsec FLOWS in addition to the flows set up by OpenIKED. I
use this to let local LAN traffic bypass the VPN.
To do this, add flows to /etc/ipsec.conf and then enable ipsec in
/etc/rc.conf.local so the additional flows are loaded automatically at boot.
The FLOWS on the Server and Client do not need to match, so flows on the
Client can be more restrictive than those on the Server.
5.1 VPN Client
5.1.1 Enable Additional FLOWS at Boot
echo 'ipsec=YES' >> /etc/rc.conf.local
echo 'ipsec_rules=/etc/ipsec.conf' >> /etc/rc.conf.local
5.1.2 /etc/ipsec.conf
File Permissions: -rw------- 1 root wheel
flow esp out from 10.0.0.0/8 to 10.0.0.0/8 type bypass
flow esp out from 172.16.0.0/12 to 172.16.0.0/12 type bypass
flow esp out from 192.168.0.0/16 to 192.168.0.0/16 type bypass
5.1.3 Load, Remove, and View FLOWS
You can also add the flows to the running kernel and remove them by hand.
This is useful for testing. I assume this is how GUIs set up extra FLOWS for
IP addresses which can only be known at run time.
5.1.3.1 Load FLOWS
ipsecctl -f /etc/ipsec.conf
5.1.3.2 Remove FLOWS
ipsecctl -df /etc/ipsec.conf
5.1.3.3 View FLOWS
ipsecctl -sa
Last Edited: Fri Mar 20 19:37:26 UTC 2015