Puffy Security


OpenIKED "Off-Shore" Style Tunneling VPN Gateway

This wiki page walks through the setup of an OpenIKED "off-shore" style tunneling VPN: the VPN gateway becomes the default route for VPN clients and NATs the client traffic out to the internet. The setup supports clients behind a home NAT and uses RSA keys for authentication.

Covered is the setup of an OpenIKED server on OpenBSD 5.6 -current and an OpenIKED client on OpenBSD 5.6 -current. The client is assumed to be behind a home NAT and to have an IPv4 address from one of the private ranges 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 on its egress interface.

Table of Contents

  1. Configure Server and Client OS
    1. Enable IP Forwarding
    2. Enable IP Compression
    3. Enable enc0 Interface
  2. Create Public Key Infrastructure
  3. Configure OpenBSD PF Firewall
    1. VPN Server
      1. /etc/pf.conf
    2. VPN Client
      1. /etc/pf.conf
  4. Configure OpenIKED
    1. VPN Server
      1. /etc/iked.conf
    2. VPN Client
      1. /etc/iked.conf
  5. How to add extra FLOWS
    1. VPN Client
      1. Enable Additional FLOWS at Boot
      2. /etc/ipsec.conf
      3. Load, Remove, and View FLOWS
        1. Load FLOWS
        2. Remove FLOWS
        3. View FLOWS

1 Configure Server and Client OS

You must enable IPv4 Forwarding, IP compression, and bring up the enc0 interface on both the Server and the Client.

1.1 Enable IP Forwarding

    sysctl net.inet.ip.forwarding=1
    echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf

1.2 Enable IP Compression

    sysctl net.inet.ipcomp.enable=1
    echo 'net.inet.ipcomp.enable=1' >> /etc/sysctl.conf

1.3 Enable enc0 Interface

    echo up > /etc/hostname.enc0
    sh /etc/netstart enc0

2 Create Public Key Infrastructure

Note: The certificate name must match the Common Name in the certificate. Strictly speaking, it is the subjectAltName DNS: entry that must match the Common Name, and ikectl adds the certificate name as that DNS: alternative name, so keeping the two identical satisfies both.

I find it best to use the Server's public IP address as the certificate name and Common Name. The behind-NAT Client's certificate can use the hostname of the client computer or the client's email address instead.

    ikectl ca ikectl.ca create
    ikectl ca ikectl.ca certificate 127.88.32.103 create
    ikectl ca ikectl.ca certificate behind.nat.host.example.com create


    tar -C /etc/ssl -czpf ikectl.ca.tar.gz ikectl.ca
    chmod 640 ikectl.ca.tar.gz


    scp /etc/ssl/ikectl.ca.tar.gz user@127.88.32.103:
    user@127.88.32.103 $ su - root
    root@127.88.32.103 # tar -C /etc/ssl -xzpf /home/user/ikectl.ca.tar.gz
    root@127.88.32.103 # rm /home/user/ikectl.ca.tar.gz
    root@127.88.32.103 # ikectl ca ikectl.ca install
    root@127.88.32.103 # ikectl ca ikectl.ca certificate 127.88.32.103 install


    scp /etc/ssl/ikectl.ca.tar.gz user@behind.nat.host.example.com:
    user@behind.nat.host $ su - root
    root@behind.nat.host # tar -C /etc/ssl -xzpf /home/user/ikectl.ca.tar.gz
    root@behind.nat.host # rm /home/user/ikectl.ca.tar.gz
    root@behind.nat.host # ikectl ca ikectl.ca install
    root@behind.nat.host # ikectl ca ikectl.ca certificate behind.nat.host.example.com install
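
A quick way to verify the note above before installing a certificate is to compare its Common Name with the DNS: entries of its subjectAltName. The script below is an added example, not part of this wiki page or of ikectl: it parses the text form printed by `openssl x509 -noout -text` (the two embedded sample outputs are constructed, using the certificate names from this page), and `check_cert_file` is a hypothetical helper that runs openssl on a PEM certificate file you point it at.

```python
import re
import subprocess

# Constructed sample of `openssl x509 -noout -text` output, trimmed to the
# fields this check needs; CN and DNS: name agree, as ikectl generates them.
SAMPLE_OK = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=ikectl.ca
        Subject: C=CA, O=ikectl, CN=behind.nat.host.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:behind.nat.host.example.com
"""

# Constructed sample where the CN was edited by hand and no longer matches
# the DNS: name, the mismatch the note above warns about.
SAMPLE_MISMATCH = """\
Certificate:
    Data:
        Subject: C=CA, O=ikectl, CN=vpn-gateway
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:127.88.32.103, IP Address:127.88.32.103
"""


def parse_cn_and_san(text):
    """Return (common_name, dns_names) from `openssl x509 -text` output.
    Both the 'CN=' (LibreSSL, older OpenSSL) and 'CN = ' spellings are handled."""
    cn = None
    m = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,/\n]+)", text, re.M)
    if m:
        cn = m.group(1).strip()
    dns_names = []
    # The SAN entries are printed on the line following the extension header.
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    if m:
        for entry in m.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                dns_names.append(entry[len("DNS:"):].strip())
    return cn, dns_names


def cn_matches_san(text):
    """True when the CN is also present as a DNS: subjectAltName entry."""
    cn, dns_names = parse_cn_and_san(text)
    return cn is not None and cn in dns_names


def check_cert_file(path):
    """Hypothetical helper: run openssl on a PEM certificate and apply the check."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-text"],
                         capture_output=True, text=True, check=True).stdout
    return cn_matches_san(out)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, "ok" if check_cert_file(p) else "CN/SAN mismatch")
```

Run it with the certificate files as arguments; a mismatch means iked will reject the peer's srcid even though the CA signature is valid.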

3 Configure OpenBSD PF Firewall

3.1 VPN Server

The following OpenBSD 5.6 PF firewall configuration will:

  • Reassemble Fragmented Packets
  • Return ICMP for dropped packets
  • Enable logging on egress interface group
  • Allow everything on loopback interface group and enc interface group
  • Scrub Packets of weirdness
  • Define table <bruteforce>
  • Set Default policy for in to Drop and Log
  • Drop urpf-failed packets and label them uRPF
  • Drop packets from IPs in <bruteforce> table
  • Randomize TCP Sequence Numbers
  • Allow isakmp and ipsec-nat-t in on egress interface group
  • Allow AH, and ESP in on egress interface group
  • Source-NAT (PAT/NAT overload) packets forwarded out an egress interface
    • With a source IP in a private subnet
    • And a destination IP that is not in a private subnet
  • Respond to ICMPv4 Echo-Requests and Destination-Unreachable
  • Allow SSH connections
    • Limit 15 connections from a Source IP
    • Limit 15 Connection Attempts in 5 minute window
    • Violating IPs are added to <bruteforce> table and associated states flushed

3.1.1 /etc/pf.conf

File Permissions: -rw------- 1 root wheel

    set reassemble yes
    set block-policy return
    set loginterface egress
    set skip on { lo, enc }

    match in all scrub (no-df random-id max-mss 1440)

    table <bruteforce> persist
    # RFC 1918 space as one table: pf expands a list such as
    # { ! 10.0.0.0/8, ! 172.16.0.0/12 } into one rule per entry, so every
    # destination matches at least one of them and would be NATed.
    table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

    block in log
    block in quick from urpf-failed label uRPF
    block quick from <bruteforce>

    pass out all modulate state

    pass in on egress proto udp from any to any port { isakmp, ipsec-nat-t }
    pass in on egress proto { ah, esp }
    pass out on egress from <private> to ! <private> nat-to (egress)

    pass in quick inet proto icmp icmp-type { echoreq, unreach }

    pass in quick proto tcp from any \
        to (egress) port ssh \
        flags S/SA modulate state \
        (max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
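
pf.conf(5) warns that negated lists do not work as expected: pfctl expands `to { ! 10.0.0.0/8, ! 172.16.0.0/12, ! 192.168.0.0/16 }` into three rules, each negating one network, so a packet for a private destination still matches the other two rules and is NATed; a single negated table (`to ! <private>`) is what the bullet list above describes. The following Python script is an added example, not part of this wiki page or of pf itself: it emulates only pfctl's list expansion and address matching (the table name `private` is an assumption) so the difference between the two spellings can be checked offline.

```python
import ipaddress

# The address lists from the NAT rule, written the two ways.
PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
TABLES = {"private": [ipaddress.ip_network(n) for n in PRIVATE]}  # assumed table name
LIST_SRC = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
LIST_DST = "{ ! 10.0.0.0/8, ! 172.16.0.0/12, ! 192.168.0.0/16 }"


def parse_item(token, tables):
    """One list entry: optional '!' followed by a network or a <table> name."""
    token = token.strip()
    negate = token.startswith("!")
    token = token.lstrip("!").strip()
    if token.startswith("<") and token.endswith(">"):
        nets = tables[token[1:-1]]
    else:
        nets = [ipaddress.ip_network(token)]
    return negate, nets


def expand_field(field, tables):
    """pfctl expands '{ a, b, c }' into one rule per entry; a bare entry or a
    table stays a single rule.  Returns the list of (negate, networks) items."""
    field = field.strip()
    if field.startswith("{") and field.endswith("}"):
        return [parse_item(t, tables) for t in field[1:-1].split(",")]
    return [parse_item(field, tables)]


def item_matches(item, addr):
    """Address matches the item; '!' inverts the membership test."""
    negate, nets = item
    return any(addr in n for n in nets) != negate


def nat_applies(src_field, dst_field, src, dst, tables=TABLES):
    """True if any rule in the expanded cross product matches the packet,
    i.e. when pf would apply nat-to for this src/dst pair."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(item_matches(s, src) and item_matches(d, dst)
               for s in expand_field(src_field, tables)
               for d in expand_field(dst_field, tables))


def compare(src, dst):
    """Return (nat_with_negated_list, nat_with_negated_table) for one packet."""
    return (nat_applies(LIST_SRC, LIST_DST, src, dst),
            nat_applies("<private>", "! <private>", src, dst))


if __name__ == "__main__":
    # Constructed packets: client LAN host to a tunnel-side private host, and
    # to a TEST-NET-2 address standing in for the public internet.
    for src, dst in [("192.168.1.20", "10.8.0.5"), ("192.168.1.20", "198.51.100.7")]:
        lst, tbl = compare(src, dst)
        print(f"{src} -> {dst}: negated list NATs={lst}, negated table NATs={tbl}")
```

The first packet is the interesting one: the negated list NATs it although the intent was to leave private-to-private traffic alone, while the table form does not.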

3.2 VPN Client

The following OpenBSD 5.6 PF firewall configuration will:

  • Reassemble Fragmented Packets
  • Return ICMP for dropped packets
  • Enable logging on egress interface group
  • Allow everything on loopback interface group and enc interface group
  • Scrub Packets of weirdness
  • Define table <bruteforce>
  • Set Default policy for in to Drop and Log
  • Drop urpf-failed packets and label them uRPF
  • Drop packets from IPs in <bruteforce> table
  • Randomize TCP Sequence Numbers
  • Respond to ICMPv4 Echo-Requests and Destination-Unreachable
  • Allow SSH connections
    • Limit 15 connections from a Source IP
    • Limit 15 Connection Attempts in 5 minute window
    • Violating IPs are added to <bruteforce> table and associated states flushed

3.2.1 /etc/pf.conf

File Permissions: -rw------- 1 root wheel

    set reassemble yes
    set block-policy return
    set loginterface egress
    set skip on { lo, enc }

    match in all scrub (no-df random-id max-mss 1440)

    table <bruteforce> persist

    block in log
    block in quick from urpf-failed label uRPF
    block quick from <bruteforce>

    pass out all modulate state

    pass in quick inet proto icmp icmp-type { echoreq, unreach }

    pass in quick proto tcp from any \
        to (egress) port ssh \
        flags S/SA modulate state \
        (max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)

4 Configure OpenIKED

4.1 VPN Server

Note: The srcid must match the Server SSL Certificate's Common Name.

4.1.1 /etc/iked.conf

File Permissions: -rw------- 1 root wheel

    ikev2 passive ipcomp esp \
        from 0.0.0.0/0 to 10.0.0.0/8 \
        from 0.0.0.0/0 to 172.16.0.0/12 \
        from 0.0.0.0/0 to 192.168.0.0/16 \
        local 127.88.32.103 peer any \
        srcid 127.88.32.103 \
        tag IKED

4.2 VPN Client

Note: The srcid must match the Client SSL Certificate's Common Name.

4.2.1 /etc/iked.conf

File Permissions: -rw------- 1 root wheel

    ikev2 active ipcomp esp \
        from 10.0.0.0/8 to 0.0.0.0/0 \
        from 172.16.0.0/12 to 0.0.0.0/0 \
        from 192.168.0.0/16 to 0.0.0.0/0 \
        peer 127.88.32.103 \
        srcid behind.nat.host.example.com \
        tag IKED

5 How to add extra FLOWS

You can add extra IPsec FLOWS in addition to the flows set up by OpenIKED. I use this to allow local LAN traffic to bypass the VPN.

To do this, add flows to /etc/ipsec.conf and enable ipsec in /etc/rc.conf.local so the additional flows are loaded automatically at boot. The FLOWS on the Server and Client do not need to match, so flows on the Client can be more restrictive than on the Server.

5.1 VPN Client

5.1.1 Enable Additional FLOWS at Boot

    echo 'ipsec=YES' >> /etc/rc.conf.local
    echo 'ipsec_rules=/etc/ipsec.conf' >> /etc/rc.conf.local

5.1.2 /etc/ipsec.conf

File Permissions: -rw------- 1 root wheel

    flow esp out from 10.0.0.0/8 to 10.0.0.0/8 type bypass
    flow esp out from 172.16.0.0/12 to 172.16.0.0/12 type bypass
    flow esp out from 192.168.0.0/16 to 192.168.0.0/16 type bypass

5.1.3 Load, Remove, and View FLOWS

You can now load the flows into the running kernel and remove them by hand. This is useful for testing. I assume this is how GUIs set up extra FLOWS for IP addresses which could only be known in real time.

5.1.3.1 Load FLOWS

    ipsecctl -f /etc/ipsec.conf

5.1.3.2 Remove FLOWS

    ipsecctl -df /etc/ipsec.conf

5.1.3.3 View FLOWS

    ipsecctl -sa
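
The run-time case mentioned above, as an added example that is not part of this page or of OpenBSD: a Python script that reads ifconfig-style output (the embedded sample is constructed), derives each RFC 1918 subnet the client is directly attached to, and prints a bypass flow for just that subnet. That is narrower than the /8, /12 and /16 bypasses in the file above, which is the "more restrictive on the Client" direction the text allows. Write the output to a file and load it with `ipsecctl -f file`.

```python
import ipaddress
import re

# Constructed ifconfig-style output for a client behind a home NAT.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.37 netmask 0xffffff00 broadcast 192.168.1.255
enc0: flags=41<UP,RUNNING> mtu 1536
"""

SKIP_PREFIXES = ("lo", "enc")  # loopback and the IPsec pseudo-interface


def lan_networks(ifconfig_text):
    """Return [(ifname, network)] for every RFC 1918 subnet an interface sits
    on, derived from the hex netmask ifconfig prints (0xffffff00 -> /24)."""
    current, nets = None, []
    for line in ifconfig_text.splitlines():
        m = re.match(r"^(\S+): flags=", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]+)", line)
        if not m or current is None or current.startswith(SKIP_PREFIXES):
            continue
        prefix = bin(int(m.group(2), 16)).count("1")
        net = ipaddress.ip_network(f"{m.group(1)}/{prefix}", strict=False)
        # Skip public addresses and /32 point-to-point links: neither is a LAN
        # that should bypass the tunnel.
        if net.is_private and net.prefixlen < 32:
            nets.append((current, net))
    return nets


def bypass_flows(ifconfig_text):
    """Render one ipsec.conf bypass flow per LAN, in the form used above."""
    return "\n".join(f"flow esp out from {net} to {net} type bypass"
                     for _, net in lan_networks(ifconfig_text))


if __name__ == "__main__":
    import subprocess
    text = subprocess.run(["ifconfig"], capture_output=True, text=True).stdout
    print(bypass_flows(text))
```

Because the flows are generated from the address actually configured, moving the laptop to a different home network produces a different bypass instead of the whole /16 being excluded from the tunnel.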



Last Edited: Fri Mar 20 19:37.26 UTC 2015

This site Copyright © 2015 Thomas Dwyer .