Differences

This shows you the differences between two versions of the page.

--- vpn:openbsd [2019/11/07 07:37]
jrmu
+++ vpn:openbsd [2020/06/14 03:57] (current)
jrmu
@@ Line 1: / Line 1: @@
-====== OpenBSD 6.6 on amd64 ======
+ ====== OpenBSD 6.6 on amd64 ======
-Add this to /etc/iked.conf (for IP 123.45.67.8):
+Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address):
 <code>
@@ Line 7: / Line 7: @@
 ikev2 'vpn.ircnow.org' passive esp \
     from 0.0.0.0/0 to 0.0.0.0/0 \
-    local 123.45.67.8 peer any \
+    local 203.0.113.5 peer any \
     srcid vpn.ircnow.org \
     eap "mschap-v2" \
     config address 10.0.5.0/24 \
-    config name-server 123.45.67.8 \
+    config name-server 203.0.113.5 \
     tag "ROADW"
 </code>
+The 'from' rule allows any user to connect. The name-server provides the name-server that vpn clients will use. So in this example, you must have a valid caching name server running on IP 203.0.113.5. Note that these packets will get tagged as ROADW.
 Add this to /etc/pf.conf:
@@ Line 25: / Line 27: @@
 </code>
-(Note that in pf.conf, we had defined this earlier)
+where ext_if is your external interface.
-<code>
-ext_if = "em0"
-</code>
 To reload the new pf ruleset:
@@ Line 36: / Line 34: @@
 $ doas pfctl -f /etc/pf.conf
 </code>
+At this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. From the command line, run:
 <code>
@@ Line 47: / Line 47: @@
 # cp /etc/iked/ca/ca.crt /var/www/htdocs/
 </code>
+We will use unbound as the caching DNS resolver. Our servers have static IP addresses so we do not use DHCP (if DHCP is used, you must ignore the provided name servers):
+/etc/resolv.conf:
+<code>
+nameserver 127.0.0.1
+lookup file bind
+</code>
+/etc/resolv.conf.tail:
+<code>
+lookup file bind
+</code>
+/var/unbound/etc/unbound.conf:
+<code>
+outgoing-interface: 203.0.113.5
+access-control: 10.0.0.0/8 allow
+...
+local-zone: "www.domain.com" static
+...
+forward-zone:
+forward-addr: 185.121.177.177
+forward-addr: 169.239.202.202
+...
+</code>
+The local-zone lines are only needed if you want to filter/censor domains. You can obtain a list of domains to block using [[https://github.com/StevenBlack/hosts|StevenBlack's hosts]] files. I used the [[https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts|unified hosts + porn + gambling]] filter to block unwanted content.
+<code>
+$ curl -L -O https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts
+</code>
+We need to reformat this hosts file:
+<code>
+$ awk '!/^ *#/ && NF' hosts > newhosts # taken from stevenblack's list
+$ sed 's/0\.0\.0\.0 \([^#]*\).*$/local-zone: "\1" static/' newhosts > newhosts2
+$ sed 's/  "/"/' newhosts2 > newhosts3
+</code>
+Manually check for malformed entries, then put this into /var/unbound/etc/unbound.conf.
+Does this need to be added to /etc/sysctl.conf:
+<code>
+net.inet.ip.forwarding=1
+net.inet.ipcomp.enable=1
+net.inet.esp.enable=1
+net.inet.ah.enable=1
+</code>
 To start iked,
@@ Line 59: / Line 118: @@
 <code>
-$ doas iked -dv
+$ doas iked -6 -dv
 </code>
+Note: You may consider using blacklists from here:
+https://dsi.ut-capitole.fr/blacklists/index_en.php
+https://github.com/4skinSkywalker/anti-porn-hosts-file/blob/master/HOSTS.txt
+https://mirror1.malwaredomains.com/files/justdomains https://blocklist.site/app/dl/piracy https://blocklist.site/app/dl/torrent https://mirror1.malwaredomains.com/files/justdomains https://github.com/mmotti/pihole-regex/blob/master/regex.list https://blocklist.site/app/dl/porn
+Banned networks:
+irc.p2p-network.net
+irc.gazellegames.net
+irc.nzbs.in

IRCNow

Page Tools

Site Tools

User Tools

Differences