This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
vpn:openbsd [2019/11/07 07:47] jrmu |
vpn:openbsd [2020/06/14 03:57] (current) jrmu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== OpenBSD 6.6 on amd64 ====== | + | ====== OpenBSD 6.6 on amd64 ====== |
| - | Add this to /etc/iked.conf (for IP 123.45.67.8): | + | Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address): |
| <code> | <code> | ||
| Line 7: | Line 7: | ||
| ikev2 'vpn.ircnow.org' passive esp \ | ikev2 'vpn.ircnow.org' passive esp \ | ||
| from 0.0.0.0/0 to 0.0.0.0/0 \ | from 0.0.0.0/0 to 0.0.0.0/0 \ | ||
| - | local 123.45.67.8 peer any \ | + | local 203.0.113.5 peer any \ |
| srcid vpn.ircnow.org \ | srcid vpn.ircnow.org \ | ||
| eap "mschap-v2" \ | eap "mschap-v2" \ | ||
| config address 10.0.5.0/24 \ | config address 10.0.5.0/24 \ | ||
| - | config name-server 123.45.67.8 \ | + | config name-server 203.0.113.5 \ |
| tag "ROADW" | tag "ROADW" | ||
| </code> | </code> | ||
| + | |||
| + | The 'from' rule allows any user to connect. The name-server provides the name-server that vpn clients will use. So in this example, you must have a valid caching name server running on IP 203.0.113.5. Note that these packets will get tagged as ROADW. | ||
| Add this to /etc/pf.conf: | Add this to /etc/pf.conf: | ||
| Line 25: | Line 27: | ||
| </code> | </code> | ||
| - | (Note that in pf.conf, we had defined this earlier) | + | where ext_if is your external interface. |
| - | + | ||
| - | <code> | + | |
| - | ext_if = "em0" | + | |
| - | </code> | + | |
| To reload the new pf ruleset: | To reload the new pf ruleset: | ||
| Line 36: | Line 34: | ||
| $ doas pfctl -f /etc/pf.conf | $ doas pfctl -f /etc/pf.conf | ||
| </code> | </code> | ||
| + | |||
| + | At this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. From the command line, run: | ||
| <code> | <code> | ||
| Line 66: | Line 66: | ||
| <code> | <code> | ||
| - | outgoing-interface: 123.45.67.8 | + | outgoing-interface: 203.0.113.5 |
| access-control: 10.0.0.0/8 allow | access-control: 10.0.0.0/8 allow | ||
| ... | ... | ||
| Line 81: | Line 81: | ||
| </code> | </code> | ||
| - | The local-zone lines are only needed if you want to filter/censor domains. You can obtain a list of domains to block using [[https://github.com/StevenBlack/hosts|StevenBlack's hosts]] files. I used the blacklists to [[https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts|unified hosts + porn + gambling]] filter. | + | The local-zone lines are only needed if you want to filter/censor domains. You can obtain a list of domains to block using [[https://github.com/StevenBlack/hosts|StevenBlack's hosts]] files. I used the [[https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts|unified hosts + porn + gambling]] filter to block unwanted content. |
| <code> | <code> | ||
| Line 90: | Line 90: | ||
| <code> | <code> | ||
| - | $ awk '!/^ *#/ && NF' hosts # taken from stevenblack's list | + | $ awk '!/^ *#/ && NF' hosts > newhosts # taken from stevenblack's list |
| $ sed 's/0\.0\.0\.0 \([^#]*\).*$/local-zone: "\1" static/' newhosts > newhosts2 | $ sed 's/0\.0\.0\.0 \([^#]*\).*$/local-zone: "\1" static/' newhosts > newhosts2 | ||
| - | $ sed 's/ "/"' newhosts2 > newhosts3 | + | $ sed 's/ "/"/' newhosts2 > newhosts3 |
| </code> | </code> | ||
| Manually check for malformed entries, then put this into /var/unbound/etc/unbound.conf. | Manually check for malformed entries, then put this into /var/unbound/etc/unbound.conf. | ||
| + | |||
| + | Does this need to be added to /etc/sysctl.conf: | ||
| + | |||
| + | <code> | ||
| + | net.inet.ip.forwarding=1 | ||
| + | net.inet.ipcomp.enable=1 | ||
| + | net.inet.esp.enable=1 | ||
| + | net.inet.ah.enable=1 | ||
| + | </code> | ||
| + | |||
| To start iked, | To start iked, | ||
| Line 108: | Line 118: | ||
| <code> | <code> | ||
| - | $ doas iked -dv | + | $ doas iked -6 -dv |
| </code> | </code> | ||
| + | |||
| + | Note: You may consider using blacklists from here: | ||
| + | https://dsi.ut-capitole.fr/blacklists/index_en.php | ||
| + | https://github.com/4skinSkywalker/anti-porn-hosts-file/blob/master/HOSTS.txt | ||
| + | https://mirror1.malwaredomains.com/files/justdomains https://blocklist.site/app/dl/piracy https://blocklist.site/app/dl/torrent https://mirror1.malwaredomains.com/files/justdomains https://github.com/mmotti/pihole-regex/blob/master/regex.list https://blocklist.site/app/dl/porn | ||
| + | |||
| + | Banned networks: | ||
| + | |||
| + | irc.p2p-network.net | ||
| + | irc.gazellegames.net | ||
| + | irc.nzbs.in | ||