Add this to /etc/iked.conf (for IP 123.45.67.8):
user 'username' 'password'
ikev2 'vpn.ircnow.org' passive esp \
	from 0.0.0.0/0 to 0.0.0.0/0 \
	local 123.45.67.8 peer any \
	srcid vpn.ircnow.org \
	eap "mschap-v2" \
	config address 10.0.5.0/24 \
	config name-server 123.45.67.8 \
	tag "ROADW"
Add this to /etc/pf.conf:
pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED
pass in inet proto esp tag IKED
pass on enc0 inet tagged ROADW
match out on $ext_if inet tagged ROADW nat-to $ext_if
match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53
(Note that $ext_if was defined earlier in pf.conf:)
ext_if = "em0"
To reload the new pf ruleset:
$ doas pfctl -f /etc/pf.conf
Create the CA and the server certificate with ikectl (the lines without a prompt are the output as printed), then publish the CA certificate so clients can fetch it:
# ikectl ca vpn create
# ikectl ca vpn install
certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt
CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl
# ikectl ca vpn certificate server1.domain create
# ikectl ca vpn certificate server1.domain install
writing RSA key
# cp /etc/iked/ca/ca.crt /var/www/htdocs/
We will use unbound as the caching DNS resolver. Our servers have static IP addresses, so we do not use DHCP (if DHCP is used, the name servers it provides must be ignored so that 127.0.0.1 stays in /etc/resolv.conf):
/etc/resolv.conf:
nameserver 127.0.0.1
lookup file bind
/etc/resolv.conf.tail:
lookup file bind
/var/unbound/etc/unbound.conf:
outgoing-interface: 123.45.67.8
access-control: 10.0.0.0/8 allow
...
local-zone: "www.domain.com" static
...
forward-zone:
	forward-addr: 185.121.177.177
	forward-addr: 169.239.202.202
...
The local-zone lines are only needed if you want to filter/censor domains. You can obtain a list of domains to block from StevenBlack's hosts files. I used the unified hosts + porn + gambling filter to block unwanted content.
$ curl -L -O https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts
We need to convert this hosts file into unbound local-zone lines:
$ awk '!/^ *#/ && NF' hosts > newhosts    # drop comment and blank lines from StevenBlack's list
$ sed 's/^0\.0\.0\.0 \([^#[:space:]]*\).*$/local-zone: "\1" static/' newhosts > newhosts2
$ sed 's/[[:space:]]*" static$/" static/' newhosts2 > newhosts3    # strip any whitespace left before the closing quote
Manually check for malformed entries, then put this into /var/unbound/etc/unbound.conf.
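As an added example (not part of the original page), the shell function below does the same hosts-to-local-zone conversion in one awk pass and catches the entries the manual check above is for: comment and blank lines, inline comments, CRLF endings, the 127.0.0.1/::1 localhost entries, the "0.0.0.0 0.0.0.0" self-entry, duplicates, and names that are not valid hostnames. The sample input in the usage line is constructed.

```shell
#!/bin/sh
# hosts_to_unbound: read a StevenBlack-style hosts file on stdin and print
# one 'local-zone: "<name>" static' line per blocked host, ready to paste
# into /var/unbound/etc/unbound.conf. Rejected names go to stderr so they
# can be reviewed instead of silently producing a malformed config line.
hosts_to_unbound() {
    awk '
        { sub(/\r$/, ""); sub(/#.*/, "") }      # strip CR and inline comments
        NF < 2 || $1 != "0.0.0.0" { next }       # only sinkhole entries; skips 127.0.0.1/::1 lines
        {
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                # skip the self-entry and names already emitted
                if (name == "0.0.0.0" || name in seen) continue
                # accept only valid hostnames: dot-joined labels of [a-z0-9-]
                if (name !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) {
                    printf "rejected: %s\n", $i > "/dev/stderr"
                    continue
                }
                seen[name] = 1
                printf "local-zone: \"%s\" static\n", name
            }
        }
    '
}

# usage on a constructed sample (normally: hosts_to_unbound < hosts > blocklist.conf)
printf '# header\n\n127.0.0.1 localhost\n0.0.0.0 0.0.0.0\n0.0.0.0 ads.example.com # inline\n0.0.0.0 Ads.Example.COM\r\n0.0.0.0 bad_host.example\n0.0.0.0 track.example.net\n' | hosts_to_unbound
```

Append the output to unbound.conf under the server section alongside the local-zone lines shown above, then reload unbound.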
To start iked,
$ doas rcctl enable iked
$ doas rcctl set iked flags -6
$ doas rcctl start iked
To turn on debugging, replace the last step with:
$ doas iked -dv