This shows you the differences between two versions of the page.
vpn:openbsd [2019/11/07 07:52] jrmu |
vpn:openbsd [2020/06/14 03:57] (current) jrmu |
Line 1: | Line 1: | ||
- | ====== OpenBSD 6.6 on amd64 ====== | + | ====== OpenBSD 6.6 on amd64 ====== |
- | Add this to /etc/iked.conf (for IP 123.45.67.8): | + | Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address): |
<code> | <code> | ||
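Review bot: the switch from 123.45.67.8 to 203.0.113.5 is the right fix and should stay: 203.0.113.0/24 is reserved for documentation (RFC 5737), whereas 123.45.67.8 is a real, routable address owned by someone else, so a reader who pasted the old example verbatim would have pointed their VPN clients' resolver setting at a stranger's host. The heading line is shown as changed on both sides with identical content; if that is only a whitespace change it is harmless, but it is worth confirming nothing else moved on that line.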
Line 7: | Line 7: | ||
ikev2 'vpn.ircnow.org' passive esp \ | ikev2 'vpn.ircnow.org' passive esp \ | ||
from 0.0.0.0/0 to 0.0.0.0/0 \ | from 0.0.0.0/0 to 0.0.0.0/0 \ | ||
- | local 123.45.67.8 peer any \ | + | local 203.0.113.5 peer any \ |
srcid vpn.ircnow.org \ | srcid vpn.ircnow.org \ | ||
eap "mschap-v2" \ | eap "mschap-v2" \ | ||
config address 10.0.5.0/24 \ | config address 10.0.5.0/24 \ | ||
- | config name-server 123.45.67.8 \ | + | config name-server 203.0.113.5 \ |
tag "ROADW" | tag "ROADW" | ||
</code> | </code> | ||
+ | |||
+ | The 'from' rule allows any user to connect. The name-server provides the name-server that vpn clients will use. So in this example, you must have a valid caching name server running on IP 203.0.113.5. Note that these packets will get tagged as ROADW. | ||
Add this to /etc/pf.conf: | Add this to /etc/pf.conf: | ||
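Review bot: the new explanation "The 'from' rule allows any user to connect" points at the wrong directive. `from 0.0.0.0/0 to 0.0.0.0/0` is the flow (traffic selector) that sends all of a client's traffic through the tunnel; it is `peer any` that lets any address attempt an IKE connection, and who actually gets in is decided by the `eap "mschap-v2"` user authentication plus the client checking the server's certificate. Suggest: "`from 0.0.0.0/0 to 0.0.0.0/0` tunnels all client traffic; `peer any` accepts connection attempts from any address; users still have to pass MSCHAPv2 authentication." The sentence "The name-server provides the name-server that vpn clients will use" also repeats itself; "`config name-server` sets the resolver handed to VPN clients" reads better, and it should add that the resolver at 203.0.113.5 has to accept queries from the 10.0.5.0/24 pool that `config address` assigns, otherwise clients connect but cannot resolve names.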
Line 25: | Line 27: | ||
</code> | </code> | ||
- | (Note that in pf.conf, we had defined this earlier) | + | where ext_if is your external interface. |
- | + | ||
- | <code> | + | |
- | ext_if = "em0" | + | |
- | </code> | + | |
To reload the new pf ruleset: | To reload the new pf ruleset: | ||
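Review bot: dropping the `ext_if = "em0"` block loses the only example of how the macro is defined. The replacement sentence "where ext_if is your external interface" tells the reader what the macro means but not that it must exist as a macro definition near the top of pf.conf, and `pfctl -f /etc/pf.conf` will refuse the ruleset with a syntax error if `$ext_if` is referenced without being defined. Suggest keeping a one-line definition in the page, e.g. `ext_if = "em0"`, with a note to substitute the real interface name from `ifconfig`.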
Line 36: | Line 34: | ||
$ doas pfctl -f /etc/pf.conf | $ doas pfctl -f /etc/pf.conf | ||
</code> | </code> | ||
+ | |||
+ | At this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. From the command line, run: | ||
<code> | <code> | ||
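Review bot: the added sentence should say which name the server certificate is issued for. Clients verify the server against the identity it presents, which is the `srcid vpn.ircnow.org` from the iked.conf block above, so a certificate created for any other name will pass the server side and still fail verification on every client. Suggest: "create a CA and an X.509 server certificate for vpn.ircnow.org (the srcid configured above) so that clients can verify the server". "PKI and X.509 certificates" is also vaguer than what the page actually does, which is one CA and one server certificate.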
Line 66: | Line 66: | ||
<code> | <code> | ||
- | outgoing-interface: 123.45.67.8 | + | outgoing-interface: 203.0.113.5 |
access-control: 10.0.0.0/8 allow | access-control: 10.0.0.0/8 allow | ||
... | ... | ||
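Review bot: `access-control: 10.0.0.0/8 allow` is much wider than the 10.0.5.0/24 pool the iked.conf block hands out; narrowing it to `10.0.5.0/24 allow` limits who can use this recursive resolver to actual VPN clients, which is the least-privilege choice and costs nothing here. Separately, `outgoing-interface: 203.0.113.5` only controls the source address of upstream queries; the `interface:` lines that decide where unbound listens are not in this hunk, and they should not expose the resolver on the public address, or the host becomes an open resolver regardless of the access-control line.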
Line 90: | Line 90: | ||
<code> | <code> | ||
- | $ awk '!/^ *#/ && NF' hosts # taken from stevenblack's list | + | $ awk '!/^ *#/ && NF' hosts > newhosts # taken from stevenblack's list |
$ sed 's/0\.0\.0\.0 \([^#]*\).*$/local-zone: "\1" static/' newhosts > newhosts2 | $ sed 's/0\.0\.0\.0 \([^#]*\).*$/local-zone: "\1" static/' newhosts > newhosts2 | ||
- | $ sed 's/ "/"' newhosts2 > newhosts3 | + | $ sed 's/ "/"/' newhosts2 > newhosts3 |
</code> | </code> | ||
Manually check for malformed entries, then put this into /var/unbound/etc/unbound.conf. | Manually check for malformed entries, then put this into /var/unbound/etc/unbound.conf. | ||
+ | |||
+ | Does this need to be added to /etc/sysctl.conf: | ||
+ | |||
+ | <code> | ||
+ | net.inet.ip.forwarding=1 | ||
+ | net.inet.ipcomp.enable=1 | ||
+ | net.inet.esp.enable=1 | ||
+ | net.inet.ah.enable=1 | ||
+ | </code> | ||
+ | |||
To start iked, | To start iked, | ||
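Review bot: the new paragraph "Does this need to be added to /etc/sysctl.conf" ships an open question in a how-to. The answer is that `net.inet.ip.forwarding=1` is required, because the server has to forward packets between the 10.0.5.0/24 clients and the outside and that sysctl defaults to 0; `net.inet.esp.enable` and `net.inet.ah.enable` already default to 1 on OpenBSD, and `net.inet.ipcomp.enable` only matters if compression is configured. Suggest rewriting it as a statement, keeping the forwarding line, and noting that with forwarding on the host will route for any source the pf ruleset permits, so the pf rules are what keep it from forwarding for anyone other than tagged ROADW clients. The two shell fixes in the same hunk are correct and should stay: the missing `> newhosts` after the awk command and the missing closing `/` in `s/ "/"/` would each have broken the pipeline. Since the page then says to check for malformed entries by hand without saying what to look for, a filter such as `grep -v '^local-zone: "[A-Za-z0-9.-]*" static$' newhosts3` shows exactly the lines that need attention before they go into unbound.conf.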
Line 108: | Line 118: | ||
<code> | <code> | ||
- | $ doas iked -dv | + | $ doas iked -6 -dv |
</code> | </code> | ||
+ | |||
+ | Note: You may consider using blacklists from here: | ||
+ | https://dsi.ut-capitole.fr/blacklists/index_en.php | ||
+ | https://github.com/4skinSkywalker/anti-porn-hosts-file/blob/master/HOSTS.txt | ||
+ | https://mirror1.malwaredomains.com/files/justdomains https://blocklist.site/app/dl/piracy https://blocklist.site/app/dl/torrent https://mirror1.malwaredomains.com/files/justdomains https://github.com/mmotti/pihole-regex/blob/master/regex.list https://blocklist.site/app/dl/porn | ||
+ | |||
+ | Banned networks: | ||
+ | |||
+ | irc.p2p-network.net | ||
+ | irc.gazellegames.net | ||
+ | irc.nzbs.in |
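Review bot: the new `-6` flag needs a sentence explaining it, otherwise it reads like a typo. Per iked(8) for this release, `-6` disables iked's default blocking of IPv6 traffic, a leak guard intended for road-warrior clients; on a server that also needs its own IPv6 connectivity that is the intended trade-off, but the reader should know it is one. `-dv` also runs iked in the foreground with debug output, which is fine for testing; for a permanent setup the flag belongs in `rcctl set iked flags -6` together with `rcctl enable iked`. In the blacklist paragraph, `https://mirror1.malwaredomains.com/files/justdomains` is listed twice, several URLs are run together on one line, and the two `github.com/.../blob/` links return an HTML page rather than the list itself, so they need the raw file URL before they can be fed to the awk/sed pipeline above. These lists are third-party input that directly controls which names the VPN's resolver refuses to answer, so each should be fetched over HTTPS and reviewed before it is loaded. Finally, "Banned networks" does not say whether these three IRC hosts are to be added to the block list or are networks that refuse connections from the VPN address; state which.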