Blame
Date:
Mon Jan 23 05:00:25 2023 UTC
Message:
Daily backup
001
2023-01-22
jrmu
version=pmwiki-2.2.130 ordered=1 urlencoded=1
002
2023-01-22
jrmu
agent=w3m/0.5.3+git20210102
003
2023-01-22
jrmu
author=jrmu
004
2023-01-22
jrmu
charset=UTF-8
005
2023-01-22
jrmu
csum=
006
2023-01-22
jrmu
ctime=1615256737
007
2023-01-22
jrmu
host=38.87.162.154
008
2023-01-22
jrmu
name=Iked.Configure
009
2023-01-22
jrmu
rev=29
010
2023-01-22
jrmu
targets=Unbound.Configure,Pf.Guide,IP.Myaddress,Vmm.Install,Openhttpd.Configure,Unbound.Blacklists
011
2023-01-22
jrmu
text=(:title Configuring OpenIKED:)

OpenIKED is OpenBSD's native VPN solution. It is included with the base system,
so no installation will be necessary. It allows us to use IPsec to provide
users with a VPN for security, privacy, and freedom of information.

Pros:

* Clean
* Secure
* Interoperable
* Simple to Configure

This configuration is for a road warrior setup, where a user wants to connect his device to a network (rather than connecting two networks).

!! Before You Begin

Make sure to read the [[https://www.openbsd.org/faq/faq17.html|FAQ's VPN guide]] and the manual pages for [[https://man.openbsd.org/iked|iked]] and [[https://man.openbsd.org/iked.conf|iked.conf]].

!! Configure iked.conf

Add this to /etc/iked.conf (replace @@username@@ and @@password@@ with your actual username and password; replace @@172.16.0.1@@ with your server's public IP address; and replace @@example.com@@ with your actual hostname):

[@
gateway = "172.16.0.1"
hostname = "example.com"
pool = "10.0.5.0/24"
dns = "172.16.0.1"

user 'username' 'password'
ikev2 $hostname passive esp \
 from any to dynamic \
 local $gateway peer any \
 srcid $hostname \
 eap "mschap-v2" \
 config address $pool \
 config name-server $dns \
 tag "ROADW"
@]

You must replace @@example.com@@ with a valid hostname that resolves to an IP address. Leave pool as @@10.0.5.0/24@@.

@@from any to dynamic@@ allows any user to connect. $dns must provide the IP address of the name server that VPN clients will use. This example assumes you have a valid [[unbound/configure|caching name server]] configured and listening on IP 172.16.0.1.

Packets from these clients will get tagged as ROADW.

iked depends upon packet filter being enabled. First, enable [[pf/guide|packet filter]] if it
is turned off:

[@
$ doas pfctl -e
@]

Next, add this to /etc/pf.conf:

[@
pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED
pass in inet proto esp tag IKED
pass on enc0 inet tagged ROADW
match out on $ext_if inet tagged ROADW nat-to $ext_if
match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53
@]

where $ext_if is [[IP/Myaddress|your external interface]].

To find your external interface, type:

[@
$ ifconfig
@]

The external interface is the one with the public IP address. If OpenBSD is run inside [[vmm/install|vmm]], the external interface is probably vio0.

To reload the new pf ruleset:

[@
$ doas pfctl -f /etc/pf.conf
@]

At this point, we need to create a PKI and the X.509 certificates that the VPN client can use to verify the server. From the command line, run this as root:

[@
# ikectl ca vpn create
# ikectl ca vpn install
certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt
CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl
# ikectl ca vpn certificate example.com create
# ikectl ca vpn certificate example.com install
writing RSA key
@]

Replace @@example.com@@ with your actual domain.

Users of the VPN will need to download @@/etc/iked/ca/ca.crt@@ to their device. The easiest way is to use [[openhttpd/configure|openhttpd]] and serve the file over the web.

[@
# cp /etc/iked/ca/ca.crt /var/www/htdocs/example.com/
# chown www:daemon /var/www/htdocs/example.com/ca.crt
@]

If the web server is configured correctly, users can then download the file at @@https://example.com/ca.crt@@.

!! Configuring DNS

This example uses [[unbound/configure|unbound]] as the caching DNS resolver. It assumes your server has its IP addresses statically assigned and is not using DHCP to locate its name servers.

Replace [[https://man.openbsd.org/resolv.conf|/etc/resolv.conf]] with the following:

[@
nameserver 127.0.0.1
lookup file bind
@]

Edit the following values in [[https://man.openbsd.org/unbound.conf|/var/unbound/etc/unbound.conf]]:

[@
outgoing-interface: 172.16.0.1
access-control: 10.0.0.0/8 allow
@]

We recommend configuring [[unbound/blacklists|domain blacklists]] for unbound to block unwanted traffic.

Edit [[https://man.openbsd.org/sysctl.conf|/etc/sysctl.conf]] to include these directives:

[@
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet.ipcomp.enable=1
net.inet.esp.enable=1
net.inet.ah.enable=1
@]

Next, run these commands as root:

[@
sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip6.forwarding=1
sysctl net.inet.ipcomp.enable=1
sysctl net.inet.esp.enable=1
sysctl net.inet.ah.enable=1
@]

IP forwarding allows the server to forward the user's packets to their final destination.

Tighten file permissions (iked.conf holds the user's password in clear text), then start iked:

[@
$ doas chmod 0600 /etc/iked.conf
$ doas rcctl enable iked
$ doas rcctl start iked
@]

!! Troubleshooting

Running iked in debug mode can provide valuable info about errors in configuration.

First, turn off iked if it is running:

[@
$ doas rcctl stop iked
@]

Check to make sure no iked processes are running:

[@
$ ps ax | grep iked
@]

Then, run iked in debug mode:

[@
$ doas iked -dv
@]

-d keeps iked in the foreground (it does not daemonize), and -v makes it report errors verbosely.
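Added here as an example, not code from the ircnow wiki or from OpenBSD: a POSIX sh preflight script that checks copies of the three files the guide edits (iked.conf, pf.conf, sysctl.conf) against the rules the guide gives, before iked is started. The paths it takes as arguments, the function names and the placeholder strings it flags are this example's own assumptions, taken from the guide's sample configuration.

```shell
#!/bin/sh
# Added example (not from the wiki page or OpenBSD): preflight checks for the
# road-warrior OpenIKED setup. Each check reads a file given as an argument,
# so it can be run against staged copies before anything touches /etc.
# Function names and placeholder strings are this example's assumptions.

# The five rules the guide adds to /etc/pf.conf, matched as fixed strings.
PF_RULES='pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED
pass in inet proto esp tag IKED
pass on enc0 inet tagged ROADW
match out on $ext_if inet tagged ROADW nat-to $ext_if
match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53'

# The sysctl directives the guide puts in /etc/sysctl.conf.
SYSCTLS='net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet.ipcomp.enable=1
net.inet.esp.enable=1
net.inet.ah.enable=1'

# missing_lines FILE LINES: print every line of LINES that does not occur
# verbatim in FILE (grep -F, so pf's braces and $ext_if are taken literally).
missing_lines() {
    printf '%s\n' "$2" | while IFS= read -r line; do
        grep -qF -- "$line" "$1" || printf '%s\n' "$line"
    done
}

# check_pf FILE: every guide rule must be present, and ext_if must be defined
# as a macro, otherwise pfctl rejects the nat-to rule when the ruleset loads.
check_pf() {
    m=$(missing_lines "$1" "$PF_RULES")
    [ -z "$m" ] || { printf 'pf.conf is missing:\n%s\n' "$m" >&2; return 1; }
    grep -q '^ext_if *=' "$1" || { echo 'pf.conf does not define ext_if' >&2; return 1; }
}

# check_sysctl FILE: all forwarding/IPsec sysctls must be set, otherwise the
# server accepts tunnels but never routes the clients' packets onward.
check_sysctl() {
    m=$(missing_lines "$1" "$SYSCTLS")
    [ -z "$m" ] || { printf 'sysctl.conf is missing:\n%s\n' "$m" >&2; return 1; }
}

# check_iked FILE: the policy must carry the pieces the pf rules rely on, the
# guide's placeholders must be replaced, and the file must be mode 0600
# because the user line stores the EAP password in clear text.
check_iked() {
    f=$1; rc=0
    for needle in 'ikev2 ' 'from any to dynamic' 'eap "mschap-v2"' \
                  'config address' 'config name-server' 'tag "ROADW"'; do
        grep -qF -- "$needle" "$f" || { printf 'iked.conf lacks: %s\n' "$needle" >&2; rc=1; }
    done
    for placeholder in "user 'username' 'password'" 'hostname = "example.com"'; do
        if grep -qF -- "$placeholder" "$f"; then
            printf 'placeholder still present: %s\n' "$placeholder" >&2; rc=1
        fi
    done
    [ "$(ls -l "$f" | cut -c2-10)" = 'rw-------' ] || { printf '%s is not mode 0600\n' "$f" >&2; rc=1; }
    return $rc
}

# preflight IKED_CONF PF_CONF SYSCTL_CONF: run all three checks and report.
preflight() {
    failed=0
    check_iked "$1" || failed=1
    check_pf "$2" || failed=1
    check_sysctl "$3" || failed=1
    if [ $failed -eq 0 ]; then echo 'preflight OK'; else echo 'preflight FAILED' >&2; fi
    return $failed
}

# On the server itself: preflight /etc/iked.conf /etc/pf.conf /etc/sysctl.conf
```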
012
2023-01-22
jrmu
time=1656167319
013
2023-01-22
jrmu
title=Configuring OpenIKED
014
2023-01-22
jrmu
author:1656167319=jrmu
015
2023-01-22
jrmu
diff:1656167319:1656136744:=47c47%0a%3c iked depends upon packet filter being enabled. First, enable [[pf/guide|packet filter]] if it%0a---%0a> iked depends upon packet filter being enabled. First, enable packet filter if it%0a64,65c64,65%0a%3c where $ext_if is [[IP/Myaddress|your external interface]].%0a%3c %0a---%0a> where ext_if is [[IP/Myaddress|your external interface]].%0a> %0a133c133%0a%3c Next, run these commands as root:%0a---%0a> Run these commands as root:%0a
016
2023-01-22
jrmu
host:1656167319=38.87.162.154
017
2023-01-22
jrmu
author:1656136744=jrmu
018
2023-01-22
jrmu
diff:1656136744:1656136155:=103,108c103,106%0a%3c !! Configuring DNS%0a%3c %0a%3c This example uses [[unbound/configure|unbound]] as the caching DNS resolver. It assumes your server has its IP addresses statically assigned and is not using DHCP to locate its name servers.%0a%3c %0a%3c Replace [[https://man.openbsd.org/resolv.conf|/etc/resolv.conf]] with the following:%0a%3c %0a---%0a> This example uses [[unbound/configure|unbound]] as the caching DNS resolver. It assumes your server has its IP addresses statically assigned and is not using DHCP to locate its name servers:%0a> %0a> /etc/resolv.conf:%0a> %0a114,115c112,113%0a%3c Edit the following values in [[https://man.openbsd.org/unbound.conf|/var/unbound/etc/unbound.conf]]:%0a%3c %0a---%0a> /etc/resolv.conf.tail:%0a> %0a117,118c115%0a%3c outgoing-interface: 172.16.0.1%0a%3c access-control: 10.0.0.0/8 allow%0a---%0a> lookup file bind%0a121,124c118,119%0a%3c We recommend configuring [[unbound/blacklists|domain blacklists]] for unbound to block unwanted traffic.%0a%3c %0a%3c Edit [[https://man.openbsd.org/sysctl.conf|/etc/sysctl.conf]] to include these directives:%0a%3c %0a---%0a> /var/unbound/etc/unbound.conf:%0a> %0a126,130c121,133%0a%3c net.inet.ip.forwarding=1%0a%3c net.inet6.ip6.forwarding=1%0a%3c net.inet.ipcomp.enable=1%0a%3c net.inet.esp.enable=1%0a%3c net.inet.ah.enable=1%0a---%0a> outgoing-interface: 172.16.0.1%0a> access-control: 10.0.0.0/8 allow%0a> ...%0a> %0a> local-zone: "www.domain.com" static%0a> %0a> ...%0a> %0a> forward-zone:%0a> forward-addr: 185.121.177.177%0a> forward-addr: 169.239.202.202%0a> %0a> ...%0a133,134c136,137%0a%3c Run these commands as root:%0a%3c %0a---%0a> The local-zone lines are only needed if you want to filter/censor domains. You can obtain a list of domains to block using [[https://github.com/StevenBlack/hosts|StevenBlack's hosts]] files. 
I used the [[https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts|unified hosts + porn + gambling]] filter to block unwanted content.%0a> %0a136,140c139%0a%3c sysctl net.inet.ip.forwarding=1%0a%3c sysctl net.inet6.ip6.forwarding=1%0a%3c sysctl net.inet.ipcomp.enable=1%0a%3c sysctl net.inet.esp.enable=1%0a%3c sysctl net.inet.ah.enable=1%0a---%0a> $ ftp https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts%0a143,146c142,143%0a%3c IP forwarding allows the server to forward the user's packets to their final destination.%0a%3c %0a%3c Tighten file permissions, then start iked:%0a%3c %0a---%0a> We need to reformat this hosts file:%0a> %0a148,150c145,147%0a%3c $ doas chmod 0600 /etc/iked.conf%0a%3c $ doas rcctl enable iked%0a%3c $ doas rcctl start iked%0a---%0a> $ awk '!/^ *#/ && NF' hosts > newhosts # taken from stevenblack's list%0a> $ sed 's/0\.0\.0\.0 \([^#]*\).*$/local-zone: "\1" static/' newhosts > newhosts2%0a> $ sed 's/ "/"/' newhosts2 > newhosts3%0a151a149,191%0a> %0a> Manually check for malformed entries, then put this into /var/unbound/etc/unbound.conf.%0a> %0a> Add this to /etc/sysctl.conf:%0a> %0a> [@%0a> net.inet.ip.forwarding=1%0a> net.inet6.ip6.forwarding=1%0a> net.inet.ipcomp.enable=1%0a> net.inet.esp.enable=1%0a> net.inet.ah.enable=1%0a> @]%0a> %0a> Run this once:%0a> %0a> [@%0a> $ doas sysctl net.inet.ip.forwarding=1%0a> $ doas sysctl net.inet6.ip6.forwarding=1%0a> $ doas sysctl net.inet.ipcomp.enable=1%0a> $ doas sysctl net.inet.esp.enable=1%0a> $ doas sysctl net.inet.ah.enable=1%0a> @]%0a> %0a> IP forwarding allows the server to forward the user's packets to their final destination.%0a> %0a> Tighten file permissions, then start iked:%0a> %0a> [@%0a> $ doas chmod 0600 /etc/iked.conf%0a> $ doas rcctl enable iked%0a> $ doas rcctl start iked%0a> @]%0a> %0a> Note: You may consider using blacklists from here:%0a> https://dsi.ut-capitole.fr/blacklists/index_en.php%0a> 
https://github.com/4skinSkywalker/anti-porn-hosts-file/blob/master/HOSTS.txt%0a> https://mirror1.malwaredomains.com/files/justdomains https://blocklist.site/app/dl/piracy https://blocklist.site/app/dl/torrent https://mirror1.malwaredomains.com/files/justdomains https://github.com/mmotti/pihole-regex/blob/master/regex.list https://blocklist.site/app/dl/porn%0a> %0a> Banned networks:%0a> %0a> irc.p2p-network.net%0a> irc.gazellegames.net%0a> irc.nzbs.in%0a
019
2023-01-22
jrmu
host:1656136744=38.87.162.154
020
2023-01-22
jrmu
author:1656136155=jrmu
021
2023-01-22
jrmu
diff:1656136155:1655966039:=22,23c22,23%0a%3c Add this to /etc/iked.conf (replace @@username@@ and @@password@@ with your actual username and password; replace @@172.16.0.1@@ with your server's public IP address; and replace @@example.com@@ with your actual hostname):%0a%3c %0a---%0a> Add this to /etc/iked.conf (replace @@username@@ with your actual username; replace @@172.16.0.1@@ with your server's public IP address; and replace @@example.com@@ with your actual hostname):%0a> %0a41c41%0a%3c You must replace @@example.com@@ with be a valid hostname that resolves to an IP address. Leave pool as @@10.0.5.0/24@@.%0a---%0a> You must replace @@example.com@@ with be a valid hostname that resolves to an IP address.%0a
022
2023-01-22
jrmu
host:1656136155=38.87.162.154
023
2023-01-22
jrmu
author:1655966039=jrmu
024
2023-01-22
jrmu
diff:1655966039:1655965216:=26c26%0a%3c hostname = "example.com"%0a---%0a> name = "example.com"%0a31c31%0a%3c ikev2 $hostname passive esp \%0a---%0a> ikev2 $name passive esp \%0a34c34%0a%3c srcid $hostname \%0a---%0a> srcid $name \%0a
025
2023-01-22
jrmu
host:1655966039=38.87.162.154
026
2023-01-22
jrmu
author:1655965216=jrmu
027
2023-01-22
jrmu
diff:1655965216:1655964502:=22,23c22,23%0a%3c Add this to /etc/iked.conf (replace @@username@@ with your actual username; replace @@172.16.0.1@@ with your server's public IP address; and replace @@example.com@@ with your actual hostname):%0a%3c %0a---%0a> Add this to /etc/iked.conf (replace username and 172.16.0.1 with your server's public IP address and example.com with your domain):%0a> %0a41c41%0a%3c You must replace @@example.com@@ with be a valid hostname that resolves to an IP address.%0a---%0a> @@$name@@ must be a valid hostname that resolves to an IP address.%0a
028
2023-01-22
jrmu
host:1655965216=38.87.162.154
029
2023-01-22
jrmu
author:1655964502=jrmu
030
2023-01-22
jrmu
diff:1655964502:1655795234:=16,19d15%0a%3c !! Before You Begin%0a%3c %0a%3c Make sure to read the [[https://www.openbsd.org/faq/faq17.html|FAQ's VPN guide]] and the manual pages for [[https://man.openbsd.org/iked|iked]] and [[https://man.openbsd.org/iked.conf|iked.conf]].%0a%3c %0a41c37%0a%3c @@$name@@ must be a valid hostname that resolves to an IP address.%0a---%0a> $name must be a valid hostname that resolves to an IP address.%0a
031
2023-01-22
jrmu
host:1655964502=38.87.162.154
032
2023-01-22
jrmu
author:1655795234=jrmu
033
2023-01-22
jrmu
diff:1655795234:1655795052:=76c76%0a%3c At this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. From the command line, run this as root:%0a---%0a> At this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. From the command line, run:%0a
034
2023-01-22
jrmu
host:1655795234=38.87.162.154
035
2023-01-22
jrmu
author:1655795052=jrmu
036
2023-01-22
jrmu
diff:1655795052:1655793929:=42a43,48%0a> iked depends upon packet filter being enabled. First, you must make sure to enable%0a> packet filter if it is off:%0a> %0a> %0a> The 'from' rule allows any user to connect. The name-server provides the name-server that vpn clients will use. So in this example, you must have a valid caching name server running on IP 203.0.113.5. Note that these packets will get tagged as ROADW.%0a> %0a99c105%0a%3c This example uses [[unbound/configure|unbound]] as the caching DNS resolver. It assumes your server has its IP addresses statically assigned and is not using DHCP to locate its name servers:%0a---%0a> We will use unbound as the caching DNS resolver. This configuration assumes your server has its IP addresses statically assigned and is not using DHCP to locate its name servers:%0a
037
2023-01-22
jrmu
host:1655795052=38.87.162.154
038
2023-01-22
jrmu
author:1655793929=tool and jrmu
039
2023-01-22
jrmu
csum:1655793929=Updated config according to suggestions by tool, some other edits by jrmu
040
2023-01-22
jrmu
diff:1655793929:1654700962:=18,19c18,19%0a%3c Add this to /etc/iked.conf (replace username and 172.16.0.1 with your server's public IP address and example.com with your domain):%0a%3c %0a---%0a> Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address and vpn.ircnow.org with your domain):%0a> %0a21,25d20%0a%3c gateway = "172.16.0.1"%0a%3c name = "example.com"%0a%3c pool = "10.0.5.0/24"%0a%3c dns = "172.16.0.1"%0a%3c %0a27,30c22,25%0a%3c ikev2 $name passive esp \%0a%3c from any to dynamic \%0a%3c local $gateway peer any \%0a%3c srcid $name \%0a---%0a> ikev2 'vpn.ircnow.org' passive esp \%0a> from 0.0.0.0/0 to 0.0.0.0/0 \%0a> local 203.0.113.5 peer any \%0a> srcid vpn.ircnow.org \%0a32,33c27,28%0a%3c config address $pool \%0a%3c config name-server $dns \%0a---%0a> config address 10.0.5.0/24 \%0a> config name-server 203.0.113.5 \%0a37,42c32,33%0a%3c $name must be a valid hostname that resolves to an IP address.%0a%3c %0a%3c @@from any to dynamic@@ allows any user to connect. $dns must provide the IP address for the name server that vpn clients will use. This example assumes you have a valid [[unbound/configure|caching name server]] configured and listening on IP 172.16.0.1.%0a%3c %0a%3c These packets will get tagged as ROADW.%0a%3c %0a---%0a> The 'from' rule allows any user to connect. The name-server provides the name-server that vpn clients will use. So in this example, you must have a valid caching name server running on IP 203.0.113.5. Note that these packets will get tagged as ROADW.%0a> %0a46,51d36%0a%3c %0a%3c The 'from' rule allows any user to connect. The name-server provides the name-server that vpn clients will use. So in this example, you must have a valid caching name server running on IP 203.0.113.5. Note that these packets will get tagged as ROADW.%0a%3c %0a%3c iked depends upon packet filter being enabled. 
First, enable packet filter if it%0a%3c is turned off:%0a%3c %0a56,57c41,42%0a%3c Next, add this to /etc/pf.conf:%0a%3c %0a---%0a> Add this to /etc/pf.conf:%0a> %0a74,75c59,60%0a%3c The external interface is the one with the public IP address. If OpenBSD is run inside [[vmm/install|vmm]], the external interface is probably vio0.%0a%3c %0a---%0a> The external interface is the one with the public IP address. If OpenBSD is run on a virtual machine, the external interface is probably vio0.%0a> %0a105,106c90,91%0a%3c We will use unbound as the caching DNS resolver. This configuration assumes your server has its IP addresses statically assigned and is not using DHCP to locate its name servers:%0a%3c %0a---%0a> We will use unbound as the caching DNS resolver. Our servers have static IP addresses so we do not use DHCP (if DHCP is used, you must ignore the provided name servers):%0a> %0a123c108%0a%3c outgoing-interface: 172.16.0.1%0a---%0a> outgoing-interface: 203.0.113.5%0a
041
2023-01-22
jrmu
host:1655793929=38.87.162.154
042
2023-01-22
jrmu
author:1654700962=miniontoby
043
2023-01-22
jrmu
csum:1654700962=Removed problem since I was dumb
044
2023-01-22
jrmu
diff:1654700962:1654676495:=202a203,222%0a> %0a> %0a> !! Known Problem%0a> %0a> Some users have the problem they cannot get connected%0a> %0a> Firstly run the iked with rcctl (since then we can see all the logs in 1 file)%0a> %0a> Then try to connect to your VPN and then go to your vps and execute [@doas tail /var/log/daemon@]%0a> %0a> What I see is this:%0a> [@%0a> miniontoby iked[24021]: spi=0x1c3b15ac0bd24ffc: recv IKE_SA_INIT req 0 peer 185.61.52.200:279 local 38.87.162.2:500, 1104 bytes, policy 'user_vpn'%0a> miniontoby iked[24021]: spi=0x1c3b15ac0bd24ffc: send IKE_SA_INIT res 0 peer 185.61.52.200:279 local 38.87.162.2:500, 321 bytes%0a> miniontoby relayd[46360]: relay wwwtls, session 108 (1 active), 0, 185.61.52.200 -> :0, Undefined error: 0%0a> @]%0a> %0a> This shows that it does get connected, but it still doesn't work, and as far as I can tell, it might be a problem with relayd...%0a> %0a> '''We don't have the answer of the problem yet, so please come back later!'''%0a
045
2023-01-22
jrmu
host:1654700962=45.136.74.157
046
2023-01-22
jrmu
author:1654676495=miniontoby
047
2023-01-22
jrmu
csum:1654676495=Added the
048
2023-01-22
jrmu
diff:1654676495:1628357021:=203,222d202%0a%3c %0a%3c %0a%3c !! Known Problem%0a%3c %0a%3c Some users have the problem they cannot get connected%0a%3c %0a%3c Firstly run the iked with rcctl (since then we can see all the logs in 1 file)%0a%3c %0a%3c Then try to connect to your VPN and then go to your vps and execute [@doas tail /var/log/daemon@]%0a%3c %0a%3c What I see is this:%0a%3c [@%0a%3c miniontoby iked[24021]: spi=0x1c3b15ac0bd24ffc: recv IKE_SA_INIT req 0 peer 185.61.52.200:279 local 38.87.162.2:500, 1104 bytes, policy 'user_vpn'%0a%3c miniontoby iked[24021]: spi=0x1c3b15ac0bd24ffc: send IKE_SA_INIT res 0 peer 185.61.52.200:279 local 38.87.162.2:500, 321 bytes%0a%3c miniontoby relayd[46360]: relay wwwtls, session 108 (1 active), 0, 185.61.52.200 -> :0, Undefined error: 0%0a%3c @]%0a%3c %0a%3c This shows that it does get connected, but it still doesn't work, and as far as I can tell, it might be a problem with relayd...%0a%3c %0a%3c '''We don't have the answer of the problem yet, so please come back later!'''%0a
049
2023-01-22
jrmu
host:1654676495=185.61.52.200
050
2023-01-22
jrmu
author:1628357021=jrmu
051
2023-01-22
jrmu
diff:1628357021:1628354928:=51c51%0a%3c where ext_if is [[IP/Myaddress|your external interface]].%0a---%0a> where ext_if is your external interface. ([[IP/Myaddress|Read how to find your external interface]])%0a
052
2023-01-22
jrmu
host:1628357021=125.231.70.149
053
2023-01-22
jrmu
author:1628354928=jrmu
054
2023-01-22
jrmu
diff:1628354928:1620873984:=1,8c1,7%0a%3c (:title Configuring OpenIKED:)%0a%3c %0a%3c OpenIKED is OpenBSD's native VPN solution. It is included with the base system,%0a%3c so no installation will be necessary. It allows us to use IPSec to provide%0a%3c users with a VPN for security, privacy, and freedom of information.%0a%3c %0a%3c Pros:%0a%3c %0a---%0a> [+IKED+]%0a> %0a> OpenIKED is a free implementation of IKEv2 protocol which enable us to create VPNs in openBSD. OpenIKED is developed as part of the OpenBSD Project in that way comes with the OS, there is no need to install it.%0a> %0a> OpenIKED focuses mainly:%0a> %0a> * Lean%0a12,19c11,67%0a%3c * Simple to Configure%0a%3c %0a%3c This configuration is for a road warrior setup, where a user wants to connect his device to a network (rather than connecting two networks).%0a%3c %0a%3c !! Configure iked.conf%0a%3c %0a%3c Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address and vpn.ircnow.org with your domain):%0a%3c %0a---%0a> * Configurable%0a> %0a> Now, we'll set up the VPN, both on the server-side and on the client-side%0a> %0a> [+SETTING UP IKED - (SERVER-SIDE)+]%0a> %0a> First we need to add some rules to our pf filters in order to allow IKED, isakmp, ipsec packages pass.%0a> Add this to /etc/pf.conf and make sure that $ext_if match your output interface. 
If you dont know what is your $ext_if, just issue the following command in your terminal @@$coconut ifconfig@@ and you'll see the interfaces, your $ext_if is the one who has an public IP address, for example it could be vio0.[[%3c%3c]][[%3c%3c]]%0a> add the following lines to the file%0a> @@/etc/pf.conf@@ %0a> %0a> @@pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED[[%3c%3c]]@@%0a> @@pass in inet proto esp tag IKED[[%3c%3c]]@@%0a> @@pass on enc0 inet tagged ROADW[[%3c%3c]]@@%0a> @@match out on $ext_if inet tagged ROADW nat-to $ext_if[[%3c%3c]]@@%0a> @@match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53[[%3c%3c]]@@%0a> %0a> Then in order to update the ruleset or apply the changes, we need to reload pf, we could do that with the following line:%0a> %0a> @@$ doas pfctl -f /etc/pf.conf [[%3c%3c]]@@%0a> %0a> At this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. In the part %3cserver1.domain>, replace it with your own domain. From the command line just run:%0a> %0a> %0a> @@$doas ikectl ca vpn create[[%3c%3c]]@@%0a> @@$doas ikectl ca vpn install[[%3c%3c]]@@%0a> @@certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt[[%3c%3c]]@@%0a> @@CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl[[%3c%3c]]@@%0a> @@$doas ikectl ca vpn certificate server1.domain create[[%3c%3c]]@@%0a> @@$doas ikectl ca vpn certificate server1.domain install[[%3c%3c]]@@%0a> @@writing RSA key[[%3c%3c]]@@%0a> %0a> the file we need to export to the clients will be @@/etc/iked/ca/ca.crt@@ we can do that, using scp to copy the file from our server to our local computer or some other application in your phone, there is no need to install scp,scp use the same credentials that ssh use, you can run the following command[[%3c%3c]]%0a> %0a> @@$scp %3cuser>@%3cuser>.coconut.ircnow.org:/etc/iked/ca/ca.crt .@@%0a> %0a> %0a> Make sure to enable IP forwarding. 
you must be asking Why?, let me explain it, if you dont enable this kernel feature, your server will not act as a router,in other words, it cannot forward packages to their destination, your packages will be able to reach the server, but then they will be stuck there, without possibility to get out from there[[%3c%3c]]%0a> %0a> @@$echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf[[%3c%3c]]@@%0a> @@$echo 'net.inet6.ip6.forwarding=1' >> /etc/sysctl.conf[[%3c%3c]]@@%0a> @@$echo 'net.inet.ipcomp.enable=1' >> /etc/sysctl.conf [[%3c%3c]]@@ %0a> @@$echo 'net.inet.esp.enable=1' >> /etc/sysctl.conf[[%3c%3c]]@@%0a> @@$echo 'net.inet.ah.enable=1' >> /etc/sysctl.conf[[%3c%3c]]@@%0a> @@$sysctl net.inet.ip.forwarding=1[[%3c%3c]]@@%0a> @@$sysctl net.inet6.ip6.forwarding=1[[%3c%3c]]@@%0a> %0a> [[%3c%3c]]%0a> We will use unbound as the caching DNS resolver. Our servers have static IP addresses so we do not use DHCP (if DHCP is used, you must ignore the provided name servers):[[%3c%3c]]%0a> @@/etc/resolv.conf:@@%0a> %0a> nameserver 127.0.0.1%0a> lookup file bind%0a> /etc/resolv.conf.tail:%0a> %0a> lookup file bind%0a> @@/var/unbound/etc/unbound.conf:@@%0a21,29c69,81%0a%3c user 'username' 'password'%0a%3c ikev2 'vpn.ircnow.org' passive esp \%0a%3c from 0.0.0.0/0 to 0.0.0.0/0 \%0a%3c local 203.0.113.5 peer any \%0a%3c srcid vpn.ircnow.org \%0a%3c eap "mschap-v2" \%0a%3c config address 10.0.5.0/24 \%0a%3c config name-server 203.0.113.5 \%0a%3c tag "ROADW"%0a---%0a> outgoing-interface: 203.0.113.5%0a> access-control: 10.0.0.0/8 allow%0a> ...%0a> %0a> local-zone: "www.domain.com" static%0a> %0a> ...%0a> %0a> forward-zone:%0a> forward-addr: 185.121.177.177%0a> forward-addr: 169.239.202.202%0a> %0a> ...%0a32,36c84,88%0a%3c The 'from' rule allows any user to connect. The name-server provides the name-server that vpn clients will use. So in this example, you must have a valid caching name server running on IP 203.0.113.5. 
Note that these packets will get tagged as ROADW.%0a%3c %0a%3c iked depends upon packet filter being enabled. First, you must make sure to enable%0a%3c packet filter if it is off:%0a%3c %0a---%0a> The local-zone lines are only needed if you want to filter/censor domains. You can obtain a list of domains to block using StevenBlack's hosts files. I used the unified hosts + porn + gambling filter to block unwanted content.[[>>]]%0a> %0a> @@$ curl -L -O https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts@@[[%3c%3c]]%0a> %0a> We need to reformat this hosts file:[[%3c%3c]]%0a38,131d89%0a%3c $ doas pfctl -e%0a%3c @]%0a%3c %0a%3c Add this to /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED%0a%3c pass in inet proto esp tag IKED%0a%3c pass on enc0 inet tagged ROADW%0a%3c match out on $ext_if inet tagged ROADW nat-to $ext_if%0a%3c match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53%0a%3c @]%0a%3c %0a%3c where ext_if is your external interface. ([[IP/Myaddress|Read how to find your external interface]])%0a%3c %0a%3c To find your external interface, type:%0a%3c %0a%3c [@%0a%3c $ ifconfig%0a%3c @]%0a%3c %0a%3c The external interface is the one with the public IP address. If OpenBSD is run on a virtual machine, the external interface is probably vio0.%0a%3c %0a%3c To reload the new pf ruleset:%0a%3c %0a%3c [@%0a%3c $ doas pfctl -f /etc/pf.conf %0a%3c @]%0a%3c %0a%3c At this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. 
From the command line, run:%0a%3c %0a%3c [@%0a%3c # ikectl ca vpn create%0a%3c # ikectl ca vpn install%0a%3c certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt%0a%3c CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl%0a%3c # ikectl ca vpn certificate example.com create%0a%3c # ikectl ca vpn certificate example.com install%0a%3c writing RSA key%0a%3c @]%0a%3c %0a%3c Replace @@example.com@@ with your actual domain.%0a%3c %0a%3c Users of the VPN will need to download @@/etc/iked/ca/ca.crt@@ to their device. The easiest way is to use [[openhttpd/configure|openhttpd]] and serve the file over the web.%0a%3c %0a%3c [@%0a%3c # cp /etc/iked/ca/ca.crt /var/www/htdocs/example.com/%0a%3c # chown www:daemon /var/www/htdocs/example.com/ca.crt%0a%3c @]%0a%3c %0a%3c If the web server is configured correctly, users can then download the file at @@https://example.com/ca.crt@@.%0a%3c %0a%3c We will use unbound as the caching DNS resolver. Our servers have static IP addresses so we do not use DHCP (if DHCP is used, you must ignore the provided name servers):%0a%3c %0a%3c /etc/resolv.conf:%0a%3c %0a%3c [@%0a%3c nameserver 127.0.0.1%0a%3c lookup file bind%0a%3c @]%0a%3c %0a%3c /etc/resolv.conf.tail:%0a%3c %0a%3c [@%0a%3c lookup file bind%0a%3c @]%0a%3c %0a%3c /var/unbound/etc/unbound.conf:%0a%3c %0a%3c [@%0a%3c outgoing-interface: 203.0.113.5%0a%3c access-control: 10.0.0.0/8 allow%0a%3c ...%0a%3c %0a%3c local-zone: "www.domain.com" static%0a%3c %0a%3c ...%0a%3c %0a%3c forward-zone:%0a%3c forward-addr: 185.121.177.177%0a%3c forward-addr: 169.239.202.202%0a%3c %0a%3c ...%0a%3c @]%0a%3c %0a%3c The local-zone lines are only needed if you want to filter/censor domains. You can obtain a list of domains to block using [[https://github.com/StevenBlack/hosts|StevenBlack's hosts]] files. 
I used the [[https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts|unified hosts + porn + gambling]] filter to block unwanted content.%0a%3c %0a%3c [@%0a%3c $ ftp https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts%0a%3c @]%0a%3c %0a%3c We need to reformat this hosts file:%0a%3c %0a%3c [@%0a135,202c93,123%0a%3c @]%0a%3c %0a%3c Manually check for malformed entries, then put this into /var/unbound/etc/unbound.conf.%0a%3c %0a%3c Add this to /etc/sysctl.conf:%0a%3c %0a%3c [@%0a%3c net.inet.ip.forwarding=1%0a%3c net.inet6.ip6.forwarding=1%0a%3c net.inet.ipcomp.enable=1%0a%3c net.inet.esp.enable=1%0a%3c net.inet.ah.enable=1%0a%3c @]%0a%3c %0a%3c Run this once:%0a%3c %0a%3c [@%0a%3c $ doas sysctl net.inet.ip.forwarding=1%0a%3c $ doas sysctl net.inet6.ip6.forwarding=1%0a%3c $ doas sysctl net.inet.ipcomp.enable=1%0a%3c $ doas sysctl net.inet.esp.enable=1%0a%3c $ doas sysctl net.inet.ah.enable=1%0a%3c @]%0a%3c %0a%3c IP forwarding allows the server to forward the user's packets to their final destination.%0a%3c %0a%3c Tighten file permissions, then start iked:%0a%3c %0a%3c [@%0a%3c $ doas chmod 0600 /etc/iked.conf%0a%3c $ doas rcctl enable iked%0a%3c $ doas rcctl start iked%0a%3c @]%0a%3c %0a%3c Note: You may consider using blacklists from here:%0a%3c https://dsi.ut-capitole.fr/blacklists/index_en.php%0a%3c https://github.com/4skinSkywalker/anti-porn-hosts-file/blob/master/HOSTS.txt%0a%3c https://mirror1.malwaredomains.com/files/justdomains https://blocklist.site/app/dl/piracy https://blocklist.site/app/dl/torrent https://mirror1.malwaredomains.com/files/justdomains https://github.com/mmotti/pihole-regex/blob/master/regex.list https://blocklist.site/app/dl/porn%0a%3c %0a%3c Banned networks:%0a%3c %0a%3c irc.p2p-network.net%0a%3c irc.gazellegames.net%0a%3c irc.nzbs.in%0a%3c %0a%3c !! 
Troubleshooting%0a%3c %0a%3c Running iked in debug mode can provide valuable info about errors in configuration.%0a%3c %0a%3c First, turn off iked if it is running:%0a%3c %0a%3c [@%0a%3c $ doas rcctl stop iked%0a%3c @]%0a%3c %0a%3c Check to make sure no iked processes are running:%0a%3c %0a%3c [@%0a%3c $ ps ax | grep iked%0a%3c @]%0a%3c %0a%3c Then, run iked in debug mode:%0a%3c %0a%3c [@%0a%3c $ doas iked -dv%0a%3c @]%0a%3c %0a%3c -d will cause iked to not daemonize, and -v will report errors verbosely.%0a---%0a> @][[%3c%3c]]%0a> Manually check for malformed entries, then put this into /var/unbound/etc/unbound.conf.[[%3c%3c]]%0a> %0a> %0a> %0a> %0a> Till now we have configured the pf ruleset, the forwarding features, the DNS resolver and we have the certificates, now we need to configure the IKED itself.%0a> Add this to @@/etc/iked.conf@@ (replace 203.0.113.5 with your server's public IP address and vpn.ircnow.org, with your domain):[[%3c%3c]]%0a> %0a> %0a> @@user 'username' 'password'[[%3c%3c]]@@%0a> @@ ikev2 'vpn.ircnow.org' passive esp \[[%3c%3c]]@@%0a> @@ from 0.0.0.0/0 to 0.0.0.0/0 \[[%3c%3c]]@@%0a> @@ local 203.0.113.5 peer any \[[%3c%3c]]@@%0a> @@ srcid vpn.ircnow.org \[[%3c%3c]]@@%0a> @@ eap "mschap-v2" \[[%3c%3c]]@@%0a> @@ config address 10.0.5.0/24 \[[%3c%3c]]@@%0a> @@ config name-server 203.0.113.5 \[[%3c%3c]]@@%0a> @@ tag "ROADW"[[%3c%3c]]@@%0a> %0a> %0a> Now, all is ready to start our VPN iked,just run the following commands[[%3c%3c]]%0a> @@$ doas chmod 0600 /etc/iked.conf [[%3c%3c]]@@%0a> @@$ doas rcctl enable iked[[%3c%3c]]@@%0a> @@$ doas rcctl start iked[[%3c%3c]]@@%0a> %0a> %0a> [+TROUBLESHOOTING+][[%3c%3c]]%0a> Maybe we couldnt get it running, so we need to start the service in debug mode, just ignore the prior commands and run the following line[[%3c%3c]]%0a> @@$doas iked -dvvv@@[[%3c%3c]]%0a> this will show all the info you need in order the fix the issue%0a\ No newline at end of file%0a
host:1628354928=125.231.70.149
author:1620873984=st13g
diff:1620873984:1620873920:=86,88c86,88%0a%3c @@$ curl -L -O https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts@@[[%3c%3c]]%0a%3c %0a%3c We need to reformat this hosts file:[[%3c%3c]]%0a---%0a> @@$ curl -L -O https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts@@[[>>]]%0a> %0a> We need to reformat this hosts file:[[>>]]%0a93,94c93,94%0a%3c @][[%3c%3c]]%0a%3c Manually check for malformed entries, then put this into /var/unbound/etc/unbound.conf.[[%3c%3c]]%0a---%0a> @][[>>]]%0a> Manually check for malformed entries, then put this into /var/unbound/etc/unbound.conf.[[>>]]%0a
host:1620873984=200.121.220.221
author:1620873920=st13g
diff:1620873920:1620873456:=58,99c58,59%0a%3c [[%3c%3c]]%0a%3c We will use unbound as the caching DNS resolver. Our servers have static IP addresses so we do not use DHCP (if DHCP is used, you must ignore the provided name servers):[[%3c%3c]]%0a%3c @@/etc/resolv.conf:@@%0a%3c %0a%3c nameserver 127.0.0.1%0a%3c lookup file bind%0a%3c /etc/resolv.conf.tail:%0a%3c %0a%3c lookup file bind%0a%3c @@/var/unbound/etc/unbound.conf:@@%0a%3c [@%0a%3c outgoing-interface: 203.0.113.5%0a%3c access-control: 10.0.0.0/8 allow%0a%3c ...%0a%3c %0a%3c local-zone: "www.domain.com" static%0a%3c %0a%3c ...%0a%3c %0a%3c forward-zone:%0a%3c forward-addr: 185.121.177.177%0a%3c forward-addr: 169.239.202.202%0a%3c %0a%3c ...%0a%3c @]%0a%3c %0a%3c The local-zone lines are only needed if you want to filter/censor domains. You can obtain a list of domains to block using StevenBlack's hosts files. I used the unified hosts + porn + gambling filter to block unwanted content.[[>>]]%0a%3c %0a%3c @@$ curl -L -O https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts@@[[>>]]%0a%3c %0a%3c We need to reformat this hosts file:[[>>]]%0a%3c [@%0a%3c $ awk '!/^ *#/ && NF' hosts > newhosts # taken from stevenblack's list%0a%3c $ sed 's/0\.0\.0\.0 \([^#]*\).*$/local-zone: "\1" static/' newhosts > newhosts2%0a%3c $ sed 's/ "/"/' newhosts2 > newhosts3%0a%3c @][[>>]]%0a%3c Manually check for malformed entries, then put this into /var/unbound/etc/unbound.conf.[[>>]]%0a%3c %0a%3c %0a%3c %0a%3c %0a%3c Till now we have configured the pf ruleset, the forwarding features, the DNS resolver and we have the certificates, now we need to configure the IKED itself.%0a---%0a> %0a> Till now we have configured the pf ruleset, the forwarding features and we have the certificates, now we need to configure the IKED itself.%0a
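Review bot: the hosts-file conversion in the unbound hunk only rewrites lines that begin with `0.0.0.0`; any other non-comment line that `awk '!/^ *#/ && NF'` lets through is copied into `newhosts3` unchanged and is not valid unbound syntax, which is presumably why the manual check for malformed entries is needed. Selecting on the first field up front (for example `awk '$1 == "0.0.0.0" { print $2 }' hosts`) would make the output clean by construction. Also, `sed 's/ "/"/'` removes the first space-before-quote on each line, which is the one after `local-zone:`, so it does not trim any trailing whitespace that `[^#]*` captured inside the quotes.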
host:1620873920=200.121.220.221
author:1620873456=st13g
diff:1620873456:1620873434:=80c80%0a%3c [+TROUBLESHOOTING+][[%3c%3c]]%0a---%0a> [+TROUBLESHOOTING+]%0a
host:1620873456=200.121.220.221
author:1620873434=st13g
diff:1620873434:1620872105:=32,83c32,73%0a%3c At this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. In the part %3cserver1.domain>, replace it with your own domain. From the command line just run:%0a%3c %0a%3c %0a%3c @@$doas ikectl ca vpn create[[%3c%3c]]@@%0a%3c @@$doas ikectl ca vpn install[[%3c%3c]]@@%0a%3c @@certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt[[%3c%3c]]@@%0a%3c @@CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl[[%3c%3c]]@@%0a%3c @@$doas ikectl ca vpn certificate server1.domain create[[%3c%3c]]@@%0a%3c @@$doas ikectl ca vpn certificate server1.domain install[[%3c%3c]]@@%0a%3c @@writing RSA key[[%3c%3c]]@@%0a%3c %0a%3c the file we need to export to the clients will be @@/etc/iked/ca/ca.crt@@ we can do that, using scp to copy the file from our server to our local computer or some other application in your phone, there is no need to install scp,scp use the same credentials that ssh use, you can run the following command[[%3c%3c]]%0a%3c %0a%3c @@$scp %3cuser>@%3cuser>.coconut.ircnow.org:/etc/iked/ca/ca.crt .@@%0a%3c %0a%3c %0a%3c Make sure to enable IP forwarding. 
you must be asking Why?, let me explain it, if you dont enable this kernel feature, your server will not act as a router,in other words, it cannot forward packages to their destination, your packages will be able to reach the server, but then they will be stuck there, without possibility to get out from there[[%3c%3c]]%0a%3c %0a%3c @@$echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf[[%3c%3c]]@@%0a%3c @@$echo 'net.inet6.ip6.forwarding=1' >> /etc/sysctl.conf[[%3c%3c]]@@%0a%3c @@$echo 'net.inet.ipcomp.enable=1' >> /etc/sysctl.conf [[%3c%3c]]@@ %0a%3c @@$echo 'net.inet.esp.enable=1' >> /etc/sysctl.conf[[%3c%3c]]@@%0a%3c @@$echo 'net.inet.ah.enable=1' >> /etc/sysctl.conf[[%3c%3c]]@@%0a%3c @@$sysctl net.inet.ip.forwarding=1[[%3c%3c]]@@%0a%3c @@$sysctl net.inet6.ip6.forwarding=1[[%3c%3c]]@@%0a%3c %0a%3c %0a%3c Till now we have configured the pf ruleset, the forwarding features and we have the certificates, now we need to configure the IKED itself.%0a%3c Add this to @@/etc/iked.conf@@ (replace 203.0.113.5 with your server's public IP address and vpn.ircnow.org, with your domain):[[%3c%3c]]%0a%3c %0a%3c %0a%3c @@user 'username' 'password'[[%3c%3c]]@@%0a%3c @@ ikev2 'vpn.ircnow.org' passive esp \[[%3c%3c]]@@%0a%3c @@ from 0.0.0.0/0 to 0.0.0.0/0 \[[%3c%3c]]@@%0a%3c @@ local 203.0.113.5 peer any \[[%3c%3c]]@@%0a%3c @@ srcid vpn.ircnow.org \[[%3c%3c]]@@%0a%3c @@ eap "mschap-v2" \[[%3c%3c]]@@%0a%3c @@ config address 10.0.5.0/24 \[[%3c%3c]]@@%0a%3c @@ config name-server 203.0.113.5 \[[%3c%3c]]@@%0a%3c @@ tag "ROADW"[[%3c%3c]]@@%0a%3c %0a%3c %0a%3c Now, all is ready to start our VPN iked,just run the following commands[[%3c%3c]]%0a%3c @@$ doas chmod 0600 /etc/iked.conf [[%3c%3c]]@@%0a%3c @@$ doas rcctl enable iked[[%3c%3c]]@@%0a%3c @@$ doas rcctl start iked[[%3c%3c]]@@%0a%3c %0a%3c %0a%3c [+TROUBLESHOOTING+]%0a%3c Maybe we couldnt get it running, so we need to start the service in debug mode, just ignore the prior commands and run the following line[[%3c%3c]]%0a%3c @@$doas iked 
-dvvv@@[[%3c%3c]]%0a%3c this will show all the info you need in order the fix the issue%0a\ No newline at end of file%0a---%0a> At this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. From the command line, run:%0a> %0a> %0a> $doas ikectl ca vpn create[[%3c%3c]]%0a> $doas ikectl ca vpn install[[%3c%3c]]%0a> certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt[[%3c%3c]]%0a> CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl[[%3c%3c]]%0a> $doas ikectl ca vpn certificate server1.domain create[[%3c%3c]]%0a> $doas ikectl ca vpn certificate server1.domain install[[%3c%3c]]%0a> writing RSA key[[%3c%3c]]%0a> %0a> the file we need to export will be /etc/iked/ca/ca.crt[[%3c%3c]]%0a> %0a> %0a> Make sure to enable IP forwarding[[%3c%3c]]%0a> %0a> $echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf[[%3c%3c]]%0a> $echo 'net.inet6.ip6.forwarding=1' >> /etc/sysctl.conf[[%3c%3c]]%0a> $echo 'net.inet.ipcomp.enable=1' >> /etc/sysctl.conf [[%3c%3c]] %0a> $echo 'net.inet.esp.enable=1' >> /etc/sysctl.conf[[%3c%3c]]%0a> $echo 'net.inet.ah.enable=1' >> /etc/sysctl.conf[[%3c%3c]]%0a> $sysctl net.inet.ip.forwarding=1[[%3c%3c]]%0a> $sysctl net.inet6.ip6.forwarding=1[[%3c%3c]]%0a> %0a> Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address and vpn.ircnow.org, with your domain):[[%3c%3c]]%0a> %0a> %0a> user 'username' 'password'[[%3c%3c]]%0a> ikev2 'vpn.ircnow.org' passive esp \[[%3c%3c]]%0a> from 0.0.0.0/0 to 0.0.0.0/0 \[[%3c%3c]]%0a> local 203.0.113.5 peer any \[[%3c%3c]]%0a> srcid vpn.ircnow.org \[[%3c%3c]]%0a> eap "mschap-v2" \[[%3c%3c]]%0a> config address 10.0.5.0/24 \[[%3c%3c]]%0a> config name-server 203.0.113.5 \[[%3c%3c]]%0a> tag "ROADW"[[%3c%3c]]%0a> %0a> %0a> To start iked,[[%3c%3c]]%0a> $ doas chmod 0600 /etc/iked.conf [[%3c%3c]]%0a> $ doas rcctl enable iked[[%3c%3c]]%0a> $ doas rcctl start iked[[%3c%3c]]%0a\ No newline at end of file%0a
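Review bot: in the IP forwarding hunk, `$echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf` and the four lines after it fail for an unprivileged user, because the `>>` redirection is opened by the user's shell rather than by a privileged command, and putting doas in front of `echo` would not change that; `doas sh -c 'echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf'` or `echo net.inet.ip.forwarding=1 | doas tee -a /etc/sysctl.conf` is needed. The two `$sysctl net.inet...=1` lines likewise need doas to take effect, and only the two forwarding settings are applied at runtime; the `ipcomp`, `esp` and `ah` entries are only written to the file, so the text should say they take effect after a reboot or a matching `sysctl` call.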
host:1620873434=200.121.220.221
author:1620872105=st13g
diff:1620872105:1620871815:=18,30c18,29%0a%3c Add this to /etc/pf.conf and make sure that $ext_if match your output interface. If you dont know what is your $ext_if, just issue the following command in your terminal @@$coconut ifconfig@@ and you'll see the interfaces, your $ext_if is the one who has an public IP address, for example it could be vio0.[[%3c%3c]][[%3c%3c]]%0a%3c add the following lines to the file%0a%3c @@/etc/pf.conf@@ %0a%3c %0a%3c @@pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED[[%3c%3c]]@@%0a%3c @@pass in inet proto esp tag IKED[[%3c%3c]]@@%0a%3c @@pass on enc0 inet tagged ROADW[[%3c%3c]]@@%0a%3c @@match out on $ext_if inet tagged ROADW nat-to $ext_if[[%3c%3c]]@@%0a%3c @@match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53[[%3c%3c]]@@%0a%3c %0a%3c Then in order to update the ruleset or apply the changes, we need to reload pf, we could do that with the following line:%0a%3c %0a%3c @@$ doas pfctl -f /etc/pf.conf [[%3c%3c]]@@%0a---%0a> Add this to /etc/pf.conf and make sure that $ext_if match your output interface. If you dont know what is your $ext_if, just issue the following command in your terminal @@$coconut ifconfig@@ and you'll see the interfaces, your $ext_if is the one who has an public IP address, for example it could be vio0.[[%3c%3c]]%0a> @@/etc/pf.conf@@ add this lines to the file%0a> @@%0a> pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED[[%3c%3c]]%0a> pass in inet proto esp tag IKED[[%3c%3c]]%0a> pass on enc0 inet tagged ROADW[[%3c%3c]]%0a> match out on $ext_if inet tagged ROADW nat-to $ext_if[[%3c%3c]]%0a> match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53[[%3c%3c]]%0a> @@%0a> To reload the new pf ruleset:%0a> %0a> $ doas pfctl -f /etc/pf.conf [[%3c%3c]]%0a
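Review bot: the pf hunk uses the `$ext_if` macro in `match out on $ext_if inet tagged ROADW nat-to $ext_if` but never shows it being defined, so `pfctl -f /etc/pf.conf` will reject the whole ruleset with a macro-not-defined error unless a line such as `ext_if = "vio0"` (with the interface found via ifconfig) precedes these rules; the instructions should include that definition, or use the `egress` interface group in place of the macro.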
host:1620872105=200.121.220.221
author:1620871815=st13g
diff:1620871815:1620871303:=15,20c15,20%0a%3c [+SETTING UP IKED - (SERVER-SIDE)+]%0a%3c %0a%3c First we need to add some rules to our pf filters in order to allow IKED, isakmp, ipsec packages pass.%0a%3c Add this to /etc/pf.conf and make sure that $ext_if match your output interface. If you dont know what is your $ext_if, just issue the following command in your terminal @@$coconut ifconfig@@ and you'll see the interfaces, your $ext_if is the one who has an public IP address, for example it could be vio0.[[%3c%3c]]%0a%3c @@/etc/pf.conf@@ add this lines to the file%0a%3c @@%0a---%0a> [+SETTING UP VPN SERVER IKED+]%0a> %0a> %0a> %0a> Add this to /etc/pf.conf and make sure that $ext_if match your output interface%0a> %0a26c26%0a%3c @@%0a---%0a> %0a
host:1620871815=200.121.220.221
author:1620871303=st13g
diff:1620871303:1620870974:=1,4c1,4%0a%3c [+IKED+]%0a%3c %0a%3c OpenIKED is a free implementation of IKEv2 protocol which enable us to create VPNs in openBSD. OpenIKED is developed as part of the OpenBSD Project in that way comes with the OS, there is no need to install it.%0a%3c %0a---%0a> IKED%0a> %0a> OpenIKED is a free implementation of IKEv2 protocol which enable us to create a VPNs in openBSD. OpenIKED is developed as part of the OpenBSD Project in that way comes with the OS, there is no need to install it.%0a> %0a7,16c7,14%0a%3c * Lean%0a%3c * Clean%0a%3c * Secure%0a%3c * Interoperable%0a%3c * Configurable%0a%3c %0a%3c Now, we'll set up the VPN, both on the server-side and on the client-side%0a%3c %0a%3c [+SETTING UP VPN SERVER IKED+]%0a%3c %0a---%0a> # Lean%0a> # Clean%0a> # Secure%0a> # Interoperable%0a> # Configurable%0a> %0a> %0a> SETTING UP VPN SERVER IKED%0a
host:1620871303=200.121.220.221
author:1620870974=st13g
diff:1620870974:1618777673:=1,13d0%0a%3c IKED%0a%3c %0a%3c OpenIKED is a free implementation of IKEv2 protocol which enable us to create a VPNs in openBSD. OpenIKED is developed as part of the OpenBSD Project in that way comes with the OS, there is no need to install it.%0a%3c %0a%3c OpenIKED focuses mainly:%0a%3c %0a%3c # Lean%0a%3c # Clean%0a%3c # Secure%0a%3c # Interoperable%0a%3c # Configurable%0a%3c %0a%3c %0a
host:1620870974=200.121.220.221
author:1618777673=st13g
diff:1618777673:1618777639:=
host:1618777673=190.42.16.42
author:1618777639=st13g
diff:1618777639:1618777559:=6,11c6,11%0a%3c pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED[[%3c%3c]]%0a%3c pass in inet proto esp tag IKED[[%3c%3c]]%0a%3c pass on enc0 inet tagged ROADW[[%3c%3c]]%0a%3c match out on $ext_if inet tagged ROADW nat-to $ext_if[[%3c%3c]]%0a%3c match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53[[%3c%3c]]%0a%3c %0a---%0a> pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED%0a> pass in inet proto esp tag IKED%0a> pass on enc0 inet tagged ROADW%0a> match out on $ext_if inet tagged ROADW nat-to $ext_if%0a> match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53%0a> %0a14,15c14,15%0a%3c $ doas pfctl -f /etc/pf.conf [[%3c%3c]]%0a%3c %0a---%0a> $ doas pfctl -f /etc/pf.conf %0a> %0a19,31c19,31%0a%3c $doas ikectl ca vpn create[[%3c%3c]]%0a%3c $doas ikectl ca vpn install[[%3c%3c]]%0a%3c certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt[[%3c%3c]]%0a%3c CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl[[%3c%3c]]%0a%3c $doas ikectl ca vpn certificate server1.domain create[[%3c%3c]]%0a%3c $doas ikectl ca vpn certificate server1.domain install[[%3c%3c]]%0a%3c writing RSA key[[%3c%3c]]%0a%3c %0a%3c the file we need to export will be /etc/iked/ca/ca.crt[[%3c%3c]]%0a%3c %0a%3c %0a%3c Make sure to enable IP forwarding[[%3c%3c]]%0a%3c %0a---%0a> # ikectl ca vpn create%0a> # ikectl ca vpn install%0a> certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt%0a> CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl%0a> # ikectl ca vpn certificate server1.domain create%0a> # ikectl ca vpn certificate server1.domain install%0a> writing RSA key%0a> %0a> the file we need to export will be /etc/iked/ca/ca.crt%0a> %0a> %0a> Make sure to enable IP forwarding%0a> %0a40,42c40,42%0a%3c Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address and vpn.ircnow.org, with your domain):[[%3c%3c]]%0a%3c %0a%3c %0a---%0a> Add this to /etc/iked.conf (replace 
203.0.113.5 with your server's public IP address and vpn.ircnow.org, with your domain):%0a> %0a> %0a54,57c54,57%0a%3c To start iked,[[%3c%3c]]%0a%3c $ doas chmod 0600 /etc/iked.conf [[%3c%3c]]%0a%3c $ doas rcctl enable iked[[%3c%3c]]%0a%3c $ doas rcctl start iked[[%3c%3c]]%0a\ No newline at end of file%0a---%0a> To start iked,%0a> $ doas chmod 0600 /etc/iked.conf %0a> $ doas rcctl enable iked%0a> $ doas rcctl start iked%0a\ No newline at end of file%0a
host:1618777639=190.42.16.42
author:1618777559=st13g
diff:1618777559:1618777242:=26,29c26,29%0a%3c %0a%3c the file we need to export will be /etc/iked/ca/ca.crt%0a%3c %0a%3c %0a---%0a> # cp /etc/iked/ca/ca.crt /var/www/htdocs/%0a> %0a> %0a> %0a32,39c32,39%0a%3c $echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf[[%3c%3c]]%0a%3c $echo 'net.inet6.ip6.forwarding=1' >> /etc/sysctl.conf[[%3c%3c]]%0a%3c $echo 'net.inet.ipcomp.enable=1' >> /etc/sysctl.conf [[%3c%3c]] %0a%3c $echo 'net.inet.esp.enable=1' >> /etc/sysctl.conf[[%3c%3c]]%0a%3c $echo 'net.inet.ah.enable=1' >> /etc/sysctl.conf[[%3c%3c]]%0a%3c $sysctl net.inet.ip.forwarding=1[[%3c%3c]]%0a%3c $sysctl net.inet6.ip6.forwarding=1[[%3c%3c]]%0a%3c %0a---%0a> $echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf%0a> $echo 'net.inet6.ip6.forwarding=1' >> /etc/sysctl.conf%0a> $echo 'net.inet.ipcomp.enable=1' >> /etc/sysctl.conf %0a> $echo 'net.inet.esp.enable=1' >> /etc/sysctl.conf%0a> $echo 'net.inet.ah.enable=1' >> /etc/sysctl.conf%0a> $sysctl net.inet.ip.forwarding=1%0a> $sysctl net.inet6.ip6.forwarding=1%0a> %0a43,51c43,51%0a%3c user 'username' 'password'[[%3c%3c]]%0a%3c ikev2 'vpn.ircnow.org' passive esp \[[%3c%3c]]%0a%3c from 0.0.0.0/0 to 0.0.0.0/0 \[[%3c%3c]]%0a%3c local 203.0.113.5 peer any \[[%3c%3c]]%0a%3c srcid vpn.ircnow.org \[[%3c%3c]]%0a%3c eap "mschap-v2" \[[%3c%3c]]%0a%3c config address 10.0.5.0/24 \[[%3c%3c]]%0a%3c config name-server 203.0.113.5 \[[%3c%3c]]%0a%3c tag "ROADW"[[%3c%3c]]%0a---%0a> user 'username' 'password'%0a> ikev2 'vpn.ircnow.org' passive esp \%0a> from 0.0.0.0/0 to 0.0.0.0/0 \%0a> local 203.0.113.5 peer any \%0a> srcid vpn.ircnow.org \%0a> eap "mschap-v2" \%0a> config address 10.0.5.0/24 \%0a> config name-server 203.0.113.5 \%0a> tag "ROADW"%0a
host:1618777559=190.42.16.42
author:1618777242=st13g
diff:1618777242:1618777176:=32,39c32,39%0a%3c $echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf%0a%3c $echo 'net.inet6.ip6.forwarding=1' >> /etc/sysctl.conf%0a%3c $echo 'net.inet.ipcomp.enable=1' >> /etc/sysctl.conf %0a%3c $echo 'net.inet.esp.enable=1' >> /etc/sysctl.conf%0a%3c $echo 'net.inet.ah.enable=1' >> /etc/sysctl.conf%0a%3c $sysctl net.inet.ip.forwarding=1%0a%3c $sysctl net.inet6.ip6.forwarding=1%0a%3c %0a---%0a> echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf%0a> echo 'net.inet6.ip6.forwarding=1' >> /etc/sysctl.conf%0a> echo 'net.inet.ipcomp.enable=1' >> /etc/sysctl.conf %0a> echo 'net.inet.esp.enable=1' >> /etc/sysctl.conf%0a> echo 'net.inet.ah.enable=1' >> /etc/sysctl.conf%0a> sysctl net.inet.ip.forwarding=1%0a> sysctl net.inet6.ip6.forwarding=1%0a> %0a42d41%0a%3c %0a52d50%0a%3c %0a
host:1618777242=190.42.16.42
author:1618777176=st13g
diff:1618777176:1618776709:=3,5c3,16%0a%3c %0a%3c Add this to /etc/pf.conf and make sure that $ext_if match your output interface%0a%3c %0a---%0a> Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address):%0a> %0a> user 'username' 'password'%0a> ikev2 'vpn.ircnow.org' passive esp \%0a> from 0.0.0.0/0 to 0.0.0.0/0 \%0a> local 203.0.113.5 peer any \%0a> srcid vpn.ircnow.org \%0a> eap "mschap-v2" \%0a> config address 10.0.5.0/24 \%0a> config name-server 203.0.113.5 \%0a> tag "ROADW"%0a> %0a> Add this to /etc/pf.conf:%0a> %0a28,51c39,46%0a%3c %0a%3c %0a%3c Make sure to enable IP forwarding%0a%3c %0a%3c echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf%0a%3c echo 'net.inet6.ip6.forwarding=1' >> /etc/sysctl.conf%0a%3c echo 'net.inet.ipcomp.enable=1' >> /etc/sysctl.conf %0a%3c echo 'net.inet.esp.enable=1' >> /etc/sysctl.conf%0a%3c echo 'net.inet.ah.enable=1' >> /etc/sysctl.conf%0a%3c sysctl net.inet.ip.forwarding=1%0a%3c sysctl net.inet6.ip6.forwarding=1%0a%3c %0a%3c Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address and vpn.ircnow.org, with your domain):%0a%3c %0a%3c user 'username' 'password'%0a%3c ikev2 'vpn.ircnow.org' passive esp \%0a%3c from 0.0.0.0/0 to 0.0.0.0/0 \%0a%3c local 203.0.113.5 peer any \%0a%3c srcid vpn.ircnow.org \%0a%3c eap "mschap-v2" \%0a%3c config address 10.0.5.0/24 \%0a%3c config name-server 203.0.113.5 \%0a%3c tag "ROADW"%0a%3c %0a---%0a> Does this need to be added to /etc/sysctl.conf:%0a> %0a> %0a> net.inet.ip.forwarding=1%0a> net.inet.ipcomp.enable=1%0a> net.inet.esp.enable=1%0a> net.inet.ah.enable=1%0a> %0a53c48%0a%3c $ doas chmod 0600 /etc/iked.conf %0a---%0a> %0a54a50%0a> $ doas rcctl set iked flags -6%0a
host:1618777176=190.42.16.42
author:1618776709=st13g
diff:1618776709:1615258936:=1,51c1,25%0a%3c SETTING UP VPN SERVER IKED%0a%3c %0a%3c Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address):%0a%3c %0a%3c user 'username' 'password'%0a%3c ikev2 'vpn.ircnow.org' passive esp \%0a%3c from 0.0.0.0/0 to 0.0.0.0/0 \%0a%3c local 203.0.113.5 peer any \%0a%3c srcid vpn.ircnow.org \%0a%3c eap "mschap-v2" \%0a%3c config address 10.0.5.0/24 \%0a%3c config name-server 203.0.113.5 \%0a%3c tag "ROADW"%0a%3c %0a%3c Add this to /etc/pf.conf:%0a%3c %0a%3c pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED%0a%3c pass in inet proto esp tag IKED%0a%3c pass on enc0 inet tagged ROADW%0a%3c match out on $ext_if inet tagged ROADW nat-to $ext_if%0a%3c match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53%0a%3c %0a%3c To reload the new pf ruleset:%0a%3c %0a%3c $ doas pfctl -f /etc/pf.conf %0a%3c %0a%3c At this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. 
From the command line, run:%0a%3c %0a%3c %0a%3c # ikectl ca vpn create%0a%3c # ikectl ca vpn install%0a%3c certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt%0a%3c CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl%0a%3c # ikectl ca vpn certificate server1.domain create%0a%3c # ikectl ca vpn certificate server1.domain install%0a%3c writing RSA key%0a%3c # cp /etc/iked/ca/ca.crt /var/www/htdocs/%0a%3c %0a%3c Does this need to be added to /etc/sysctl.conf:%0a%3c %0a%3c %0a%3c net.inet.ip.forwarding=1%0a%3c net.inet.ipcomp.enable=1%0a%3c net.inet.esp.enable=1%0a%3c net.inet.ah.enable=1%0a%3c %0a%3c To start iked,%0a%3c %0a%3c $ doas rcctl enable iked%0a%3c $ doas rcctl set iked flags -6%0a%3c $ doas rcctl start iked%0a\ No newline at end of file%0a---%0a> WINDOWS IKED CLIENT CONFIGURATION%0a> %0a> Lauch your Windows Management Console%0a> %0a> Then, in "File" Menu, select "Add or Remove Snap-in", and selesct "Certificates"%0a> %0a> Click "Add"%0a> %0a> Select "Computer Account", next, then select "Local Computer" options, finally click "Finish"%0a> %0a> In the Windows Management Console, under Console Root tree, select Certificates and expand Trusted Root Certification Authorities, and select Certificates%0a> %0a> Now in Action Menu, in the console, select "All Tasks" and click "import", you need to browse, and select your certificate,then click "Next"%0a> %0a> In the dialog box, ensure that Trusted Root Certification Authorities is selected, then "Next" and "Finish"%0a> %0a> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>%0a> %0a> Now open your control panel, select Network and Sharing Center%0a> %0a> click on "Set up a new connection or network" , click on "Connect to a Workplace", then "Use my Internet connection (VPN)"%0a> %0a> in the dialog box, fill the domain name of your VPN, or the ip , in the field "Destination Name" put some description, then click "done"%0a> %0a> Finally in your task bar, inthe icon of your 
connections, click on it,it should appear the name of your VPN, select it, and click on "connect" , after some seconds, a dialog box should appear, enter your username and password, and now you are finally connected to your VPN.%0a\ No newline at end of file%0a
host:1618776709=190.42.16.42
author:1615258936=st13g
diff:1615258936:1615256737:=3,25c3%0a%3c Lauch your Windows Management Console%0a%3c %0a%3c Then, in "File" Menu, select "Add or Remove Snap-in", and selesct "Certificates"%0a%3c %0a%3c Click "Add"%0a%3c %0a%3c Select "Computer Account", next, then select "Local Computer" options, finally click "Finish"%0a%3c %0a%3c In the Windows Management Console, under Console Root tree, select Certificates and expand Trusted Root Certification Authorities, and select Certificates%0a%3c %0a%3c Now in Action Menu, in the console, select "All Tasks" and click "import", you need to browse, and select your certificate,then click "Next"%0a%3c %0a%3c In the dialog box, ensure that Trusted Root Certification Authorities is selected, then "Next" and "Finish"%0a%3c %0a%3c >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>%0a%3c %0a%3c Now open your control panel, select Network and Sharing Center%0a%3c %0a%3c click on "Set up a new connection or network" , click on "Connect to a Workplace", then "Use my Internet connection (VPN)"%0a%3c %0a%3c in the dialog box, fill the domain name of your VPN, or the ip , in the field "Destination Name" put some description, then click "done"%0a%3c %0a%3c Finally in your task bar, inthe icon of your connections, click on it,it should appear the name of your VPN, select it, and click on "connect" , after some seconds, a dialog box should appear, enter your username and password, and now you are finally connected to your VPN.%0a\ No newline at end of file%0a---%0a> Lauch your Windows Management Console%0a\ No newline at end of file%0a
host:1615258936=190.42.16.35
author:1615256737=st13g
diff:1615256737:1615256737:=1,3d0%0a%3c WINDOWS IKED CLIENT CONFIGURATION%0a%3c %0a%3c Lauch your Windows Management Console%0a\ No newline at end of file%0a
host:1615256737=190.42.16.35
IRCNow