Blame
Date:
Mon Jan 23 05:00:25 2023 UTC
Message:
Daily backup
01
2023-01-22
jrmu
version=pmwiki-2.2.130 ordered=1 urlencoded=1
02
2023-01-22
jrmu
agent=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
03
2023-01-22
jrmu
author=gloNO
04
2023-01-22
jrmu
charset=UTF-8
05
2023-01-22
jrmu
csum=
06
2023-01-22
jrmu
ctime=1635924188
07
2023-01-22
jrmu
host=176.103.75.121
08
2023-01-22
jrmu
name=Vpn.OpenIKED
09
2023-01-22
jrmu
rev=13
10
2023-01-22
jrmu
targets=
11
2023-01-22
jrmu
text=!! Server configuration%0a%0a[[#iked.conf]]%0a!!! iked.conf%0a%0aAdd this to /etc/iked.conf (replace '''vpn_user_name''' and '''vpn_user_password''' with the username and password you will use to connect, and replace '''203.0.113.5''' with your server's public IP address and '''vpn.ircnow.org''' with vpn.your.domain, i.e.: vpn.user.host.ircnow.org):%0a%0a[@%0adoas vi /etc/iked.conf%0a@]%0a----%0a%0a%0a[@%0avpn_user_name = "vpn-user" %0avpn_user_password = "vpn-password"%0a%0aremote_gw = "203.0.113.5" %0avpn_id = "vpn.ircnow.org" %0aclient_pool = "10.0.5.0/24" %0aclient_dns = "203.0.113.5" %0a%0auser $vpn_user_name $vpn_user_password%0aikev2 'user_vpn' passive esp \%0a from any to dynamic \%0a local $remote_gw peer any \%0a srcid $vpn_id \%0a eap "mschap-v2" \%0a config address $client_pool \%0a config name-server $client_dns \%0a tag "ROADW"%0a@]%0a%0aThe value for the vpn_id macro parameter MUST be different from your IRCnow hostname. For example, if your IRCNow hostname is "user.host.ircnow.org", you should pick something like "vpn.user.host.ircnow.org". Whatever you pick should be a valid hostname that resolves to an IP address. The 'from' rule allows any user to connect. The name-server provides the name-server that vpn clients will use. So in this example, you must have a valid caching name server running on IP 203.0.113.5. Note that these packets will get tagged as ROADW.%0a%0a!!! pf.conf%0a%0aiked depends upon packet filter being enabled. First, you must make sure to enable packet filter if it is off:%0a%0a[@%0adoas pfctl -e%0a@]%0a%0aAdd this to /etc/pf.conf:%0a%0a%0a[@%0adoas vi /etc/pf.conf%0a@]%0a----%0a%0a%0a[@%0apass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED%0apass in inet proto esp tag IKED%0apass on enc0 inet tagged ROADW%0amatch out on $ext_if inet tagged ROADW nat-to ext_if%0amatch in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53%0a@]%0a%0awhere '''ext_if''' is your external interface.%0a%0aTo find your external interface, type:%0a[@%0aifconfig%0a@]%0a%0aThe external interface is the one with the public IP address. If OpenBSD is run on a virtual machine, the external interface is probably vio0.%0a%0aTo reload the new pf ruleset:%0a[@%0adoas pfctl -f /etc/pf.conf %0a@]%0a%0a%0a!!! Certificates%0a%0aAt this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. From the command line, run:%0a%0a[@%0a# ikectl ca vpn create%0a# ikectl ca vpn install%0a@]%0a%0a''certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt''\\%0a''CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl''%0a%0a[@%0a# ikectl ca vpn certificate vpn.user.host.ircnow.org create%0a# ikectl ca vpn certificate vpn.user.host.ircnow.org install%0a@]%0a%0a''writing RSA key''%0a%0aReplace '''vpn.user.host.ircnow.org''' with the hostname you picked for the value of '''vpn_id''' in [[#iked.conf | iked.conf]].%0a%0a!! Client configuration%0a
12
2023-01-22
jrmu
time=1636299929
13
2023-01-22
jrmu
author:1636299929=gloNO
14
2023-01-22
jrmu
diff:1636299929:1636299820:=84,85c84,85%0a%3c %0a%3c ''certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt''\\%0a---%0a> ''certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt''%0a> %0a92d91%0a%3c %0a
15
2023-01-22
jrmu
host:1636299929=176.103.75.121
16
2023-01-22
jrmu
author:1636299820=gloNO
17
2023-01-22
jrmu
diff:1636299820:1636299642:=3c3%0a%3c [[#iked.conf]]%0a---%0a> %0a94c94%0a%3c Replace '''vpn.user.host.ircnow.org''' with the hostname you picked for the value of '''vpn_id''' in [[#iked.conf | iked.conf]].%0a---%0a> Replace '''vpn.user.host.ircnow.org''' with the hostname you picked for the value of '''vpn_id''' in iked.conf.%0a
18
2023-01-22
jrmu
host:1636299820=176.103.75.121
19
2023-01-22
jrmu
author:1636299642=gloNO
20
2023-01-22
jrmu
diff:1636299642:1636299312:=65c65%0a%3c ifconfig%0a---%0a> $ ifconfig%0a74,94d73%0a%3c %0a%3c %0a%3c !!! Certificates%0a%3c %0a%3c At this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. From the command line, run:%0a%3c %0a%3c [@%0a%3c # ikectl ca vpn create%0a%3c # ikectl ca vpn install%0a%3c @]%0a%3c ''certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt''%0a%3c %0a%3c ''CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl''%0a%3c %0a%3c [@%0a%3c # ikectl ca vpn certificate vpn.user.host.ircnow.org create%0a%3c # ikectl ca vpn certificate vpn.user.host.ircnow.org install%0a%3c @]%0a%3c ''writing RSA key''%0a%3c %0a%3c Replace '''vpn.user.host.ircnow.org''' with the hostname you picked for the value of '''vpn_id''' in iked.conf.%0a
21
2023-01-22
jrmu
host:1636299642=176.103.75.121
22
2023-01-22
jrmu
author:1636299312=gloNO
23
2023-01-22
jrmu
diff:1636299312:1636299282:=70a71%0a> %0a
24
2023-01-22
jrmu
host:1636299312=176.103.75.121
25
2023-01-22
jrmu
author:1636299282=gloNO
26
2023-01-22
jrmu
diff:1636299282:1636299216:=64c64%0a%3c [@%0a---%0a> %0a66,67d65%0a%3c @]%0a%3c %0a72,75c70%0a%3c [@%0a%3c doas pfctl -f /etc/pf.conf %0a%3c @]%0a%3c %0a---%0a> $ doas pfctl -f /etc/pf.conf %0a
27
2023-01-22
jrmu
host:1636299282=176.103.75.121
28
2023-01-22
jrmu
author:1636299216=gloNO
29
2023-01-22
jrmu
diff:1636299216:1636283832:=10a11%0a> %0a44,46d44%0a%3c Add this to /etc/pf.conf:%0a%3c %0a%3c %0a49a48%0a> %0a53,70d51%0a%3c [@%0a%3c pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED%0a%3c pass in inet proto esp tag IKED%0a%3c pass on enc0 inet tagged ROADW%0a%3c match out on $ext_if inet tagged ROADW nat-to ext_if%0a%3c match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53%0a%3c @]%0a%3c %0a%3c where '''ext_if''' is your external interface.%0a%3c %0a%3c To find your external interface, type:%0a%3c %0a%3c $ ifconfig%0a%3c The external interface is the one with the public IP address. If OpenBSD is run on a virtual machine, the external interface is probably vio0.%0a%3c %0a%3c To reload the new pf ruleset:%0a%3c %0a%3c $ doas pfctl -f /etc/pf.conf %0a
30
2023-01-22
jrmu
host:1636299216=176.103.75.121
31
2023-01-22
jrmu
author:1636283832=gloNO
32
2023-01-22
jrmu
diff:1636283832:1635959010:=9,15d8%0a%3c doas vi /etc/iked.conf%0a%3c @]%0a%3c %0a%3c ----%0a%3c %0a%3c %0a%3c [@%0a36,50d28%0a%3c %0a%3c !!! pf.conf%0a%3c %0a%3c iked depends upon packet filter being enabled. First, you must make sure to enable packet filter if it is off:%0a%3c %0a%3c [@%0a%3c doas pfctl -e%0a%3c @]%0a%3c %0a%3c [@%0a%3c doas vi /etc/pf.conf%0a%3c @]%0a%3c %0a%3c ----%0a%3c %0a
33
2023-01-22
jrmu
host:1636283832=176.103.75.121
34
2023-01-22
jrmu
author:1635959010=gloNO
35
2023-01-22
jrmu
diff:1635959010:1635958871:=
36
2023-01-22
jrmu
host:1635959010=31.0.25.119
37
2023-01-22
jrmu
author:1635958871=gloNO
38
2023-01-22
jrmu
diff:1635958871:1635958412:=6,7c6,7%0a%3c Add this to /etc/iked.conf (replace '''vpn_user_name''' and '''vpn_user_password''' with the username and password you will use to connect, and replace '''203.0.113.5''' with your server's public IP address and '''vpn.ircnow.org''' with vpn.your.domain, i.e.: vpn.user.host.ircnow.org):%0a%3c %0a---%0a> Add this to /etc/iked.conf (replace '''vpn_user_name''' and '''vpn_user_password''' with the username and password you will use to connect, and replace 203.0.113.5 with your server's public IP address and vpn.ircnow.org with vpn.your.domain, i.e.: vpn.user.host.ircnow.org):%0a> %0a9,11d8%0a%3c vpn_user_name = "vpn-user" %0a%3c vpn_user_password = "vpn-password"%0a%3c %0a16c13,15%0a%3c %0a---%0a> vpn_user_name = "vpn-user" %0a> vpn_user_password = "vpn-password"%0a> %0a27,28d25%0a%3c %0a%3c The value for the vpn_id macro parameter MUST be different from your IRCnow hostname. For example, if your IRCNow hostname is "user.host.ircnow.org", you should pick something like "vpn.user.host.ircnow.org". Whatever you pick should be a valid hostname that resolves to an IP address. The 'from' rule allows any user to connect. The name-server provides the name-server that vpn clients will use. So in this example, you must have a valid caching name server running on IP 203.0.113.5. Note that these packets will get tagged as ROADW.%0a
39
2023-01-22
jrmu
host:1635958871=31.0.25.119
40
2023-01-22
jrmu
author:1635958412=gloNO
41
2023-01-22
jrmu
diff:1635958412:1635957754:=6,7c6,7%0a%3c Add this to /etc/iked.conf (replace '''vpn_user_name''' and '''vpn_user_password''' with the username and password you will use to connect, and replace 203.0.113.5 with your server's public IP address and vpn.ircnow.org with vpn.your.domain, i.e.: vpn.user.host.ircnow.org):%0a%3c %0a---%0a> Add this to /etc/iked.conf (replace USERNAME_HERE and PASSWORD_HERE with the username and password you will use to connect, and replace 203.0.113.5 with your server's public IP address and vpn.ircnow.org with vpn.your.domain, i.e.: vpn.user.host.ircnow.org):%0a> %0a13,16c13,16%0a%3c vpn_user_name = "vpn-user" %0a%3c vpn_user_password = "vpn-password"%0a%3c %0a%3c user $vpn_user_name $vpn_user_password%0a---%0a> vpn_user_name_1 = "vpn-user" %0a> vpn_user_password_1 = "vpn-password"%0a> %0a> user $vpn_user_name_1 $vpn_user_password_1%0a
42
2023-01-22
jrmu
host:1635958412=31.0.25.119
43
2023-01-22
jrmu
author:1635957754=gloNO
44
2023-01-22
jrmu
diff:1635957754:1635957480:=8,16c8,15%0a%3c [@%0a%3c remote_gw = "203.0.113.5" %0a%3c vpn_id = "vpn.ircnow.org" %0a%3c client_pool = "10.0.5.0/24" %0a%3c client_dns = "203.0.113.5" %0a%3c vpn_user_name_1 = "vpn-user" %0a%3c vpn_user_password_1 = "vpn-password"%0a%3c %0a%3c user $vpn_user_name_1 $vpn_user_password_1%0a---%0a> remote_gw = "203.0.113.5"%0a> vpn_id = "vpn.ircnow.org"%0a> client_pool = "10.0.5.0/24"%0a> client_dns = "203.0.113.5"%0a> user_name_1 = "vpn-user"%0a> user_password_1 "vpn-password"%0a> %0a> user $user_name_1 $user_password_1%0a25c24%0a%3c @]%0a---%0a> %0a
45
2023-01-22
jrmu
host:1635957754=31.0.25.119
46
2023-01-22
jrmu
author:1635957480=gloNO
47
2023-01-22
jrmu
diff:1635957480:1635924188:=0a1%0a> %0a2,24d2%0a%3c %0a%3c %0a%3c !!! iked.conf%0a%3c %0a%3c Add this to /etc/iked.conf (replace USERNAME_HERE and PASSWORD_HERE with the username and password you will use to connect, and replace 203.0.113.5 with your server's public IP address and vpn.ircnow.org with vpn.your.domain, i.e.: vpn.user.host.ircnow.org):%0a%3c %0a%3c remote_gw = "203.0.113.5"%0a%3c vpn_id = "vpn.ircnow.org"%0a%3c client_pool = "10.0.5.0/24"%0a%3c client_dns = "203.0.113.5"%0a%3c user_name_1 = "vpn-user"%0a%3c user_password_1 "vpn-password"%0a%3c %0a%3c user $user_name_1 $user_password_1%0a%3c ikev2 'user_vpn' passive esp \%0a%3c from any to dynamic \%0a%3c local $remote_gw peer any \%0a%3c srcid $vpn_id \%0a%3c eap "mschap-v2" \%0a%3c config address $client_pool \%0a%3c config name-server $client_dns \%0a%3c tag "ROADW"%0a%3c %0a
48
2023-01-22
jrmu
host:1635957480=31.0.25.119
49
2023-01-22
jrmu
author:1635924188=gloNO
50
2023-01-22
jrmu
diff:1635924188:1635924188:=1,4d0%0a%3c %0a%3c !! Server configuration%0a%3c %0a%3c !! Client configuration%0a
51
2023-01-22
jrmu
host:1635924188=80.51.171.233
IRCNow