name=Iked.Newconfig author=tool ctime=1635090504 time=1635090581

(:title Configuring OpenIKED:)

OpenIKED is OpenBSD's native VPN solution. It is included with the base system,
so no installation is necessary. It allows us to use IPsec to provide
users with a VPN for security, privacy, and freedom of information.

Pros:

* Clean
* Secure
* Interoperable
* Simple to Configure

This configuration is for a road warrior setup, where a user wants to connect their device to a network (rather than connecting two networks).

!! Configure iked.conf

Add this to /etc/iked.conf (replace USERNAME_HERE and PASSWORD_HERE with the username and password you will use to connect, replace 203.0.113.5 with your server's public IP address, and replace vpn.ircnow.org with vpn.your.domain, e.g. vpn.user.host.ircnow.org):

[@
remote_gw = "203.0.113.5"
vpn_id = "vpn.ircnow.org"
client_pool = "10.0.5.0/24"
client_dns = "203.0.113.5"

user "USERNAME_HERE" "PASSWORD_HERE"
ikev2 'user_vpn' passive esp \
 from any to dynamic \
 local $remote_gw peer any \
 srcid $vpn_id \
 eap "mschap-v2" \
 config address $client_pool \
 config name-server $client_dns \
 tag "ROADW"
@]

The value for the vpn_id macro MUST be different from your IRCNow hostname. For example, if your IRCNow hostname is "user.host.ircnow.org", you should pick something like "vpn.user.host.ircnow.org". Whatever you pick should be a valid hostname that resolves to an IP address. The 'from any' flow, together with 'peer any', lets a client connect from any address; clients are authenticated by the username and password on the user line, via EAP MSCHAPv2. The 'config name-server' line sets the name server that VPN clients will use, so in this example you must have a valid caching name server running on IP 203.0.113.5. Note that packets from these clients will be tagged ROADW, which the pf rules below match on.

iked depends on packet filter (pf) being enabled. First, enable pf if it is off:

[@
$ doas pfctl -e
@]

Add this to /etc/pf.conf:

[@
pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED
pass in inet proto esp tag IKED
pass on enc0 inet tagged ROADW
match out on $ext_if inet tagged ROADW nat-to $ext_if
match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53
@]

where ext_if is a pf macro for [[IP/Myaddress|your external interface]]; define it above these rules, for example ext_if = "vio0". The two pass in rules admit IKE (UDP ports 500 and 4500, named isakmp and ipsec-nat-t in /etc/services) and ESP; the enc0 rule passes the decrypted client traffic; the nat-to rule gives clients Internet access from the server's address; and the rdr-to rule sends every DNS query from a VPN client to the local resolver set up below.

To find your external interface, type:

[@
$ ifconfig
@]

The external interface is the one with the public IP address. If OpenBSD is run on a virtual machine, the external interface is probably vio0.

To reload the new pf ruleset:

[@
$ doas pfctl -f /etc/pf.conf
@]

At this point, we need to create a PKI and X.509 certificates that the VPN client can use to verify the server. From the command line, run:

[@
# ikectl ca vpn create
# ikectl ca vpn install
certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt
CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl
# ikectl ca vpn certificate vpn.user.host.ircnow.org create
# ikectl ca vpn certificate vpn.user.host.ircnow.org install
writing RSA key
@]

Replace @@vpn.user.host.ircnow.org@@ with the hostname you picked for the value of vpn_id in iked.conf.

Users of the VPN will need to download @@/etc/iked/ca/ca.crt@@ to their device and import it as a trusted CA, so that their client can verify the server certificate before it sends the EAP username and password. The easiest way is to use [[openhttpd/configure|openhttpd]] and serve the file over the web.

[@
# cp /etc/iked/ca/ca.crt /var/www/htdocs/vpn.user.host.ircnow.org/
# chown www:daemon /var/www/htdocs/vpn.user.host.ircnow.org/ca.crt
@]

If the web server is configured correctly, users can then download the file at @@https://vpn.user.host.ircnow.org/ca.crt@@.

We will use unbound as the caching DNS resolver.
Our servers have static IP addresses so we do not use DHCP (if DHCP is used, you must ignore the provided name servers):

/etc/resolv.conf:

[@
nameserver 127.0.0.1
lookup file bind
@]

/etc/resolv.conf.tail:

[@
lookup file bind
@]

/var/unbound/etc/unbound.conf:

[@
outgoing-interface: 203.0.113.5
access-control: 10.0.0.0/8 allow
...

local-zone: "www.domain.com" static

...

forward-zone:
forward-addr: 185.121.177.177
forward-addr: 169.239.202.202

...
@]

The access-control line is what allows VPN clients in the 10.0.5.0/24 pool to query the resolver. The local-zone lines are only needed if you want to filter/censor domains. You can obtain a list of domains to block using [[https://github.com/StevenBlack/hosts|StevenBlack's hosts]] files. I used the [[https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts|unified hosts + porn + gambling]] filter to block unwanted content.

[@
$ ftp https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts
@]

We need to reformat this hosts file into unbound local-zone lines:

[@
$ awk '!/^ *#/ && NF' hosts > newhosts    # hosts is StevenBlack's list; drop comment and blank lines
$ sed 's/^0\.0\.0\.0 *\([^# ]*\).*$/local-zone: "\1" static/' newhosts > newhosts2
@]

The capture group stops at the first space or '#', so a trailing comment is not copied into the zone name. Lines that do not start with 0.0.0.0 (such as the 127.0.0.1 localhost entries at the top of the file) pass through sed unchanged, so manually check newhosts2 for malformed entries and remove them, then put the remaining lines into the server: section of /var/unbound/etc/unbound.conf.

Add this to /etc/sysctl.conf:

[@
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet.ipcomp.enable=1
net.inet.esp.enable=1
net.inet.ah.enable=1
@]

Run this once:

[@
$ doas sysctl net.inet.ip.forwarding=1
$ doas sysctl net.inet6.ip6.forwarding=1
$ doas sysctl net.inet.ipcomp.enable=1
$ doas sysctl net.inet.esp.enable=1
$ doas sysctl net.inet.ah.enable=1
@]

IP forwarding allows the server to forward the user's packets to their final destination.

Tighten file permissions (iked.conf contains the VPN password), then start iked:

[@
$ doas chmod 0600 /etc/iked.conf
$ doas rcctl enable iked
$ doas rcctl start iked
@]

Note: You may consider using blacklists from here:
https://dsi.ut-capitole.fr/blacklists/index_en.php
https://github.com/4skinSkywalker/anti-porn-hosts-file/blob/master/HOSTS.txt
https://mirror1.malwaredomains.com/files/justdomains
https://blocklist.site/app/dl/piracy
https://blocklist.site/app/dl/torrent
https://github.com/mmotti/pihole-regex/blob/master/regex.list
https://blocklist.site/app/dl/porn

Banned networks:

irc.p2p-network.net
irc.gazellegames.net
irc.nzbs.in

!! Troubleshooting

Running iked in debug mode can provide valuable info about errors in configuration.

First, turn off iked if it is running:

[@
$ doas rcctl stop iked
@]

Check to make sure no iked processes are running:

[@
$ ps ax | grep iked
@]

Then, run iked in debug mode:

[@
$ doas iked -dv
@]

-d keeps iked in the foreground (it does not daemonize), and -v makes it log verbosely.
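The hosts-file conversion from the unbound section, as an added example that is not part of the original page: it generalizes the awk/sed pipeline by validating each name, so the "check for malformed entries" step is done by the script rather than by hand. It assumes only POSIX sh and awk (both in OpenBSD base); the sample hosts input is constructed, not the real StevenBlack file.

```shell
# Added example, not from the original page: turn a StevenBlack-style hosts
# file into unbound local-zone lines, automating the "check for malformed
# entries" step of the sed pipeline above. Assumes POSIX sh and awk (as in
# OpenBSD base); the sample input below is constructed, not the real file.

# hosts_to_local_zones: read a hosts file on stdin, write one
# 'local-zone: "name" static' per valid sinkholed name on stdout,
# and report every line it refused on stderr.
hosts_to_local_zones() {
    awk '
    # Blank lines and full-line comments carry no entry.
    /^[ \t]*#/ || NF == 0 { next }
    {
        sub(/\r$/, "")                 # tolerate CRLF line endings
        sub(/[ \t]*#.*$/, "")          # drop a trailing "# comment"
        # Accept only sinkhole entries with exactly one name per line.
        if (NF != 2 || ($1 != "0.0.0.0" && $1 != "127.0.0.1")) { skip($0); next }
        name = tolower($2)
        # RFC 1123 hostname syntax with at least one dot: this also rejects
        # single-label names such as "localhost" and the "0.0.0.0 0.0.0.0" line.
        ok = (length(name) <= 253 && name !~ /^[0-9.]+$/ &&
              name ~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/)
        n = split(name, lab, ".")
        for (i = 1; i <= n && ok; i++) if (length(lab[i]) > 63) ok = 0
        if (!ok) { skip($0); next }
        if (!seen[name]++) printf "local-zone: \"%s\" static\n", name   # de-duplicate
    }
    function skip(line) { print "skipped: " line > "/dev/stderr" }'
}

# Constructed sample covering the cases the real list contains.
SAMPLE_HOSTS='# Title: StevenBlack/hosts (constructed sample)
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com   # trailing comment
0.0.0.0 Tracker.Example.NET
0.0.0.0 bad_host.example.com
0.0.0.0 -leading.example.com
0.0.0.0 ads.example.com
192.0.2.1 notasinkhole.example.com'

# Result of the demo as a string, so it can be checked programmatically.
demo_local_zones() { printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_local_zones 2>/dev/null; }

# Real use: hosts_to_local_zones < hosts > local-zones.conf
printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_local_zones   # two zones on stdout, refused lines on stderr
```

Paste the output into the server: section of /var/unbound/etc/unbound.conf and run unbound-checkconf before restarting unbound.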