version=pmwiki-2.2.130 ordered=1 charset=UTF-8 author=jrmu name=Iked.Configure rev=29 ctime=1615256737 time=1656167319 title=Configuring OpenIKED

(:title Configuring OpenIKED:)

OpenIKED is OpenBSD's native VPN solution. It is included with the base system,
so no installation is necessary. It allows us to use IPsec to provide
users with a VPN for security, privacy, and freedom of information.

Pros:

* Clean
* Secure
* Interoperable
* Simple to Configure

This configuration is for a road warrior setup, where a user wants to connect their device to a network (rather than connecting two networks).

!! Before You Begin

Make sure to read the [[https://www.openbsd.org/faq/faq17.html|FAQ's VPN guide]] and the manual pages for [[https://man.openbsd.org/iked|iked]] and [[https://man.openbsd.org/iked.conf|iked.conf]].

!! Configure iked.conf

Add this to /etc/iked.conf (replace @@username@@ and @@password@@ with your actual username and password; replace @@172.16.0.1@@ with your server's public IP address; and replace @@example.com@@ with your actual hostname):

[@
gateway = "172.16.0.1"
hostname = "example.com"
pool = "10.0.5.0/24"
dns = "172.16.0.1"

user 'username' 'password'
ikev2 $hostname passive esp \
 from any to dynamic \
 local $gateway peer any \
 srcid $hostname \
 eap "mschap-v2" \
 config address $pool \
 config name-server $dns \
 tag "ROADW"
@]

You must replace @@example.com@@ with a valid hostname that resolves to an IP address. Leave pool as @@10.0.5.0/24@@.

@@from any to dynamic@@ allows any user to connect. @@$dns@@ must provide the IP address of the name server that VPN clients will use. This example assumes you have a valid [[unbound/configure|caching name server]] configured and listening on IP 172.16.0.1.

@@tag "ROADW"@@ makes iked tag every packet of the IPsec flows created by this rule as ROADW, which the pf rules below match on.

iked depends upon packet filter being enabled. First, enable [[pf/guide|packet filter]] if it
is turned off:

[@
$ doas pfctl -e
@]

Next, add this to /etc/pf.conf:

[@
pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED
pass in inet proto esp tag IKED
pass on enc0 inet tagged ROADW
match out on $ext_if inet tagged ROADW nat-to $ext_if
match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53
@]

where @@$ext_if@@ is a pf macro that must be set to the name of [[IP/Myaddress|your external interface]]. The first two rules let IKE (UDP, with NAT traversal) and ESP traffic reach iked; the @@enc0@@ rules allow the decrypted VPN traffic and NAT it out through the external interface; the last rule redirects all DNS queries from VPN clients to the local resolver.

To find your external interface, type:

[@
$ ifconfig
@]

The external interface is the one with the public IP address. If OpenBSD is run inside [[vmm/install|vmm]], the external interface is probably vio0.

To reload the new pf ruleset:

[@
$ doas pfctl -f /etc/pf.conf
@]

At this point, we need to create a PKI and X.509 certificates that the VPN client can use to verify the server. From the command line, run this as root:

[@
# ikectl ca vpn create
# ikectl ca vpn install
certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt
CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl
# ikectl ca vpn certificate example.com create
# ikectl ca vpn certificate example.com install
writing RSA key
@]

Replace @@example.com@@ with your actual domain.

Users of the VPN will need to download @@/etc/iked/ca/ca.crt@@ to their device. The easiest way is to use [[openhttpd/configure|openhttpd]] and serve the file over the web.

[@
# cp /etc/iked/ca/ca.crt /var/www/htdocs/example.com/
# chown www:daemon /var/www/htdocs/example.com/ca.crt
@]

If the web server is configured correctly, users can then download the file at @@https://example.com/ca.crt@@.

!! Configuring DNS

This example uses [[unbound/configure|unbound]] as the caching DNS resolver. It assumes your server has its IP addresses statically assigned and is not using DHCP to locate its name servers.

Replace [[https://man.openbsd.org/resolv.conf|/etc/resolv.conf]] with the following:

[@
nameserver 127.0.0.1
lookup file bind
@]

Edit the following values in [[https://man.openbsd.org/unbound.conf|/var/unbound/etc/unbound.conf]]:

[@
outgoing-interface: 172.16.0.1
access-control: 10.0.0.0/8 allow
@]

We recommend configuring [[unbound/blacklists|domain blacklists]] for unbound to block unwanted traffic.

Edit [[https://man.openbsd.org/sysctl.conf|/etc/sysctl.conf]] to include these directives, so that they persist across reboots:

[@
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet.ipcomp.enable=1
net.inet.esp.enable=1
net.inet.ah.enable=1
@]

Next, run these commands as root to apply the same settings to the running kernel:

[@
sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip6.forwarding=1
sysctl net.inet.ipcomp.enable=1
sysctl net.inet.esp.enable=1
sysctl net.inet.ah.enable=1
@]

IP forwarding allows the server to forward the user's packets to their final destination.

Tighten file permissions (iked.conf contains the user's password in plain text, so only root should be able to read it), then start iked:

[@
$ doas chmod 0600 /etc/iked.conf
$ doas rcctl enable iked
$ doas rcctl start iked
@]

!! Troubleshooting

Running iked in the foreground with debugging enabled gives useful information about configuration errors.

First, turn off iked if it is running:

[@
$ doas rcctl stop iked
@]

Check to make sure no iked processes are running:

[@
$ ps ax | grep iked
@]

Then, run iked in debug mode:

[@
$ doas iked -dv
@]

@@-d@@ keeps iked in the foreground (it does not daemonize) and logs to stderr instead of syslog; @@-v@@ makes the output more verbose, and can be given more than once for even more detail.
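The ca.crt distribution step above serves the CA certificate over the web; a practitioner will also want to publish its fingerprint next to the download link, so users can check that the file they fetched is the one ikectl generated. The following is an added example and is not code from this wiki page or from OpenIKED. It computes the fingerprint of a PEM certificate the same way @@openssl x509 -noout -fingerprint -sha256@@ does (a hash over the DER bytes between the PEM markers) and compares a downloaded copy against a published value. The certificate bytes used as sample input are constructed, not a real certificate; on the server you would pass /etc/iked/ca/ca.crt as the command-line argument.

```python
"""Fingerprint a PEM certificate (e.g. /etc/iked/ca/ca.crt) for out-of-band checks.

Added example, not from the wiki page or OpenIKED. A certificate fingerprint is
the hash of its DER encoding, i.e. of the base64 payload between the PEM
markers; this is what `openssl x509 -noout -fingerprint -sha256` prints.
"""
import base64
import binascii
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and return its DER bytes."""
    match = PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    payload = "".join(match.group(1).split())  # drop the 64-column line breaks
    try:
        return base64.b64decode(payload, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"malformed base64 in certificate: {exc}") from None


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block, 64 characters per line like openssl."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    header, footer = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    return "\n".join([header, *lines, footer]) + "\n"


def der_fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hash DER bytes and format as colon-separated uppercase hex (openssl's layout)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint(pem: str, algo: str = "sha256") -> str:
    """Fingerprint of the first certificate in a PEM string."""
    return der_fingerprint(pem_to_der(pem), algo)


def matches(pem: str, published: str, algo: str = "sha256") -> bool:
    """True if the certificate's fingerprint equals the published one.

    Separators and case are ignored so that a value copied from a web page or
    typed from a printout ('ab cd ...', 'AB:CD:...') still compares correctly.
    """
    def normalise(s: str) -> str:
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return normalise(fingerprint(pem, algo)) == normalise(published)


# Constructed sample: DER-shaped bytes, not a real certificate, so the module
# runs offline. On the server, pass /etc/iked/ca/ca.crt on the command line.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    pem_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print("SHA256 Fingerprint=" + fingerprint(pem_text))
```

Run it as @@python3 fingerprint.py /etc/iked/ca/ca.crt@@ on the server and put the printed value on the same page as the ca.crt link; a user who saved the download can run the same script on their copy and call @@matches()@@ against the published string. Because the comparison normalises case and separators, the value can be published in whichever form is convenient.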
vpn.ircnow.org, with your domain):[[%3c%3c]]%0a%3c %0a%3c %0a%3c @@user 'username' 'password'[[%3c%3c]]@@%0a%3c @@ ikev2 'vpn.ircnow.org' passive esp \[[%3c%3c]]@@%0a%3c @@ from 0.0.0.0/0 to 0.0.0.0/0 \[[%3c%3c]]@@%0a%3c @@ local 203.0.113.5 peer any \[[%3c%3c]]@@%0a%3c @@ srcid vpn.ircnow.org \[[%3c%3c]]@@%0a%3c @@ eap "mschap-v2" \[[%3c%3c]]@@%0a%3c @@ config address 10.0.5.0/24 \[[%3c%3c]]@@%0a%3c @@ config name-server 203.0.113.5 \[[%3c%3c]]@@%0a%3c @@ tag "ROADW"[[%3c%3c]]@@%0a%3c %0a%3c %0a%3c Now, all is ready to start our VPN iked,just run the following commands[[%3c%3c]]%0a%3c @@$ doas chmod 0600 /etc/iked.conf [[%3c%3c]]@@%0a%3c @@$ doas rcctl enable iked[[%3c%3c]]@@%0a%3c @@$ doas rcctl start iked[[%3c%3c]]@@%0a%3c %0a%3c %0a%3c [+TROUBLESHOOTING+]%0a%3c Maybe we couldnt get it running, so we need to start the service in debug mode, just ignore the prior commands and run the following line[[%3c%3c]]%0a%3c @@$doas iked -dvvv@@[[%3c%3c]]%0a%3c this will show all the info you need in order the fix the issue%0a\ No newline at end of file%0a---%0a> At this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. 
From the command line, run:%0a> %0a> %0a> $doas ikectl ca vpn create[[%3c%3c]]%0a> $doas ikectl ca vpn install[[%3c%3c]]%0a> certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt[[%3c%3c]]%0a> CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl[[%3c%3c]]%0a> $doas ikectl ca vpn certificate server1.domain create[[%3c%3c]]%0a> $doas ikectl ca vpn certificate server1.domain install[[%3c%3c]]%0a> writing RSA key[[%3c%3c]]%0a> %0a> the file we need to export will be /etc/iked/ca/ca.crt[[%3c%3c]]%0a> %0a> %0a> Make sure to enable IP forwarding[[%3c%3c]]%0a> %0a> $echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf[[%3c%3c]]%0a> $echo 'net.inet6.ip6.forwarding=1' >> /etc/sysctl.conf[[%3c%3c]]%0a> $echo 'net.inet.ipcomp.enable=1' >> /etc/sysctl.conf [[%3c%3c]] %0a> $echo 'net.inet.esp.enable=1' >> /etc/sysctl.conf[[%3c%3c]]%0a> $echo 'net.inet.ah.enable=1' >> /etc/sysctl.conf[[%3c%3c]]%0a> $sysctl net.inet.ip.forwarding=1[[%3c%3c]]%0a> $sysctl net.inet6.ip6.forwarding=1[[%3c%3c]]%0a> %0a> Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address and vpn.ircnow.org, with your domain):[[%3c%3c]]%0a> %0a> %0a> user 'username' 'password'[[%3c%3c]]%0a> ikev2 'vpn.ircnow.org' passive esp \[[%3c%3c]]%0a> from 0.0.0.0/0 to 0.0.0.0/0 \[[%3c%3c]]%0a> local 203.0.113.5 peer any \[[%3c%3c]]%0a> srcid vpn.ircnow.org \[[%3c%3c]]%0a> eap "mschap-v2" \[[%3c%3c]]%0a> config address 10.0.5.0/24 \[[%3c%3c]]%0a> config name-server 203.0.113.5 \[[%3c%3c]]%0a> tag "ROADW"[[%3c%3c]]%0a> %0a> %0a> To start iked,[[%3c%3c]]%0a> $ doas chmod 0600 /etc/iked.conf [[%3c%3c]]%0a> $ doas rcctl enable iked[[%3c%3c]]%0a> $ doas rcctl start iked[[%3c%3c]]%0a\ No newline at end of file%0a host:1620873434=200.121.220.221 author:1620872105=st13g diff:1620872105:1620871815:=18,30c18,29%0a%3c Add this to /etc/pf.conf and make sure that $ext_if match your output interface. 
If you dont know what is your $ext_if, just issue the following command in your terminal @@$coconut ifconfig@@ and you'll see the interfaces, your $ext_if is the one who has an public IP address, for example it could be vio0.[[%3c%3c]][[%3c%3c]]%0a%3c add the following lines to the file%0a%3c @@/etc/pf.conf@@ %0a%3c %0a%3c @@pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED[[%3c%3c]]@@%0a%3c @@pass in inet proto esp tag IKED[[%3c%3c]]@@%0a%3c @@pass on enc0 inet tagged ROADW[[%3c%3c]]@@%0a%3c @@match out on $ext_if inet tagged ROADW nat-to $ext_if[[%3c%3c]]@@%0a%3c @@match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53[[%3c%3c]]@@%0a%3c %0a%3c Then in order to update the ruleset or apply the changes, we need to reload pf, we could do that with the following line:%0a%3c %0a%3c @@$ doas pfctl -f /etc/pf.conf [[%3c%3c]]@@%0a---%0a> Add this to /etc/pf.conf and make sure that $ext_if match your output interface. If you dont know what is your $ext_if, just issue the following command in your terminal @@$coconut ifconfig@@ and you'll see the interfaces, your $ext_if is the one who has an public IP address, for example it could be vio0.[[%3c%3c]]%0a> @@/etc/pf.conf@@ add this lines to the file%0a> @@%0a> pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED[[%3c%3c]]%0a> pass in inet proto esp tag IKED[[%3c%3c]]%0a> pass on enc0 inet tagged ROADW[[%3c%3c]]%0a> match out on $ext_if inet tagged ROADW nat-to $ext_if[[%3c%3c]]%0a> match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53[[%3c%3c]]%0a> @@%0a> To reload the new pf ruleset:%0a> %0a> $ doas pfctl -f /etc/pf.conf [[%3c%3c]]%0a host:1620872105=200.121.220.221 author:1620871815=st13g diff:1620871815:1620871303:=15,20c15,20%0a%3c [+SETTING UP IKED - (SERVER-SIDE)+]%0a%3c %0a%3c First we need to add some rules to our pf filters in order to allow IKED, isakmp, ipsec packages pass.%0a%3c Add this to /etc/pf.conf and make sure that $ext_if match 
your output interface. If you dont know what is your $ext_if, just issue the following command in your terminal @@$coconut ifconfig@@ and you'll see the interfaces, your $ext_if is the one who has an public IP address, for example it could be vio0.[[%3c%3c]]%0a%3c @@/etc/pf.conf@@ add this lines to the file%0a%3c @@%0a---%0a> [+SETTING UP VPN SERVER IKED+]%0a> %0a> %0a> %0a> Add this to /etc/pf.conf and make sure that $ext_if match your output interface%0a> %0a26c26%0a%3c @@%0a---%0a> %0a host:1620871815=200.121.220.221 author:1620871303=st13g diff:1620871303:1620870974:=1,4c1,4%0a%3c [+IKED+]%0a%3c %0a%3c OpenIKED is a free implementation of IKEv2 protocol which enable us to create VPNs in openBSD. OpenIKED is developed as part of the OpenBSD Project in that way comes with the OS, there is no need to install it.%0a%3c %0a---%0a> IKED%0a> %0a> OpenIKED is a free implementation of IKEv2 protocol which enable us to create a VPNs in openBSD. OpenIKED is developed as part of the OpenBSD Project in that way comes with the OS, there is no need to install it.%0a> %0a7,16c7,14%0a%3c * Lean%0a%3c * Clean%0a%3c * Secure%0a%3c * Interoperable%0a%3c * Configurable%0a%3c %0a%3c Now, we'll set up the VPN, both on the server-side and on the client-side%0a%3c %0a%3c [+SETTING UP VPN SERVER IKED+]%0a%3c %0a---%0a> # Lean%0a> # Clean%0a> # Secure%0a> # Interoperable%0a> # Configurable%0a> %0a> %0a> SETTING UP VPN SERVER IKED%0a host:1620871303=200.121.220.221 author:1620870974=st13g diff:1620870974:1618777673:=1,13d0%0a%3c IKED%0a%3c %0a%3c OpenIKED is a free implementation of IKEv2 protocol which enable us to create a VPNs in openBSD. 
OpenIKED is developed as part of the OpenBSD Project in that way comes with the OS, there is no need to install it.%0a%3c %0a%3c OpenIKED focuses mainly:%0a%3c %0a%3c # Lean%0a%3c # Clean%0a%3c # Secure%0a%3c # Interoperable%0a%3c # Configurable%0a%3c %0a%3c %0a host:1620870974=200.121.220.221 author:1618777673=st13g diff:1618777673:1618777639:= host:1618777673=190.42.16.42 author:1618777639=st13g diff:1618777639:1618777559:=6,11c6,11%0a%3c pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED[[%3c%3c]]%0a%3c pass in inet proto esp tag IKED[[%3c%3c]]%0a%3c pass on enc0 inet tagged ROADW[[%3c%3c]]%0a%3c match out on $ext_if inet tagged ROADW nat-to $ext_if[[%3c%3c]]%0a%3c match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53[[%3c%3c]]%0a%3c %0a---%0a> pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED%0a> pass in inet proto esp tag IKED%0a> pass on enc0 inet tagged ROADW%0a> match out on $ext_if inet tagged ROADW nat-to $ext_if%0a> match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53%0a> %0a14,15c14,15%0a%3c $ doas pfctl -f /etc/pf.conf [[%3c%3c]]%0a%3c %0a---%0a> $ doas pfctl -f /etc/pf.conf %0a> %0a19,31c19,31%0a%3c $doas ikectl ca vpn create[[%3c%3c]]%0a%3c $doas ikectl ca vpn install[[%3c%3c]]%0a%3c certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt[[%3c%3c]]%0a%3c CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl[[%3c%3c]]%0a%3c $doas ikectl ca vpn certificate server1.domain create[[%3c%3c]]%0a%3c $doas ikectl ca vpn certificate server1.domain install[[%3c%3c]]%0a%3c writing RSA key[[%3c%3c]]%0a%3c %0a%3c the file we need to export will be /etc/iked/ca/ca.crt[[%3c%3c]]%0a%3c %0a%3c %0a%3c Make sure to enable IP forwarding[[%3c%3c]]%0a%3c %0a---%0a> # ikectl ca vpn create%0a> # ikectl ca vpn install%0a> certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt%0a> CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl%0a> # ikectl ca vpn certificate server1.domain create%0a> 
# ikectl ca vpn certificate server1.domain install%0a> writing RSA key%0a> %0a> the file we need to export will be /etc/iked/ca/ca.crt%0a> %0a> %0a> Make sure to enable IP forwarding%0a> %0a40,42c40,42%0a%3c Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address and vpn.ircnow.org, with your domain):[[%3c%3c]]%0a%3c %0a%3c %0a---%0a> Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address and vpn.ircnow.org, with your domain):%0a> %0a> %0a54,57c54,57%0a%3c To start iked,[[%3c%3c]]%0a%3c $ doas chmod 0600 /etc/iked.conf [[%3c%3c]]%0a%3c $ doas rcctl enable iked[[%3c%3c]]%0a%3c $ doas rcctl start iked[[%3c%3c]]%0a\ No newline at end of file%0a---%0a> To start iked,%0a> $ doas chmod 0600 /etc/iked.conf %0a> $ doas rcctl enable iked%0a> $ doas rcctl start iked%0a\ No newline at end of file%0a host:1618777639=190.42.16.42 author:1618777559=st13g diff:1618777559:1618777242:=26,29c26,29%0a%3c %0a%3c the file we need to export will be /etc/iked/ca/ca.crt%0a%3c %0a%3c %0a---%0a> # cp /etc/iked/ca/ca.crt /var/www/htdocs/%0a> %0a> %0a> %0a32,39c32,39%0a%3c $echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf[[%3c%3c]]%0a%3c $echo 'net.inet6.ip6.forwarding=1' >> /etc/sysctl.conf[[%3c%3c]]%0a%3c $echo 'net.inet.ipcomp.enable=1' >> /etc/sysctl.conf [[%3c%3c]] %0a%3c $echo 'net.inet.esp.enable=1' >> /etc/sysctl.conf[[%3c%3c]]%0a%3c $echo 'net.inet.ah.enable=1' >> /etc/sysctl.conf[[%3c%3c]]%0a%3c $sysctl net.inet.ip.forwarding=1[[%3c%3c]]%0a%3c $sysctl net.inet6.ip6.forwarding=1[[%3c%3c]]%0a%3c %0a---%0a> $echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf%0a> $echo 'net.inet6.ip6.forwarding=1' >> /etc/sysctl.conf%0a> $echo 'net.inet.ipcomp.enable=1' >> /etc/sysctl.conf %0a> $echo 'net.inet.esp.enable=1' >> /etc/sysctl.conf%0a> $echo 'net.inet.ah.enable=1' >> /etc/sysctl.conf%0a> $sysctl net.inet.ip.forwarding=1%0a> $sysctl net.inet6.ip6.forwarding=1%0a> %0a43,51c43,51%0a%3c user 'username' 'password'[[%3c%3c]]%0a%3c 
ikev2 'vpn.ircnow.org' passive esp \[[%3c%3c]]%0a%3c from 0.0.0.0/0 to 0.0.0.0/0 \[[%3c%3c]]%0a%3c local 203.0.113.5 peer any \[[%3c%3c]]%0a%3c srcid vpn.ircnow.org \[[%3c%3c]]%0a%3c eap "mschap-v2" \[[%3c%3c]]%0a%3c config address 10.0.5.0/24 \[[%3c%3c]]%0a%3c config name-server 203.0.113.5 \[[%3c%3c]]%0a%3c tag "ROADW"[[%3c%3c]]%0a---%0a> user 'username' 'password'%0a> ikev2 'vpn.ircnow.org' passive esp \%0a> from 0.0.0.0/0 to 0.0.0.0/0 \%0a> local 203.0.113.5 peer any \%0a> srcid vpn.ircnow.org \%0a> eap "mschap-v2" \%0a> config address 10.0.5.0/24 \%0a> config name-server 203.0.113.5 \%0a> tag "ROADW"%0a host:1618777559=190.42.16.42 author:1618777242=st13g diff:1618777242:1618777176:=32,39c32,39%0a%3c $echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf%0a%3c $echo 'net.inet6.ip6.forwarding=1' >> /etc/sysctl.conf%0a%3c $echo 'net.inet.ipcomp.enable=1' >> /etc/sysctl.conf %0a%3c $echo 'net.inet.esp.enable=1' >> /etc/sysctl.conf%0a%3c $echo 'net.inet.ah.enable=1' >> /etc/sysctl.conf%0a%3c $sysctl net.inet.ip.forwarding=1%0a%3c $sysctl net.inet6.ip6.forwarding=1%0a%3c %0a---%0a> echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf%0a> echo 'net.inet6.ip6.forwarding=1' >> /etc/sysctl.conf%0a> echo 'net.inet.ipcomp.enable=1' >> /etc/sysctl.conf %0a> echo 'net.inet.esp.enable=1' >> /etc/sysctl.conf%0a> echo 'net.inet.ah.enable=1' >> /etc/sysctl.conf%0a> sysctl net.inet.ip.forwarding=1%0a> sysctl net.inet6.ip6.forwarding=1%0a> %0a42d41%0a%3c %0a52d50%0a%3c %0a host:1618777242=190.42.16.42 author:1618777176=st13g diff:1618777176:1618776709:=3,5c3,16%0a%3c %0a%3c Add this to /etc/pf.conf and make sure that $ext_if match your output interface%0a%3c %0a---%0a> Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address):%0a> %0a> user 'username' 'password'%0a> ikev2 'vpn.ircnow.org' passive esp \%0a> from 0.0.0.0/0 to 0.0.0.0/0 \%0a> local 203.0.113.5 peer any \%0a> srcid vpn.ircnow.org \%0a> eap "mschap-v2" \%0a> config address 10.0.5.0/24 \%0a> 
config name-server 203.0.113.5 \%0a> tag "ROADW"%0a> %0a> Add this to /etc/pf.conf:%0a> %0a28,51c39,46%0a%3c %0a%3c %0a%3c Make sure to enable IP forwarding%0a%3c %0a%3c echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf%0a%3c echo 'net.inet6.ip6.forwarding=1' >> /etc/sysctl.conf%0a%3c echo 'net.inet.ipcomp.enable=1' >> /etc/sysctl.conf %0a%3c echo 'net.inet.esp.enable=1' >> /etc/sysctl.conf%0a%3c echo 'net.inet.ah.enable=1' >> /etc/sysctl.conf%0a%3c sysctl net.inet.ip.forwarding=1%0a%3c sysctl net.inet6.ip6.forwarding=1%0a%3c %0a%3c Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address and vpn.ircnow.org, with your domain):%0a%3c %0a%3c user 'username' 'password'%0a%3c ikev2 'vpn.ircnow.org' passive esp \%0a%3c from 0.0.0.0/0 to 0.0.0.0/0 \%0a%3c local 203.0.113.5 peer any \%0a%3c srcid vpn.ircnow.org \%0a%3c eap "mschap-v2" \%0a%3c config address 10.0.5.0/24 \%0a%3c config name-server 203.0.113.5 \%0a%3c tag "ROADW"%0a%3c %0a---%0a> Does this need to be added to /etc/sysctl.conf:%0a> %0a> %0a> net.inet.ip.forwarding=1%0a> net.inet.ipcomp.enable=1%0a> net.inet.esp.enable=1%0a> net.inet.ah.enable=1%0a> %0a53c48%0a%3c $ doas chmod 0600 /etc/iked.conf %0a---%0a> %0a54a50%0a> $ doas rcctl set iked flags -6%0a host:1618777176=190.42.16.42 author:1618776709=st13g diff:1618776709:1615258936:=1,51c1,25%0a%3c SETTING UP VPN SERVER IKED%0a%3c %0a%3c Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address):%0a%3c %0a%3c user 'username' 'password'%0a%3c ikev2 'vpn.ircnow.org' passive esp \%0a%3c from 0.0.0.0/0 to 0.0.0.0/0 \%0a%3c local 203.0.113.5 peer any \%0a%3c srcid vpn.ircnow.org \%0a%3c eap "mschap-v2" \%0a%3c config address 10.0.5.0/24 \%0a%3c config name-server 203.0.113.5 \%0a%3c tag "ROADW"%0a%3c %0a%3c Add this to /etc/pf.conf:%0a%3c %0a%3c pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED%0a%3c pass in inet proto esp tag IKED%0a%3c pass on enc0 inet tagged ROADW%0a%3c match out on $ext_if 
inet tagged ROADW nat-to $ext_if%0a%3c match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53%0a%3c %0a%3c To reload the new pf ruleset:%0a%3c %0a%3c $ doas pfctl -f /etc/pf.conf %0a%3c %0a%3c At this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. From the command line, run:%0a%3c %0a%3c %0a%3c # ikectl ca vpn create%0a%3c # ikectl ca vpn install%0a%3c certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt%0a%3c CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl%0a%3c # ikectl ca vpn certificate server1.domain create%0a%3c # ikectl ca vpn certificate server1.domain install%0a%3c writing RSA key%0a%3c # cp /etc/iked/ca/ca.crt /var/www/htdocs/%0a%3c %0a%3c Does this need to be added to /etc/sysctl.conf:%0a%3c %0a%3c %0a%3c net.inet.ip.forwarding=1%0a%3c net.inet.ipcomp.enable=1%0a%3c net.inet.esp.enable=1%0a%3c net.inet.ah.enable=1%0a%3c %0a%3c To start iked,%0a%3c %0a%3c $ doas rcctl enable iked%0a%3c $ doas rcctl set iked flags -6%0a%3c $ doas rcctl start iked%0a\ No newline at end of file%0a---%0a> WINDOWS IKED CLIENT CONFIGURATION%0a> %0a> Lauch your Windows Management Console%0a> %0a> Then, in "File" Menu, select "Add or Remove Snap-in", and selesct "Certificates"%0a> %0a> Click "Add"%0a> %0a> Select "Computer Account", next, then select "Local Computer" options, finally click "Finish"%0a> %0a> In the Windows Management Console, under Console Root tree, select Certificates and expand Trusted Root Certification Authorities, and select Certificates%0a> %0a> Now in Action Menu, in the console, select "All Tasks" and click "import", you need to browse, and select your certificate,then click "Next"%0a> %0a> In the dialog box, ensure that Trusted Root Certification Authorities is selected, then "Next" and "Finish"%0a> %0a> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>%0a> %0a> Now open your control panel, select Network and Sharing Center%0a> %0a> 
click on "Set up a new connection or network" , click on "Connect to a Workplace", then "Use my Internet connection (VPN)"%0a> %0a> in the dialog box, fill the domain name of your VPN, or the ip , in the field "Destination Name" put some description, then click "done"%0a> %0a> Finally in your task bar, inthe icon of your connections, click on it,it should appear the name of your VPN, select it, and click on "connect" , after some seconds, a dialog box should appear, enter your username and password, and now you are finally connected to your VPN.%0a\ No newline at end of file%0a host:1618776709=190.42.16.42 author:1615258936=st13g diff:1615258936:1615256737:=3,25c3%0a%3c Lauch your Windows Management Console%0a%3c %0a%3c Then, in "File" Menu, select "Add or Remove Snap-in", and selesct "Certificates"%0a%3c %0a%3c Click "Add"%0a%3c %0a%3c Select "Computer Account", next, then select "Local Computer" options, finally click "Finish"%0a%3c %0a%3c In the Windows Management Console, under Console Root tree, select Certificates and expand Trusted Root Certification Authorities, and select Certificates%0a%3c %0a%3c Now in Action Menu, in the console, select "All Tasks" and click "import", you need to browse, and select your certificate,then click "Next"%0a%3c %0a%3c In the dialog box, ensure that Trusted Root Certification Authorities is selected, then "Next" and "Finish"%0a%3c %0a%3c >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>%0a%3c %0a%3c Now open your control panel, select Network and Sharing Center%0a%3c %0a%3c click on "Set up a new connection or network" , click on "Connect to a Workplace", then "Use my Internet connection (VPN)"%0a%3c %0a%3c in the dialog box, fill the domain name of your VPN, or the ip , in the field "Destination Name" put some description, then click "done"%0a%3c %0a%3c Finally in your task bar, inthe icon of your connections, click on it,it should appear the name of your VPN, select it, and click on "connect" , 
after some seconds, a dialog box should appear, enter your username and password, and now you are finally connected to your VPN.%0a\ No newline at end of file%0a---%0a> Lauch your Windows Management Console%0a\ No newline at end of file%0a host:1615258936=190.42.16.35 author:1615256737=st13g diff:1615256737:1615256737:=1,3d0%0a%3c WINDOWS IKED CLIENT CONFIGURATION%0a%3c %0a%3c Lauch your Windows Management Console%0a\ No newline at end of file%0a host:1615256737=190.42.16.35
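Review bot: in the hosts-to-unbound conversion hunk, the third step `$ sed 's/ "/"/' newhosts2 > newhosts3` replaces the first ` "` on each line, and after the previous `sed` every line begins with `local-zone: "`, so it strips the space after the colon rather than any stray space before the closing quote; either drop the step or anchor it on the trailing space, e.g. `sed 's/ " static$/" static/'`. In the same hunk `lookup file bind` is listed once under `/etc/resolv.conf:` and again under `/etc/resolv.conf.tail:`, so the reader cannot tell which file gets which lines; split the two files into separate blocks.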
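Review bot: in the hunk that creates the server certificate (`$doas ikectl ca vpn certificate server1.domain create` and the matching `install`) and then writes the policy with `srcid vpn.ircnow.org`, the two host names differ. iked picks the server certificate by the srcid, so the certificate must be issued for the same name the policy uses; the text should state that `server1.domain` and `vpn.ircnow.org` stand for one and the same hostname (the one that resolves to the server), or use a single placeholder for both.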
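Review bot: in the sysctl hunk (`$echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf` and the lines that follow it), the only change is the added `$`, which reads as a shell variable rather than a prompt, and both appending to /etc/sysctl.conf and running `sysctl net.inet.ip.forwarding=1` need root; write them as `doas sh -c "echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf"` and `doas sysctl net.inet.ip.forwarding=1`. Note also that `net.inet.ipcomp.enable=1`, `net.inet.esp.enable=1` and `net.inet.ah.enable=1` are appended to the file but never applied with `sysctl`, so they only take effect after a reboot unless they are set live as well.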
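Review bot: the Windows client hunk contains a stray `>>>>>>>>>>` separator line that should be removed, and `Lauch` and `selesct` are typos. The import step (`select "All Tasks" and click "import"`) should also name the file being imported, the ca.crt exported from the server earlier in the history, so the reader knows it is the CA certificate, not a client certificate, that belongs under Trusted Root Certification Authorities.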