version=pmwiki-2.2.130 ordered=1 agent=w3m/0.5.3+git20210102 author=jrmu charset=UTF-8 csum= ctime=1597227135 host=38.87.162.154 name=Openbsd.Iked rev=8 targets= text=
(:redirect iked/configure:)
Note: this was written for OpenBSD 6.6 and has not been updated for the latest version of OpenBSD (currently 6.9).

Add this to /etc/iked.conf (replace 192.168.1.1 with your server's public IP address):

[@
user 'username' 'password'
ikev2 'vpn.ircnow.org' passive esp \
 from 0.0.0.0/0 to 0.0.0.0/0 \
 local 192.168.1.1 peer any \
 srcid vpn.ircnow.org \
 eap "mschap-v2" \
 config address 10.0.5.0/24 \
 config name-server 192.168.1.1 \
 tag "ROADW"
@]

The 'from 0.0.0.0/0 to 0.0.0.0/0' flow matches any source and any destination, so all traffic from any connected client goes through the tunnel. The name-server option tells VPN clients which DNS server to use, so in this example you must have a valid caching name server reachable at the server's public IP (the address given as name-server above). Note that packets from these clients will be tagged ROADW.

Add this to /etc/pf.conf:

[@
pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED
pass in inet proto esp tag IKED
pass on enc0 inet tagged ROADW
match out on vio0 inet tagged ROADW nat-to vio0
match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53
@]

Here vio0 is the server's external interface; substitute your own. The last rule redirects the clients' DNS queries to the local resolver on 127.0.0.1.

To reload the new pf ruleset:

[@
$ doas pfctl -f /etc/pf.conf
@]

At this point, we need to create a PKI and X.509 certificates that the VPN client can use to verify the server. From the command line, run:

[@
# ikectl ca vpn create
# ikectl ca vpn install
certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt
CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl
# ikectl ca vpn certificate server1.domain create
# ikectl ca vpn certificate server1.domain install
writing RSA key
# cp /etc/iked/ca/ca.crt /var/www/htdocs/
@]

We will use unbound as the caching DNS resolver.
Our servers have static IP addresses so we do not use DHCP (if DHCP is used, you must ignore the provided name servers):

/etc/resolv.conf:

[@
nameserver 127.0.0.1
lookup file bind
@]

/etc/resolv.conf.tail:

[@
lookup file bind
@]

/var/unbound/etc/unbound.conf (again, 203.0.113.5 stands for your server's public IP address):

[@
outgoing-interface: 203.0.113.5
access-control: 10.0.0.0/8 allow
...

local-zone: "www.domain.com" static

...
@]

The local-zone lines are only needed if you want to filter/censor domains. You can obtain a list of domains to block using [[https://github.com/StevenBlack/hosts|StevenBlack's hosts]] files. I used the [[https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts|unified hosts + porn + gambling]] filter to block unwanted content.

[@
$ curl -L -O https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts
@]

We need to reformat this hosts file into unbound local-zone lines:

[@
$ awk '!/^ *#/ && NF' hosts > newhosts    # drop comment and blank lines from stevenblack's list
$ sed -n 's/^0\.0\.0\.0 \([^# ]*\).*$/local-zone: "\1" static/p' newhosts > newhosts2    # keep only the 0.0.0.0 entries
$ grep -v '"0.0.0.0"' newhosts2 > newhosts3    # drop the "0.0.0.0 0.0.0.0" placeholder entry
@]

Manually check for malformed entries, then put this into /var/unbound/etc/unbound.conf.

Add this to /etc/sysctl.conf (net.inet.ip.forwarding=1 is required so the server routes traffic for VPN clients; net.inet.ipcomp.enable=1 is only needed if you use IP compression):

[@
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
@]


To start iked,

[@
$ doas rcctl enable iked
$ doas rcctl start iked
@]

To turn on debugging, replace the last step with:

[@
$ doas iked -dv
@]

Note: You may consider using blacklists from here:
[@
https://dsi.ut-capitole.fr/blacklists/index_en.php
https://github.com/4skinSkywalker/anti-porn-hosts-file/blob/master/HOSTS.txt
https://mirror1.malwaredomains.com/files/justdomains
https://blocklist.site/app/dl/piracy
https://blocklist.site/app/dl/torrent
https://github.com/mmotti/pihole-regex/blob/master/regex.list
https://blocklist.site/app/dl/porn
@]
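The awk/sed reformatting step above and the extra blacklists in this note both feed hosts-format lists into unbound, so here is an added example (not the page's own pipeline) of that conversion done in one POSIX shell function with awk. It skips comment lines and inline comments, the loopback/broadcast names and the "0.0.0.0 0.0.0.0" placeholder that StevenBlack's list carries, rejects names that are not valid hostnames (reporting them on stderr) and deduplicates, so fewer malformed entries reach unbound.conf. The function names and the sample input are constructed for this example.

```shell
#!/bin/sh
# Added example: turn a hosts-format blocklist into unbound "local-zone" lines.
# Only 0.0.0.0 and 127.0.0.1 sink entries are converted; comments, loopback and
# broadcast names, the "0.0.0.0 0.0.0.0" placeholder and malformed names are
# skipped, and duplicates are written once. Reads stdin, writes stdout.
hosts_to_localzone() {
    awk '
    BEGIN {
        # names that must never become a blocking zone
        n = split("localhost localhost.localdomain local broadcasthost ip6-localhost ip6-loopback 0.0.0.0", a, " ")
        for (i = 1; i <= n; i++) skip[a[i]] = 1
    }
    /^[ \t]*#/ || NF < 2 { next }                    # comment, blank or short line
    $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }     # not a sink entry (e.g. ::1 lines)
    {
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^#/) break                      # inline comment: stop here
            name = tolower($i)
            sub(/\.$/, "", name)                      # strip a trailing dot
            if (name in skip) continue
            # RFC 1123 style: dot-separated labels of letters, digits and hyphens
            if (name !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) {
                printf "skipping malformed entry: %s\n", $0 > "/dev/stderr"
                continue
            }
            if (name in seen) continue
            seen[name] = 1
            printf "local-zone: \"%s\" static\n", name
        }
    }'
}

# Constructed sample input covering each case the function handles.
sample_hosts='# Title: StevenBlack/hosts (constructed excerpt)
127.0.0.1 localhost
::1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com # tracker
0.0.0.0 ads.example.com
0.0.0.0 bad_host.example
0.0.0.0 Track.Example.NET.'

# Run the converter over the sample (stderr silenced for the demo).
convert_sample() {
    printf '%s\n' "$sample_hosts" | hosts_to_localzone 2>/dev/null
}

convert_sample
```

The generated lines belong inside the server: section of /var/unbound/etc/unbound.conf; run unbound-checkconf before restarting unbound so one bad line does not take the resolver down for every VPN client.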