Building an IKEv2 road warrior VPN for iOS 9 with OpenBSD and DNSCrypt

Howdy,

In this tutorial I hope to help you configure an IKEv2 VPN between iOS 9 (iPhone) and OpenBSD.

OpenBSD 5.9 amd64

# cat /etc/iked.conf

ikev2 "ios9" passive esp from 0.0.0.0/0 to 192.168.1.0/24 \
 local 7.7.7.7 peer any \
 ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
 childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
 psk "YOURPSK" config address 192.168.1.0/24 \
 config name-server 192.168.1.1 config access-server 192.168.1.1

# chmod 700 /etc/iked.conf
# rcctl enable iked
# echo 'inet 192.168.1.1 255.255.255.0 192.168.1.255' > /etc/hostname.vether0
# sh /etc/netstart vether0
  • 7.7.7.7 stands for the server's external IP address.

Let's configure unbound as a caching DNS resolver that forwards all requests to dnscrypt-proxy.

# rcctl enable unbound
# vi /var/unbound/etc/unbound.conf

Something like this should work for most setups:

server:
    interface: 192.168.1.1
    interface: 127.0.0.1
    access-control: 192.168.1.0/24 allow
    do-not-query-localhost: no
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40

# export PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/5.9/packages/amd64
# pkg_add dnscrypt-proxy
# rcctl enable dnscrypt_proxy
# rcctl set dnscrypt_proxy flags -E -m 1 -R cisco -a 127.0.0.1:40
  • Replace cisco with an upstream resolver of your choice. The package includes a list of servers in the /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv file.
  • The -a 127.0.0.1:40 listen address must match the forward-addr 127.0.0.1@40 in unbound.conf, and unbound must listen on the 192.168.1.1 address that iked hands to clients as name-server; otherwise VPN clients get no DNS at all.
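As an added sanity check (this script is not part of the original post), the following POSIX sh script cross-checks the three pieces configured above: the name-server and address pool iked pushes to the phone, the interface and access-control lines unbound serves with, and the -a listen socket in dnscrypt-proxy's rcctl flags against unbound's forward-addr. The three config texts are constructed copies of the files shown in this tutorial and every function name is my own; on a real host you would feed it the actual /etc/iked.conf, /var/unbound/etc/unbound.conf and the output of rcctl get dnscrypt_proxy flags.

```shell
#!/bin/sh
# Added consistency check for the iked -> unbound -> dnscrypt-proxy chain.
# The three configs below are constructed copies of the tutorial's files;
# on a real host read them from /etc/iked.conf, /var/unbound/etc/unbound.conf
# and `rcctl get dnscrypt_proxy flags` instead.

IKED_CONF=$(cat <<'EOF'
ikev2 "ios9" passive esp from 0.0.0.0/0 to 192.168.1.0/24 \
 local 7.7.7.7 peer any \
 ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
 childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
 psk "YOURPSK" config address 192.168.1.0/24 \
 config name-server 192.168.1.1 config access-server 192.168.1.1
EOF
)

UNBOUND_CONF=$(cat <<'EOF'
server:
    interface: 192.168.1.1
    interface: 127.0.0.1
    access-control: 192.168.1.0/24 allow
    do-not-query-localhost: no
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40
EOF
)

DNSCRYPT_FLAGS='-E -m 1 -R cisco -a 127.0.0.1:40'

# Join iked's backslash-continued lines so sed sees the whole policy at once.
iked_joined() {
    printf '%s\n' "$1" | tr -d '\\' | tr '\n' ' '
}

# Name server that iked pushes to the phone (config name-server X).
iked_name_server() {
    iked_joined "$1" | sed -n 's|.*config name-server \([0-9.]*\).*|\1|p'
}

# Address pool handed out to clients (config address X/Y).
iked_pool() {
    iked_joined "$1" | sed -n 's|.*config address \([0-9./]*\).*|\1|p'
}

# Upstream unbound forwards "." to, as host:port (unbound writes host@port).
unbound_forward() {
    printf '%s\n' "$1" | awk '$1 == "forward-addr:" { sub("@", ":", $2); print $2; exit }'
}

# True if unbound has an "interface:" line for the given address.
unbound_listens_on() {
    printf '%s\n' "$1" | awk -v want="$2" \
        '$1 == "interface:" && $2 == want { found = 1 } END { exit !found }'
}

# True if unbound has "access-control: <net> allow" for the given network.
unbound_allows() {
    printf '%s\n' "$1" | awk -v want="$2" \
        '$1 == "access-control:" && $2 == want && $3 == "allow" { found = 1 } END { exit !found }'
}

# Listen socket from dnscrypt-proxy's rcctl flags (-a host:port); fails if absent.
dnscrypt_listen() {
    set -- $1
    while [ $# -gt 0 ]; do
        [ "$1" = "-a" ] && { printf '%s\n' "$2"; return 0; }
        shift
    done
    return 1
}

# Cross-check the three pieces: clients must be told a resolver unbound listens on,
# unbound must accept queries from the pool, and unbound's upstream must be the
# socket dnscrypt-proxy actually binds. Prints the first problem and returns 1.
check_chain() {
    ns=$(iked_name_server "$1"); pool=$(iked_pool "$1"); fwd=$(unbound_forward "$2")
    dc=$(dnscrypt_listen "$3") || { echo "dnscrypt-proxy flags lack -a"; return 1; }
    unbound_listens_on "$2" "$ns" || { echo "unbound does not listen on $ns"; return 1; }
    unbound_allows "$2" "$pool" || { echo "unbound does not allow $pool"; return 1; }
    [ "$fwd" = "$dc" ] || { echo "unbound forwards to $fwd, dnscrypt-proxy listens on $dc"; return 1; }
    echo "ok: clients use $ns, unbound forwards to dnscrypt-proxy at $dc"
}

check_chain "$IKED_CONF" "$UNBOUND_CONF" "$DNSCRYPT_FLAGS"
```

Run it after editing any of the three files; a mismatched port in the rcctl flags (for example -a 127.0.0.1:53 while unbound still forwards to 127.0.0.1@40) is reported as the first failure, which is the usual reason VPN clients connect fine but cannot resolve names.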
