Building VPNs with OpenBSD and IPsec

In this tutorial I'll show how to create an IPsec VPN between two OpenBSD machines. Making a VPN on OpenBSD is very easy and takes only a few minutes.

Follow the scenario: consider two OpenBSD gateways, A and B.

Adjust /etc/sysctl.conf on both sides:

net.inet.ip.forwarding=1
net.inet.ah.enable=1
net.inet.esp.enable=1
net.inet.ipcomp.enable=1

Adjust /etc/ipsec.conf of side OpenBSD A

# cat /etc/ipsec.conf

local_ip="172.16.123.1"
local_network="192.168.20.0/24"
remote_ip="172.16.123.2"
remote_network="192.168.40.0/24"

ike esp from $local_network to $remote_network peer $remote_ip
ike esp from $local_ip to $remote_network peer $remote_ip
ike esp from $local_ip to $remote_ip

Adjust /etc/ipsec.conf of side OpenBSD B

# cat /etc/ipsec.conf

local_ip="172.16.123.2"
local_network="192.168.40.0/24"
remote_ip="172.16.123.1"
remote_network="192.168.20.0/24"

ike passive esp from $local_network to $remote_network peer $remote_ip
ike passive esp from $local_ip to $remote_network peer $remote_ip
ike passive esp from $local_ip to $remote_ip

Adjust /etc/pf.conf on both OpenBSD machines (I assume a PF ruleset whose default policy is block all). The macros are shown with the values for OpenBSD A; swap them on B.

# interface names are placeholders, replace them with yours
ext_if="yourEXT_IF"
int_if="yourINT_IF"
remote_gw="172.16.123.2"
remote_nets="192.168.40.0/24"

# enc0 is filtered by the rules below, so only lo is skipped
set skip on { lo }

# VPN: ESP and IKE (isakmp, plus ipsec-nat-t for NAT traversal) between the two gateways
pass in log on $ext_if proto esp from $remote_gw to $ext_if
pass out log on $ext_if proto esp from $ext_if to $remote_gw

pass in log on $ext_if proto udp from $remote_gw to $ext_if port {isakmp, ipsec-nat-t}
pass out log on $ext_if proto udp from $ext_if to $remote_gw port {isakmp, ipsec-nat-t}

# decrypted traffic between the two LANs, with state bound to enc0
pass in log on enc0 from $remote_nets to $int_if:network keep state (if-bound)
pass out log on enc0 from $int_if:network to $remote_nets keep state (if-bound)

Exchange the isakmpd public keys of both OpenBSD machines (the file name under pubkeys/ipv4/ must be the peer's IP address)

On OpenBSD A, copy /etc/isakmpd/local.pub from OpenBSD B into /etc/isakmpd/pubkeys/ipv4/172.16.123.2
# scp 172.16.123.2:/etc/isakmpd/local.pub /etc/isakmpd/pubkeys/ipv4/172.16.123.2

On OpenBSD B, copy /etc/isakmpd/local.pub from OpenBSD A into /etc/isakmpd/pubkeys/ipv4/172.16.123.1
# scp 172.16.123.1:/etc/isakmpd/local.pub /etc/isakmpd/pubkeys/ipv4/172.16.123.1

Test your ipsec.conf (do this on both sides):
# ipsecctl -n -f /etc/ipsec.conf
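ipsecctl -n only checks the syntax of one file. The following added shell script (not part of the original tutorial) cross-checks the pair of configs: each address macro on A must mirror its counterpart on B, and exactly one side must carry passive. It embeds constructed copies of the two ipsec.conf files shown above; feed it the contents of your own files to reuse it.

```shell
#!/bin/sh
# Cross-check the two peers' ipsec.conf files before loading them: the
# addresses must mirror each other and exactly one side must be 'passive'.
# Constructed copies of the tutorial's two configs are embedded below.
cfg_a=$(cat <<'EOF'
local_ip="172.16.123.1"
local_network="192.168.20.0/24"
remote_ip="172.16.123.2"
remote_network="192.168.40.0/24"
ike esp from $local_network to $remote_network peer $remote_ip
ike esp from $local_ip to $remote_network peer $remote_ip
ike esp from $local_ip to $remote_ip
EOF
)
cfg_b=$(cat <<'EOF'
local_ip="172.16.123.2"
local_network="192.168.40.0/24"
remote_ip="172.16.123.1"
remote_network="192.168.20.0/24"
ike passive esp from $local_network to $remote_network peer $remote_ip
ike passive esp from $local_ip to $remote_network peer $remote_ip
ike passive esp from $local_ip to $remote_ip
EOF
)
# var CONFIG NAME: print the value of a NAME="value" macro line
var() { printf '%s\n' "$1" | sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p"; }
# count CONFIG REGEX: number of matching lines (prints 0 instead of grep's exit 1)
count() { printf '%s\n' "$1" | grep -c "$2" || true; }
# check_pair A_CONF B_CONF: exit 0 when the two configs mirror each other
check_pair() {
  a=$1; b=$2; rc=0
  # each macro on A must equal its counterpart on B (and be non-empty)
  for pair in local_ip:remote_ip remote_ip:local_ip \
              local_network:remote_network remote_network:local_network; do
    ka=${pair%%:*}; kb=${pair#*:}
    va=$(var "$a" "$ka"); vb=$(var "$b" "$kb")
    [ -n "$va" ] && [ "$va" = "$vb" ] || { echo "mismatch: A $ka='$va' B $kb='$vb'"; rc=1; }
  done
  na=$(count "$a" '^ike '); nb=$(count "$b" '^ike ')
  pa=$(count "$a" '^ike passive '); pb=$(count "$b" '^ike passive ')
  [ "$na" -eq "$nb" ] || { echo "flow count differs: A=$na B=$nb"; rc=1; }
  # one side initiates (no 'passive'), the other only responds (all 'passive')
  if [ "$pa" -eq 0 ] && [ "$pb" -eq "$nb" ]; then :
  elif [ "$pb" -eq 0 ] && [ "$pa" -eq "$na" ]; then :
  else echo "roles wrong: A passive=$pa/$na B passive=$pb/$nb"; rc=1; fi
  return $rc
}
check_pair "$cfg_a" "$cfg_b" && echo "ipsec.conf pair is consistent"
```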

Now it's time to start the VPN. On both sides execute:

# isakmpd -K ; ipsecctl -f /etc/ipsec.conf

Test it:

On one side run:

# tcpdump -ni enc0

On the other side run:

# ping 172.16.123.2

This assumes tcpdump is running on side B and the ping is executed on side A; the decrypted ICMP packets should show up on enc0.

Start automatically after reboot

On side A, add a route to B's network via the peer:
# echo '!route add -net 192.168.40.0/24 172.16.123.2' >> /etc/hostname.yourEXT_IF

On side B, add a route to A's network via the peer:
# echo '!route add -net 192.168.20.0/24 172.16.123.1' >> /etc/hostname.yourEXT_IF

Put this on both sides so isakmpd and the ipsec rules are loaded at boot:

# echo 'isakmpd_flags="-K"' >> /etc/rc.conf.local
# echo 'ipsec="YES"' >> /etc/rc.conf.local

Reboot and have fun with your IPsec VPN running under OpenBSD.
