In this tutorial, I'll show how to create a site-to-site IPsec VPN using OpenBSD.
Making a VPN on OpenBSD is very easy; it can be done within minutes.
Consider two OpenBSD gateways, A and B. In the configuration below, A has the external address 172.16.123.1 in front of the network 192.168.20.0/24, and B has the external address 172.16.123.2 in front of the network 192.168.40.0/24.
Adjust /etc/sysctl.conf on both sides. The values are applied at boot; to apply them right away, run sysctl(8) with the same settings.
# forward packets between the interfaces
net.inet.ip.forwarding=1
# enable the IPsec protocols: AH, ESP and IP payload compression
net.inet.ah.enable=1
net.inet.esp.enable=1
net.inet.ipcomp.enable=1
Adjust /etc/ipsec.conf on OpenBSD A. A is the active side: it initiates the IKE negotiation with B.
# cat /etc/ipsec.conf
local_ip="172.16.123.1"
local_network="192.168.20.0/24"
remote_ip="172.16.123.2"
remote_network="192.168.40.0/24"
# LAN to LAN traffic
ike esp from $local_network to $remote_network peer $remote_ip
# this gateway to the remote LAN
ike esp from $local_ip to $remote_network peer $remote_ip
# gateway to gateway (this is the flow the ping test below exercises)
ike esp from $local_ip to $remote_ip
Adjust /etc/ipsec.conf on OpenBSD B. B is the passive side: it waits for A to initiate. Note that only the variable block and the passive keyword differ from A; the flow lines are identical because they refer to the variables.
# cat /etc/ipsec.conf
local_ip="172.16.123.2"
local_network="192.168.40.0/24"
remote_ip="172.16.123.1"
remote_network="192.168.20.0/24"
ike passive esp from $local_network to $remote_network peer $remote_ip
ike passive esp from $local_ip to $remote_network peer $remote_ip
ike passive esp from $local_ip to $remote_ip
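The two files above must mirror each other exactly (local and remote swapped, active on one side and passive on the other), and a mismatch is the most common reason a tunnel never comes up. The following script is an added example, not part of the tutorial: it derives one gateway's ipsec.conf from the other's and checks that the pair is consistent. It assumes the tutorial's layout, a four-variable block followed by "ike esp ..." or "ike passive esp ..." flow lines; the two configs are embedded so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the tutorial: derive one gateway's ipsec.conf from
# the other's and check that the two files mirror each other. It assumes the
# tutorial's layout: four variables (local_ip, local_network, remote_ip,
# remote_network) followed by "ike esp ..." or "ike passive esp ..." flow lines.

# Configs copied from the tutorial, embedded here so the script runs offline.
A_CONF=$(cat <<'EOF'
local_ip="172.16.123.1"
local_network="192.168.20.0/24"
remote_ip="172.16.123.2"
remote_network="192.168.40.0/24"
ike esp from $local_network to $remote_network peer $remote_ip
ike esp from $local_ip to $remote_network peer $remote_ip
ike esp from $local_ip to $remote_ip
EOF
)
B_CONF=$(cat <<'EOF'
local_ip="172.16.123.2"
local_network="192.168.40.0/24"
remote_ip="172.16.123.1"
remote_network="192.168.20.0/24"
ike passive esp from $local_network to $remote_network peer $remote_ip
ike passive esp from $local_ip to $remote_network peer $remote_ip
ike passive esp from $local_ip to $remote_ip
EOF
)

# conf_var CONF NAME: print the value of NAME="..." from CONF
conf_var() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\([^\"]*\)\"/\1/p"
}

# mirror_conf CONF: print the peer's config. local_* and remote_* swap roles,
# and the initiator ("ike esp") becomes the responder ("ike passive esp") or
# vice versa. The flow lines need no other change because they only use the
# variables, which is why the tutorial writes them that way.
mirror_conf() {
    printf '%s\n' "$1" | sed \
        -e 's/^local_/SWAP_/' -e 's/^remote_/local_/' -e 's/^SWAP_/remote_/' \
        -e 's/^ike esp /ike passive esp /' -e t \
        -e 's/^ike passive esp /ike esp /'
}

# confs_mirror CONF_A CONF_B: succeed if B is exactly the mirror of A
# (line order is ignored, so the variable block may be written in any order)
confs_mirror() {
    [ "$(mirror_conf "$1" | LC_ALL=C sort)" = "$(printf '%s\n' "$2" | LC_ALL=C sort)" ]
}

if confs_mirror "$A_CONF" "$B_CONF"; then
    echo "A and B agree: $(conf_var "$A_CONF" local_network) <-> $(conf_var "$B_CONF" local_network)"
else
    echo "mismatch between A and B" >&2
fi
```

To use it on real files, replace the embedded texts with `"$(cat /etc/ipsec.conf)"` from each gateway; if confs_mirror fails, diff the sorted output of mirror_conf against the other side's file to see which variable or flow line disagrees.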
Adjust /etc/pf.conf on both OpenBSD gateways (I will assume that your PF policy is "block all", so everything the VPN needs must be passed explicitly). The snippet uses macros that you must define yourself: ext_if and int_if are the external and internal interface names, remote_gw is the peer's external address and remote_nets the network behind it (on A: remote_gw="172.16.123.2", remote_nets="192.168.40.0/24"; on B: remote_gw="172.16.123.1", remote_nets="192.168.20.0/24").
# enc0 is in the skip list, so decrypted traffic is not filtered on enc0 and the
# two enc0 rules further down are never evaluated. Keep it this way for the
# tutorial; if you later want to filter on enc0 (e.g. to admit only some remote
# hosts), remove enc0 from the skip list and also pass the gateway-to-gateway
# traffic ($ext_if <-> $remote_gw) on enc0, which the ping test below relies on.
set skip on { lo enc0 }
# VPN
# IKE (udp 500, and udp 4500 with NAT traversal) and ESP between the two gateways
pass in log on $ext_if proto esp from $remote_gw to $ext_if
pass out log on $ext_if proto esp from $ext_if to $remote_gw
pass in log on $ext_if proto udp from $remote_gw to $ext_if port {isakmp, ipsec-nat-t}
pass out log on $ext_if proto udp from $ext_if to $remote_gw port {isakmp, ipsec-nat-t}
# decrypted traffic between the two LANs as seen on enc0 (inner addresses);
# your existing $int_if rules still apply once it leaves enc0
pass in log on enc0 from $remote_nets to $int_if:network keep state (if-bound)
pass out log on enc0 from $int_if:network to $remote_nets keep state (if-bound)
Copy the isakmpd public keys between the two OpenBSD gateways. Each host's key pair (/etc/isakmpd/private/local.key and /etc/isakmpd/local.pub) is generated at first boot; isakmpd authenticates the peer with the key stored under /etc/isakmpd/pubkeys/ipv4/, and the file name must be the peer's IP address exactly as it appears in the ike rules.
On OpenBSD A, copy /etc/isakmpd/local.pub from OpenBSD B into /etc/isakmpd/pubkeys/ipv4/172.16.123.2:
# scp 172.16.123.2:/etc/isakmpd/local.pub /etc/isakmpd/pubkeys/ipv4/172.16.123.2
On OpenBSD B, copy /etc/isakmpd/local.pub from OpenBSD A into /etc/isakmpd/pubkeys/ipv4/172.16.123.1:
# scp 172.16.123.1:/etc/isakmpd/local.pub /etc/isakmpd/pubkeys/ipv4/172.16.123.1
Test your ipsec.conf on both sides. With -n, ipsecctl only parses the file and reports errors; nothing is loaded into the kernel:
# ipsecctl -n -f /etc/ipsec.conf
Now it's time to run the VPN. On both sides execute:
# isakmpd -K ; ipsecctl -f /etc/ipsec.conf
isakmpd must be running first, because ipsecctl hands the ike rules to it; -K disables keynote policy checking, so the peer is authenticated only by the public key copied above. Ideally start the passive side (B) before the active side (A).
Test it. On one side run:
# tcpdump -ni enc0
On the other side run:
# ping 172.16.123.2
Assume that tcpdump is running on side B and the ping was executed on side A: the ICMP echo requests and replies should appear on enc0 of B, which shows they travelled through the tunnel (the gateway-to-gateway flow). If nothing appears, check with ipsecctl -sa that the flows are loaded and that isakmpd has negotiated SAs in both directions.
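When the ping does not show up on enc0, the quickest way to tell a configuration problem from a negotiation problem is to read ipsecctl -sa: flows without SAs means the policy loaded but IKE never completed. The script below is an added example, not part of the tutorial; it classifies the tunnel state from that output. The two samples are constructed in the format ipsecctl prints (a FLOWS: section followed by a SAD: section) using the tutorial's addresses; the SPI values are made up.

```shell
#!/bin/sh
# Added example, not part of the tutorial: classify the state of the tunnel
# from "ipsecctl -sa" output. On a real gateway run
#   ipsecctl -sa | tunnel_status_stdin 172.16.123.2 172.16.123.1
# The two samples below are constructed in the format ipsecctl prints
# (a FLOWS: section followed by a SAD: section), using the tutorial's addresses.

# Everything negotiated: flows in both directions and an SA for each direction.
SAMPLE_UP=$(cat <<'EOF'
FLOWS:
flow esp in from 192.168.40.0/24 to 192.168.20.0/24 peer 172.16.123.2 srcid 172.16.123.1/32 dstid 172.16.123.2/32 type use
flow esp out from 192.168.20.0/24 to 192.168.40.0/24 peer 172.16.123.2 srcid 172.16.123.1/32 dstid 172.16.123.2/32 type require
flow esp in from 172.16.123.2 to 172.16.123.1 peer 172.16.123.2 srcid 172.16.123.1/32 dstid 172.16.123.2/32 type use
flow esp out from 172.16.123.1 to 172.16.123.2 peer 172.16.123.2 srcid 172.16.123.1/32 dstid 172.16.123.2/32 type require

SAD:
esp tunnel from 172.16.123.1 to 172.16.123.2 spi 0x6d1f8a3c auth hmac-sha2-256 enc aes-256
esp tunnel from 172.16.123.2 to 172.16.123.1 spi 0x2b7e4910 auth hmac-sha2-256 enc aes-256
EOF
)

# Flows loaded by "ipsecctl -f" but no SAs: isakmpd has not negotiated, e.g.
# because the peer's public key is missing from /etc/isakmpd/pubkeys/ipv4/ or
# udp 500 is blocked. The ping test then fails even though the config loaded.
SAMPLE_FLOWS_ONLY=$(cat <<'EOF'
FLOWS:
flow esp in from 192.168.40.0/24 to 192.168.20.0/24 peer 172.16.123.2 srcid 172.16.123.1/32 dstid 172.16.123.2/32 type use
flow esp out from 192.168.20.0/24 to 192.168.40.0/24 peer 172.16.123.2 srcid 172.16.123.1/32 dstid 172.16.123.2/32 type require

SAD:
EOF
)

# count_lines TEXT REGEX: number of lines of TEXT matching REGEX (0 when none)
count_lines() {
    printf '%s\n' "$1" | grep -c -E "$2" || true
}

# tunnel_status TEXT PEER_IP LOCAL_IP: print "up", "flows-only" or "down"
tunnel_status() {
    peer=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    lip=$(printf '%s' "$3" | sed 's/\./\\./g')
    fin=$(count_lines "$1" "^flow esp in .* peer $peer ")
    fout=$(count_lines "$1" "^flow esp out .* peer $peer ")
    sain=$(count_lines "$1" "^esp tunnel from $peer to $lip ")
    saout=$(count_lines "$1" "^esp tunnel from $lip to $peer ")
    if [ "$fin" -eq 0 ] || [ "$fout" -eq 0 ]; then
        echo down          # no flows for this peer: ipsecctl -f not run, or wrong peer
    elif [ "$sain" -eq 0 ] || [ "$saout" -eq 0 ]; then
        echo flows-only    # policy is in place but IKE has not produced SAs
    else
        echo up
    fi
}

# tunnel_status_stdin PEER_IP LOCAL_IP: same check on live "ipsecctl -sa" output
tunnel_status_stdin() {
    tunnel_status "$(cat)" "$1" "$2"
}

echo "sample 1: $(tunnel_status "$SAMPLE_UP" 172.16.123.2 172.16.123.1)"          # up
echo "sample 2: $(tunnel_status "$SAMPLE_FLOWS_ONLY" 172.16.123.2 172.16.123.1)"  # flows-only
```

"flows-only" on the active side usually points at the pubkeys/ipv4 file name, the pf rules for udp 500, or a mismatch between the two ipsec.conf files; on the passive side it is normal until the active side has connected.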
Start automatically after reboot.
On side A, add a route to B's network via B (replace yourEXT_IF with the name of the external interface; lines starting with "!" in hostname.if(5) are run as commands at boot):
# echo '!route add -net 192.168.40.0/24 172.16.123.2' >> /etc/hostname.yourEXT_IF
On side B, do the same for A's network:
# echo '!route add -net 192.168.20.0/24 172.16.123.1' >> /etc/hostname.yourEXT_IF
Put this on both sides; rc(8) reads the isakmpd_flags and ipsec variables from /etc/rc.conf.local, starts isakmpd with -K and loads /etc/ipsec.conf at boot:
# echo 'isakmpd_flags="-K"' >> /etc/rc.conf.local
# echo 'ipsec=YES' >> /etc/rc.conf.local
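Appending with ">>" adds the lines again every time the commands are rerun, and duplicate "!route" or rc.conf.local entries are a nuisance to clean up later. The script below is an added example, not part of the tutorial: it writes the same three settings only when they are absent. The ROOT parameter is a hypothetical staging directory so the script can be tried without touching /etc (use / on the real gateway), and em0 is an assumed interface name.

```shell
#!/bin/sh
# Added example, not part of the tutorial: write the boot-time settings from
# the tutorial idempotently. ensure_line appends a line only when that exact
# line is absent, so the script can be rerun safely. ROOT is a hypothetical
# staging directory (use / on the real gateway); em0 is an assumed interface.

# ensure_line FILE LINE: guarantee that FILE contains LINE exactly once or more
ensure_line() {
    if [ -f "$1" ] && grep -Fxq -- "$2" "$1"; then
        return 0                     # already present, nothing to do
    fi
    printf '%s\n' "$2" >> "$1"
}

# setup_boot ROOT EXT_IF REMOTE_NET REMOTE_GW
# side A from the tutorial: setup_boot / em0 192.168.40.0/24 172.16.123.2
# side B from the tutorial: setup_boot / em0 192.168.20.0/24 172.16.123.1
setup_boot() {
    root=$1; ext_if=$2; remote_net=$3; remote_gw=$4
    mkdir -p "$root/etc"
    # static route to the remote LAN via the peer, run by netstart at boot
    ensure_line "$root/etc/hostname.$ext_if" "!route add -net $remote_net $remote_gw"
    # start isakmpd without keynote policy checks, and load /etc/ipsec.conf at boot
    ensure_line "$root/etc/rc.conf.local" 'isakmpd_flags="-K"'
    ensure_line "$root/etc/rc.conf.local" 'ipsec=YES'
}

# line_count FILE LINE: how many times the exact LINE occurs (0 if no file)
line_count() {
    [ -f "$1" ] || { echo 0; return; }
    grep -Fxc -- "$2" "$1" || true
}

# Demonstration in a temporary directory: running setup_boot twice leaves
# exactly one copy of each line.
demo=$(mktemp -d)
setup_boot "$demo" em0 192.168.40.0/24 172.16.123.2
setup_boot "$demo" em0 192.168.40.0/24 172.16.123.2
echo "ipsec=YES occurs $(line_count "$demo/etc/rc.conf.local" 'ipsec=YES') time(s)"   # 1
cat "$demo/etc/hostname.em0"
rm -rf "$demo"
```

After running it for real, reboot and confirm with ipsecctl -sa that the flows and SAs came back on their own.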
Reboot and have fun with your IPsec VPN running under OpenBSD.