On Thu, Oct 21, 2021 at 10:23:51AM +0200, Johann Belau wrote:
> Dear all,
>
> I am in desperate need of assistance for setting up an IKEv2 VPN tunnel to a
> remote LAN with OpenBSD as my VPN gateway.
>
> A short outline of what I'm trying to achieve:
>
> 1. I have a remote private LAN with Windows Servers and one OpenBSD gateway
>    (gateway has a public IP, the rest of the private LAN don't)
> 2. It should be possible to establish an ikev2 VPN tunnel (using iked) to the
>    private LAN from Windows / Mac OS X clients (road warriors)
> 3. After establishing VPN connection to OpenBSD VPN gateway it should be
>    possible to connect to the Windows Servers in private LAN from Win/Mac
>    clients using RDP
> 4. The Windows Servers in the private LAN and the road warriors should be
>    able to send traffic to the internet (using unbound for DNS) and be protected
>    from incoming malicious traffic using some reasonable pf rule sets
>
> I have tried many things and researched a lot of guides and howtos - but so
> far I failed to produce results
The setup you describe above is fairly straightforward. What difficulties
have you had?

Essentially, at the OpenBSD gateway end, you just need to ensure that you
have appropriate keys in /etc/iked/, and a /etc/iked.conf something like:

    ikev2 esp from gateway.vpn.example to client.vpn.example local gateway.public.fqdn peer any dstid expected.remote.client ecdsa384

Where:

  gateway.vpn.example and client.vpn.example are private IP addresses
  assigned by you for the vpn endpoints

  gateway.public.fqdn is the public IP of the gateway, i.e. where the ESP
  packets are sent from

  expected.remote.client is the hostname of the remote client.

Since the clients have dynamic IPs that the gateway doesn't know, you want
to leave the gateway set to passive mode waiting for incoming connections,
and the remote peers to active mode.

Note that at some point between OpenBSD 6.8 and OpenBSD 6.9, transport mode
was broken. I know this first hand, because I was the one who reconfigured
all of our transport mode VPNs to use tunnel mode after the upgrade to
OpenBSD 6.9. I haven't checked to see if it has been fixed since. In your
application you'll almost certainly be using tunnel mode anyway.

Some time ago there was also a bug that prevented the keys which are
generated automatically by /etc/rc at first boot from working correctly.
Generate new ECDSA keys manually with something like:

    # openssl ecparam -genkey -name secp384r1 -out /etc/iked/private/local.key
    # openssl ec -in /etc/iked/private/local.key -pubout -out /etc/iked/local.pub
    # chmod 640 /etc/iked/private/local.key

The above should get you started, with IPsec packets flowing between the
gateway and one client.
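A fuller gateway-side /etc/iked.conf for the road-warrior case discussed above, written as an added example rather than the poster's or the OpenBSD project's own configuration; the 10.0.1.0/24 LAN, the 10.0.2.0/24 client pool, the 203.0.113.1 public address, the 10.0.1.53 resolver and the gw.example.net identity are all placeholders assumed for illustration.

```conf
# /etc/iked.conf on the OpenBSD gateway (constructed example, not the
# poster's configuration; every address and name below is a placeholder).
#
#   10.0.1.0/24    private LAN behind the gateway (the Windows servers)
#   10.0.2.0/24    pool of virtual addresses handed out to road warriors
#   203.0.113.1    the gateway's public address (ESP/IKE endpoint)
#   10.0.1.53      unbound instance the clients should use for DNS
#   gw.example.net identity the gateway presents; must match the
#                  subjectAltName/CN of the certificate in /etc/iked/
#
# "passive": the gateway only answers incoming IKE_SA_INIT, it never
# initiates, because the clients' addresses are dynamic and unknown.
# Tunnel mode is the default, so no "mode" keyword is needed.
# "peer any": accept any source address; authentication, not the
# address, decides whether a client gets in.
# "config address <pool>": iked assigns each client one address from
# the pool, so the "to" side of the flow is the whole pool.
# "config name-server": pushed to the client so RDP hosts resolve.
# "tag ROADW": lets pf match decapsulated client traffic on enc0.

ikev2 "roadwarrior" passive esp \
        from 10.0.1.0/24 to 10.0.2.0/24 \
        local 203.0.113.1 peer any \
        srcid gw.example.net \
        ecdsa384 \
        config address 10.0.2.0/24 \
        config netmask 255.255.255.0 \
        config name-server 10.0.1.53 \
        tag "ROADW"

# To route the clients' Internet traffic through the gateway as well,
# widen the flow to "from 0.0.0.0/0 to 10.0.2.0/24" and add a NAT rule
# for 10.0.2.0/24 on the egress interface in pf.conf.
```

The matching ECDSA private key stays in /etc/iked/private/local.key as generated above, and the per-client public keys go under /etc/iked/pubkeys/ named by the ID type and value the client presents.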