On Mon, Apr 29, 2024 at 01:47:45AM +0200, Odd Martin Baanrud said:
> I’m planning to set up a VPN on my router with iked(8).
> The first goal is to have my Macbook and iPhone connected, both to route the
> traffic through my router at home, and to get access to the services running on
> a machine behind the router.

I've been doing this for the better part of a decade, it works well. I have some information here:

https://www.going-flying.com/blog/protecting-my-macos-and-ios-devices-with-an-openbsd-vpn.html

> In my case, I guess X.509 is the way to go regarding authentication.
> The FAQ tells how to create the necessary stuff, so that’s ok.
> But what kind of domain to use for the file names?

I use my internal network domain names. It doesn't really matter as long as both sides agree and the cert validates to a trusted root.

> Can the created client X.509 bundle be used directly on iPhone and Mac?

I create a profile that installs the CA chain which I use on my macOS and iOS devices. I then create a per-device profile with the specific
VPN configuration for that device, including the IDs and device cert/key
pair.  You may need to export the generated cert and key as a PKCS12
bundle if you are going to do that.

> Regarding PF:
> Now I have a general match rule for NAT, which NAT’s traffic from all NICs.
> Is it enough to do NAT for the VPN traffic, or do I need to implement a
> separate rule for that purpose?

I use a single match rule outbound on the egress interface to enable NAT if the packet is going from my RFC-1918 IP space (including the VPN range) to ! my RFC-1918 IP space.

--Matt

--
Please direct replies to the list.
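As an added illustration of the single NAT rule Matt describes above (this pf.conf fragment is not from the thread; the egress interface group, the 10.99.0.0/24 VPN pool and the table name are assumptions):

```pf
# Constructed example, not from the thread. Interface and ranges are assumed.
vpn_net = "10.99.0.0/24"          # pool iked hands out to the Mac/iPhone clients
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Let IKEv2 and ESP reach iked on the router itself (NAT-T uses udp/4500).
pass in on egress proto udp from any to (egress) port { 500, 4500 }
pass in on egress proto esp from any to (egress)

# Decrypted VPN traffic appears on enc0; bind state to that interface.
pass in  on enc0 from $vpn_net to any      keep state (if-bound)
pass out on enc0 from any      to $vpn_net keep state (if-bound)

# The one NAT rule: translate only when a packet leaves private space
# (LAN or VPN pool, both inside <rfc1918>) for a non-private destination.
# VPN-to-LAN packets are not translated, so internal services see the
# real client address from the pool.
match out on egress inet from <rfc1918> to ! <rfc1918> nat-to (egress)
```

Because the VPN pool falls inside 10.0.0.0/8, no separate rule for VPN clients is needed; run `pfctl -nf /etc/pf.conf` to syntax-check before loading.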
