(:redirect iked/configure:)
Note: this is made for OpenBSD 6.6, it has been not updated for latest version of OpenBSD (which is currently 6.9)
Add this to /etc/iked.conf (replace 192.168.1.1 with your server's public IP address):
user 'username' 'password'
ikev2 'vpn.ircnow.org' passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local 192.168.1.1 peer any \
srcid vpn.ircnow.org \
eap "mschap-v2" \
config address 10.0.5.0/24 \
config name-server 192.168.1.1 \
tag "ROADW"
The 'from' rule allows any user to connect. The name-server provides the name-server that vpn clients will use. So in this example, you must have a valid caching name server running on IP 203.0.113.5. Note that these packets will get tagged as ROADW.
Add this to /etc/pf.conf:
pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED
pass in inet proto esp tag IKED
pass on enc0 inet tagged ROADW
match out on vio inet tagged ROADW nat-to vio0
match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53
To reload the new pf ruleset:
$ doas pfctl -f /etc/pf.conf
At this point, we need to create PKI and X.509 certificates that the vpn client can use to verify the server. From the command line, run:
# ikectl ca vpn create
# ikectl ca vpn install
certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt
CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl
# ikectl ca vpn certificate server1.domain create
# ikectl ca vpn certificate server1.domain install
writing RSA key
# cp /etc/iked/ca/ca.crt /var/www/htdocs/
We will use unbound as the caching DNS resolver. Our servers have static IP addresses so we do not use DHCP (if DHCP is used, you must ignore the provided name servers):
/etc/resolv.conf:
nameserver 127.0.0.1
lookup file bind
/etc/resolv.conf.tail:
lookup file bind
/var/unbound/etc/unbound.conf:
outgoing-interface: 203.0.113.5
access-control: 10.0.0.0/8 allow
...
local-zone: "www.domain.com" static
...
The local-zone lines are only needed if you want to filter/censor domains. You can obtain a list of domains to block using StevenBlack's hosts files. I used the unified hosts + porn + gambling filter to block unwanted content.
$ curl -L -O https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts
We need to reformat this hosts file:
$ awk '!/^ *#/ && NF' hosts > newhosts # taken from stevenblack's list
$ sed 's/0\.0\.0\.0 \([^#]*\).*$/local-zone: "\1" static/' newhosts > newhosts2
$ sed 's/ "/"/' newhosts2 > newhosts3
Manually check for malformed entries, then put this into /var/unbound/etc/unbound.conf.
Does this need to be added to /etc/sysctl.conf:
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
To start iked,
$ doas rcctl enable iked
$ doas rcctl start iked
To turn on debugging, replace the last step with:
$ doas iked -dv
Note: You may consider using blacklists from here:
https://dsi.ut-capitole.fr/blacklists/index_en.php
https://github.com/4skinSkywalker/anti-porn-hosts-file/blob/master/HOSTS.txt
https://mirror1.malwaredomains.com/files/justdomains https://blocklist.site/app/dl/piracy https://blocklist.site/app/dl/torrent https://mirror1.malwaredomains.com/files/justdomains https://github.com/mmotti/pihole-regex/blob/master/regex.list https://blocklist.site/app/dl/porn