Hey all,
Based on the feedback from Daniel and others, I have successfully
connected to my OpenBSD instance running behind my router / firewall
from an iOS and OSX client on the Internet. (Updated instructions
below.)
The one issue that I have is that requests to the local private network
are being lost. My Packet Filter kung fu is a little rusty; the only
entries in the pf.conf at the moment are:
```
pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep state
pass on enc0 from any to any keep state (if-bound)
```
I am not sure what device to 'pass in' on at the end of the l2tp /
ipsec to enable nat'ing and accessing internal network resources.
(There was feedback that `pool-address 10.0.0.1-10.0.0.100` and
`:framed-ip-address=10.0.0.10:` had to be a different network than the
private internal network.)
The router / firewall has a working dhcp server running.
```
ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33144
priority: 0
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet 127.0.0.1 netmask 0xff000000
vio0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 52:54:00:9b:3b:bc
priority: 0
groups: egress
media: Ethernet autoselect
status: active
inet6 fe80::5054:ff:fe9b:3bbc%vio0 prefixlen 64 scopeid 0x1
inet 192.168.2.232 netmask 0xffffff00 broadcast 192.168.2.255
enc0: flags=0<>
priority: 0
groups: enc
status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
priority: 0
groups: pflog
pppx0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1360
description: gturner
priority: 0
groups: pppx
inet 192.168.2.1 --> 10.0.0.97 netmask 0xffffffff
```
Again, any pointers appreciated.
Gord.
VPN OpenBSD L2TP-IPSEC (mostly working-ish)
===========================================
Requirements
-----------
- Using OpenBSD 5.5 as a VPN end point for iOS 7.0 and OSX 10.9
clients.
- Support for iOS, preferably native VPN client
- Support for OSX, preferably native VPN client
- VPN endpoint running on an internal server.
- Forwarding appropriate ports from a router.
Description
-----------
- Use npppd, IPsec and Packet Filter (pf).
- Configuration files `/etc/npppd/npppd.conf`,
`/etc/npppd/npppd-users`, `/etc/ipsec.conf` and `/etc/pf.conf`.
- Reference:
http://www.slideshare.net/GiovanniBechis/npppd-easy-vpn-with-openbsd
http://undeadly.org/cgi?action=article&sid=20120427125048
http://comments.gmane.org/gmane.os.openbsd.misc/209636
http://stackoverflow.com/questions/14967962/openbsd-ipsec-vpn-not-routing-traffic
http://www.packetmischief.ca/openbsd-ipsec-tunnel-guide/
- Claims to have it working, on internet facing machine:
https://www.mail-archive.com/misc@openbsd.org/msg125930.html
- Reference for supported protocols and authentication methods for iOS:
http://support.apple.com/kb/HT1288
npppd Setup
-----------
- npppd is a Point-to-Point Protocol (PPP) and tunneling daemon capable
of L2TP, PPTP, and PPPoE.
- Reference:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/npppd.8?&manpath=OpenBSD-current&sec=8&query=npppd
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/npppd.conf.5?&manpath=OpenBSD-current&sec=5&query=npppd.conf
- NOTE: Private network is 192.168.2.x.
- NOTE: Using local file authentication.
- Example npppd.conf file, `/etc/npppd/npppd.conf`:
```
authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}
tunnel L2TP_ipv4 protocol l2tp {
listen on 0.0.0.0
}
ipcp IPCP {
pool-address 10.0.0.1-10.0.0.100
dns-servers 8.8.8.8
}
interface pppx0 address 192.168.2.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
```
- NOTE: `pool-address` values should be a block of addresses in the same
subnet as the internal network.
- NOTE: `dns-servers 8.8.8.8` is Google's public DNS; local DNS
servers should be used if available.
- Example npppd-users file, `/etc/npppd/npppd-users`:
```
jtest: \
:password=SEEKRIT:\
:framed-ip-address=10.0.0.10:
```
- NOTE: Replace `SEEKRIT` with your password.
- NOTE: The `framed-ip-address` value should be in the `pool-address`
block from `/etc/npppd/npppd.conf`.
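The two NOTEs above describe a consistency check that is easy to automate before restarting npppd. The following Python script is an added example, not code from the original post: it parses the `pool-address` ranges out of an `npppd.conf`, folds the termcap-style `npppd-users` records, and reports whether each static `framed-ip-address` falls inside a pool. The file contents below are constructed to mirror the guide, with a second user whose address is deliberately outside the pool; the accepted `pool-address` grammar (single address, `a-b` range, CIDR block, optional `for static` trailer) is assumed from npppd.conf(5).

```python
"""Cross-check npppd.conf pool-address ranges against npppd-users.

Added example; the sample file contents below are constructed.
"""
import ipaddress
import re

# Constructed npppd.conf mirroring the guide's example.
NPPPD_CONF = """\
authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}
tunnel L2TP_ipv4 protocol l2tp {
    listen on 0.0.0.0
}
ipcp IPCP {
    pool-address 10.0.0.1-10.0.0.100
    dns-servers 8.8.8.8
}
interface pppx0 address 192.168.2.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
"""

# Constructed npppd-users: the guide's entry plus a second user whose
# static address is deliberately outside the pool.
NPPPD_USERS = """\
jtest: \\
    :password=SEEKRIT:\\
    :framed-ip-address=10.0.0.10:
outside: \\
    :password=SEEKRIT:\\
    :framed-ip-address=10.0.1.5:
"""

POOL_LINE = re.compile(r"^\s*pool-address\s+(.+?)\s*$", re.M)


def parse_pools(conf):
    """Return [(first, last), ...] IPv4Address pairs from every pool-address line.

    Assumed grammar (npppd.conf(5)): one or more of a single address,
    an 'a-b' range or a CIDR block, optionally followed by 'for static'.
    """
    pools = []
    for m in POOL_LINE.finditer(conf):
        tokens = m.group(1).split()
        if tokens[-2:] == ["for", "static"]:
            tokens = tokens[:-2]
        for tok in tokens:
            if "/" in tok:
                net = ipaddress.IPv4Network(tok, strict=False)
                pools.append((net[0], net[-1]))
            elif "-" in tok:
                lo, hi = tok.split("-", 1)
                pools.append((ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)))
            else:
                one = ipaddress.IPv4Address(tok)
                pools.append((one, one))
    return pools


def parse_users(text):
    """Parse the termcap-style users file into {name: {attribute: value}}."""
    # Fold backslash-continued lines into one logical record per user.
    folded = re.sub(r"\\\s*\n\s*", "", text)
    users = {}
    for line in folded.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":") if f.strip()]
        name, attrs = fields[0], {}
        for field in fields[1:]:
            key, _, value = field.partition("=")
            attrs[key] = value
        users[name] = attrs
    return users


def check_framed_addresses(conf, users_text):
    """Map each user to True/False (static address inside/outside a pool),
    or None when no framed-ip-address is set and npppd assigns dynamically."""
    pools = parse_pools(conf)
    verdict = {}
    for name, attrs in parse_users(users_text).items():
        addr = attrs.get("framed-ip-address")
        if addr is None:
            verdict[name] = None
            continue
        ip = ipaddress.IPv4Address(addr)
        verdict[name] = any(lo <= ip <= hi for lo, hi in pools)
    return verdict


if __name__ == "__main__":
    for user, ok in check_framed_addresses(NPPPD_CONF, NPPPD_USERS).items():
        state = {True: "in pool", False: "OUTSIDE pool", None: "dynamic"}[ok]
        print(f"{user}: {state}")
```

Point the two constants at the real files (or read them with `open()`) and any user reported as `OUTSIDE pool` will be handed an address that the `ipcp` section never hands out, which is exactly the mismatch the NOTE warns about.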
IPsec Setup
-----------
- IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and
Authentication Header (AH), which provide security services for IP
datagrams.
- Reference:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/ipsec.4?&manpath=OpenBSD-current&query=ipsec
- NOTE: Private network is 192.168.2.x.
- Example ipsec.conf file, `/etc/ipsec.conf`:
```
public_ip = "192.168.2.2"
ike passive esp transport \
proto udp from $public_ip to any port 1701 \
main auth "hmac-sha1" enc "aes" group modp1024 \
quick auth "hmac-sha1" enc "aes" \
psk "SEEKRIT"
```
- NOTE: Replace `192.168.2.2` with the IP of the server.
- NOTE: Replace SEEKRIT with your password.
Packet Filter Setup
-------------------
- Packet Filter is OpenBSD's system for filtering TCP/IP traffic and
doing Network Address Translation.
- Reference:
http://www.openbsd.org/faq/pf/
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/pf.4?&manpath=OpenBSD-current&arch=amd64&query=pf
- Example pf.conf file, `/etc/pf.conf`:
```
pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep state
pass on enc0 from any to any keep state (if-bound)
```
sysctl Changes
--------------
- Make changes to `/etc/sysctl.conf` and reboot
```
...
# CHANGED
net.inet.ip.forwarding=1
...
# CHANGED
net.pipex.enable=1
...
```
```
sudo reboot
```
Start ipsec and isakmpd at Boot
-------------------------------
- Add the following to /etc/rc.conf.local to start isakmpd at boot:
```
isakmpd_flags="-K"
ipsec=YES
npppd_flags=""
```
- Reboot and test.
NAT and Port Forwarding
-----------------------
- If the VPN end point is behind a NATed firewall the following ports
must be forwarded:
- UDP 500 - Internet Key Exchange (IKE)
- UDP 1701 - L2TP traffic
- UDP 4500 - IPSec Network Address Translation (NAT-T)
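The three ports above are also the ones the `pf.conf` in the Packet Filter section must pass inbound, so a small pre-flight check can catch a missing or mangled rule before `pfctl -f` does. The following Python script is an added example, not code from the original post: it joins backslash-continued lines into logical pf rules, collects the UDP destination ports covered by `pass in ... proto udp` rules, and reports any of the three required ports left uncovered. It also flags lines that begin with an in-rule keyword such as `keep state`, which is what a rule looks like after a mail client has wrapped it and which pfctl rejects. Both `pf.conf` texts are constructed; port parsing handles plain numbers, `lo:hi` ranges and brace lists, but not service names.

```python
"""Pre-flight check of a pf.conf for the UDP ports L2TP/IPsec needs.

Added example; the pf.conf texts below are constructed. The second copy
reproduces a rule wrapped onto two lines, which pfctl would not accept.
"""
import re

# UDP ports the guide says must reach the endpoint: IKE, L2TP, NAT-T.
REQUIRED_UDP_PORTS = {500, 1701, 4500}

PF_CONF = """\
pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep state
pass on enc0 from any to any keep state (if-bound)
"""

PF_CONF_WRAPPED = """\
pass in quick on egress proto udp from any to any port {500, 4500}
keep state
"""

# Keywords that appear inside a rule, never at the start of one. A line
# that begins with one of these is almost certainly a wrapped rule.
STRAY_STARTS = {"keep", "modulate", "synproxy", "flags", "tag", "tagged",
                "rtable", "nat-to", "rdr-to", "received-on", "label"}


def rule_lines(conf):
    """Return logical rules: join backslash continuations, drop blanks/comments."""
    joined = re.sub(r"\\\s*\n\s*", " ", conf)
    rules = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(line)
    return rules


def ports_in_spec(spec):
    """Expand a pf port spec: a single number, a 'lo:hi' range, or a brace list."""
    ports = set()
    for tok in re.split(r"[\s,]+", spec.strip("{} ")):
        if not tok:
            continue
        if ":" in tok:
            lo, hi = tok.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif tok.isdigit():
            ports.add(int(tok))
        # Service names (e.g. isakmp) would need /etc/services; left unresolved.
    return ports


def udp_pass_in_ports(conf):
    """UDP destination ports passed inbound by 'pass in ... proto udp' rules."""
    ports = set()
    for rule in rule_lines(conf):
        if not re.match(r"pass\s+in\b", rule):
            continue
        if not re.search(r"\bproto\s+udp\b", rule):
            continue
        m = re.search(r"\bport\s+(\{[^}]*\}|\S+)", rule)
        if m:
            ports |= ports_in_spec(m.group(1))
    return ports


def missing_udp_ports(conf):
    """Required ports that no inbound UDP pass rule covers."""
    return REQUIRED_UDP_PORTS - udp_pass_in_ports(conf)


def stray_option_lines(conf):
    """Lines starting with an in-rule keyword: the signature of a wrapped rule."""
    return [r for r in rule_lines(conf) if r.split()[0] in STRAY_STARTS]


if __name__ == "__main__":
    for name, text in (("guide", PF_CONF), ("wrapped", PF_CONF_WRAPPED)):
        print(name, "missing:", sorted(missing_udp_ports(text)),
              "stray:", stray_option_lines(text))
```

Run against the guide's rules the check reports nothing missing and no stray lines; against the wrapped copy it reports 1701 as uncovered and `keep state` as a stray line. The same check can be pointed at the router's forwarding list if that is kept as text, since the required set is the one this section enumerates.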
Monitoring
----------
- To monitor npppd vpn sessions use npppctl:
```
npppctl session all
```
- Reference:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/npppctl.8?&manpath=OpenBSD-current&sec=8&query=npppctl
- To monitor ipsec use ipsecctl:
```
sudo ipsecctl -s all
```