On 2014-07-23 20:30, Gordon Turner wrote:
Hey all,
Based on the feedback from Daniel and others, I have successfully
connected to my OpenBSD instance running behind my router / firewall
from an iOS and OSX client on the Internet. (Updated instructions
below.)
The one issue that I have is that requests to the local private
network are being lost. My Packet Filter kung fu is a little rusty;
the only entries in the pf.conf at the moment are:
Looking for some help with finishing this last piece, I am no longer
sure if it is a pf issue, it might be a default route problem.
From a client connecting successfully, I can ping the 10.0.0.1 end point
on the OpenBSD box.
But any attempt to reach the 192.168.2.0/24 network fails.
The routing table looks like:
```
$ netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.2.1        UGS        3       99     -     8 vio0
10.0.0.89          10.0.0.1           UH         0        0     -     4 pppx0
127/8              127.0.0.1          UGRS       0        0 33144     8 lo0
127.0.0.1          127.0.0.1          UH         1        0 33144     4 lo0
192.168.2/24       link#1             UC         2        0     -     4 vio0
192.168.2.1        00:25:9c:28:2d:4b  UHLc       1      159     -     4 vio0
192.168.2.140      7c:d1:c3:e9:68:e9  UHLc       1      228     -     4 vio0
224/4              127.0.0.1          URS        0        0 33144     8 lo0
```
What route should I be adding, if any, to successfully reach the
192.168.2.0/24 network (and the Internet?) from the VPN client?
Thanks!
Gord.
Current configuration details, slightly updated
--
VPN OpenBSD L2TP-IPSEC
======================
Description
-----------
- Using OpenBSD 5.5 as a VPN end point for iOS 7.0 and OSX 10.9
clients.
- Support for iOS, preferably native VPN client
- Support for OSX, preferably native VPN client
- VPN endpoint running on an internal server.
- Forwarding appropriate ports from a router.
- Use npppd, IPsec and Packet Filter (pf).
NAT and Port Forwarding
-----------------------
- The VPN end point is behind a NATed firewall and the following ports
are forwarded:
UDP 500 - Internet Key Exchange (IKE)
UDP 1701 - L2TP traffic
UDP 4500 - IPSec Network Address Translation (NAT-T)
npppd Setup
-----------
- npppd is a Point-to-Point Protocol (PPP) and tunneling daemon capable
of L2TP, PPTP, and PPPoE.
- Reference:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/npppd.8
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/npppd.conf.5
- NOTE:
Private network is 192.168.2.0/24 (192.168.2.0-192.168.2.254)
DNS server / router / firewall is 192.168.2.1
VPN network is 10.0.0.0/24 (10.0.0.2-10.0.0.254)
VPN network gateway to private network is 10.0.0.1
Using local file authentication
- Example npppd.conf file, `/etc/npppd/npppd.conf`:
```
authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}
tunnel L2TP_ipv4 protocol l2tp {
    listen on 0.0.0.0
}
ipcp IPCP {
    pool-address 10.0.0.2-10.0.0.254
    #dns-servers 8.8.8.8
    dns-servers 192.168.2.1
}
interface pppx0 address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
```
- NOTE:
The `pool-address` values should be a block of addresses in a
different subnet of the internal network.
The `dns-servers 8.8.8.8` is Google's public DNS; local DNS
servers should be used if available.
- Example npppd-users file, `/etc/npppd/npppd-users`:
```
jtest: \
	:password=SEEKRIT: \
	:framed-ip-address=10.0.0.100:
```
- NOTE:
Replace `SEEKRIT` with your password.
The `framed-ip-address` value, if used, should be in the
`pool-address` block from `/etc/npppd/npppd.conf`.
IPsec Setup
-----------
- IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and
Authentication Header (AH), which provide security services for IP
datagrams.
- Reference:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/ipsec.4
- Example ipsec.conf file, `/etc/ipsec.conf`:
```
public_ip = "XXX.XXX.XXX.XXX"

ike passive esp transport \
    proto udp from $public_ip to any port 1701 \
    main auth "hmac-sha1" enc "aes" group modp1024 \
    quick auth "hmac-sha1" enc "aes" \
    psk "SEEKRIT"
```
- NOTE:
Replace XXX.XXX.XXX.XXX with the external public IP on the Internet.
Replace SEEKRIT with your password.
Packet Filter Setup
-------------------
- Packet Filter is OpenBSD's system for filtering TCP/IP traffic and
doing Network Address Translation.
- Reference:
http://www.openbsd.org/faq/pf/
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/pf.4
- Example pf.conf file, `/etc/pf.conf`:
```
set skip on pppx0
pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any port { 500, 4500, 1701 } keep state
pass on enc0 from any to any keep state (if-bound)
```
sysctl Changes
--------------
- Make changes to `/etc/sysctl.conf` and reboot
```
...
# CHANGED
net.inet.ip.forwarding=1
...
# CHANGED
net.pipex.enable=1
...
```
```
sudo reboot
```
Start ipsec and isakmpd at Boot
-------------------------------
- Add the following to /etc/rc.conf.local to start isakmpd at boot:
```
isakmpd_flags="-K"
ipsec=YES
npppd_flags=""
```
- Reboot and test.
Monitoring
----------
- Show the pppx0 interface status:
```
sudo ifconfig pppx0
```
- To monitor pflog0 interface:
```
sudo tcpdump -ni pflog0
```
- To monitor enc0 interface:
```
sudo tcpdump -ni enc0
```
- To monitor npppd vpn sessions use npppctl:
```
npppctl session all
```
- To monitor ipsec use ipsecctl:
```
sudo ipsecctl -s all
```
- View sysctl settings:
```
sysctl | grep net.inet.ip.forwarding
sysctl | grep net.pipex.enable
```
References OpenBSD
------------------
https://www.mail-archive.com/misc@openbsd.org/msg127171.html
http://www.slideshare.net/GiovanniBechis/npppd-easy-vpn-with-openbsd
http://undeadly.org/cgi?action=article&sid=20120427125048
http://comments.gmane.org/gmane.os.openbsd.misc/209636
http://stackoverflow.com/questions/14967962/openbsd-ipsec-vpn-not-routing-traffic
http://www.packetmischief.ca/openbsd-ipsec-tunnel-guide/
https://www.mail-archive.com/misc@openbsd.org/msg125930.html
References iOS
--------------
http://support.apple.com/kb/HT1288
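An added example, not part of Gordon's message or of any OpenBSD documentation: the pf.conf above extended so that traffic forwarded from the 10.0.0.0/24 VPN pool is source-NATed onto the LAN interface. The reason this matters for the symptom described (ping to 10.0.0.1 works, anything on 192.168.2.0/24 does not) is the return path: a LAN host or the router at 192.168.2.1 that receives a packet from 10.0.0.x has no route back to 10.0.0.0/24 and sends its reply to its own default gateway, so the reply never reaches pppx0. With NAT the LAN only ever sees the OpenBSD box's own vio0 address, and Internet-bound traffic reaches 192.168.2.1 the same way. It assumes vio0 is the LAN-facing interface (as the routing table shows) and that `net.inet.ip.forwarding=1` is already set.

```pf
# Added example pf.conf: original rules plus source NAT for VPN clients.
# Assumptions: vio0 is the LAN interface, 10.0.0.0/24 is the npppd pool.
vpn_net = "10.0.0.0/24"
lan_if  = "vio0"

# Original rules from the post
set skip on pppx0
pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any port { 500, 4500, 1701 } keep state
pass on enc0 from any to any keep state (if-bound)

# Rewrite the source of forwarded VPN traffic to vio0's address so LAN
# hosts and the router reply to this box instead of to an unknown subnet.
# (vio0) in parentheses tracks the interface address if it changes.
match out on $lan_if from $vpn_net to any nat-to ($lan_if)
pass out on $lan_if from $vpn_net to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then `pfctl -s rules` should list the `match` rule. To confirm the translation is happening, run `tcpdump -ni vio0 net 10.0.0.0/24` while pinging a LAN host from the client: if packets with a 10.0.0.x source still appear on vio0, the match rule is not applying. The alternative that keeps LAN hosts seeing real VPN addresses is a static route on the router 192.168.2.1 for 10.0.0.0/24 via the OpenBSD box's vio0 address (not shown in the post; use whatever `ifconfig vio0` reports), in which case the `match`/`pass out` lines are not needed.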