Hello, I have a semi-working vpn from Windows 10 client to OpenBSD 6.4 running iked using machine certificates authentication method.
When I connect to the VPN, I can ping from Win 10 to the IP address of enc0 on the other side (10.1.0.2). Unbound is listening on that IP address, and DNS queries from my Windows 10 machine get to unbound and work correctly. Unfortunately, regular web browsing from the Windows 10 PC does not work. It appears the VPN or else my pf rules are not directing the traffic back out of the egress interface, but I can't figure out why. Likewise, if I start a ping to a public IP address while the VPN is running, the ping doesn't work. I do have net.inet.ip.forwarding=1 enabled in /etc/sysctl.conf. If I do the same ping without the VPN, it works fine.

I have tried a few things, as I'm having trouble understanding basic VPN concepts, and therefore I can't seem to understand what might be the cause of the problem:

1. Put a line "from 0.0.0.0/0 to 10.2.0.0/24" into the configuration.
2. Remove the "configure address 10.2.0.1/24" line.
3. Various incarnations with/without srcid or "local <server ip> peer any".
4. Turning off Windows firewall.
5. Trying to pass more and more traffic through pf.
6. Rearranging the match out...nat-to lines at the bottom of pf.conf.

My iked.conf and pf.conf configurations are down below. Also some info about the VPN CA and certificates: the server cert CN is the server IP. It's also named the server IP. The Windows 10 cert is just named desktop-xxxx and the CN is the same. The CA cert is in the machine store Trusted Auth. The desktop-xxxx cert is in the machine store Personal.

Is there anything obviously wrong in the configuration? Can anyone point me in the direction of the mistake? Any help would be greatly appreciated. Thanks in advance.

V/r,
Bryan

# $OpenBSD: iked.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
#
# See iked.conf(5) for syntax and examples.

ikev2 "win10" passive esp \
	from 10.1.0.0/24 to 10.2.0.0/24 \
	local any peer any \
	srcid ...OMITTED... \
	config address 10.2.0.1/24 \
	config name-server 10.1.0.2 \
	tag "$name-$id"

# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

ssh_nets="{ ...OMITTED... }"

set skip on { lo0, enc0 }
set limit table-entries 400000

# rules for spamd(8)
table <spamd-white> persist
table <common_white> persist file "/etc/mail/common_domains_white"
table <nospamd> persist file "/etc/mail/nospamd"
table <bgp-spamd-bypass> persist

block drop log all
antispoof for egress

match in all scrub (no-df max-mss 1440)

pass quick inet proto icmp icmp-type { echoreq, unreach }
pass in on egress inet proto tcp from $ssh_nets to egress:0 port 22
pass in on egress inet proto udp from any to egress:0 port 53
pass in on egress inet proto tcp from any to egress:0 \
	port { 53 80 443 }
pass in on egress inet proto tcp from $ssh_nets to egress:0 \
	port { 465 587 993 }
pass in on egress proto { ah, esp } from any to any
pass in on egress proto udp from any to any port { 500, 4500 }
pass in on egress inet proto tcp from any to any port smtp \
	rdr-to lo0 port spamd
pass in on egress inet proto tcp from <nospamd> to any port smtp \
	rdr-to lo0 port smtp
pass in log on egress inet proto tcp from <spamd-white> to any \
	port smtp rdr-to lo0 port smtp
pass in log on egress inet proto tcp from <common_white> to any \
	port smtp rdr-to lo0 port smtp
pass in log quick on egress inet proto tcp from <bgp-spamd-bypass> \
	to any port smtp rdr-to lo0 port smtp
pass on { vether tap }
pass out all

match out on egress inet from vether0:network nat-to (egress)
match out on egress inet from enc0:network nat-to (egress)
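As an added illustration (not part of Bryan's post or of any OpenBSD example), here is how the two pieces that decide whether client traffic reaches the Internet fit together: the iked "from/to" selector is the IPsec flow, so a flow limited to 10.1.0.0/24 only carries LAN traffic into the SA, and pf's "enc0:network" expands to the subnet of whatever address enc0 itself carries (10.1.0.x here), never to the 10.2.0.0/24 pool handed to the client. It assumes the names and addresses from the post (egress, enc0 at 10.1.0.2, client pool 10.2.0.0/24) and uses a placeholder for the omitted srcid.

```conf
# iked.conf (added example): a flow covering every destination for the
# client pool, so Internet-bound packets from 10.2.0.x are also carried
# in the SA instead of matching no flow at all.
ikev2 "win10" passive esp \
	from 0.0.0.0/0 to 10.2.0.0/24 \
	local any peer any \
	srcid <server-id-placeholder> \
	config address 10.2.0.1/24 \
	config name-server 10.1.0.2 \
	tag "$name-$id"

# pf.conf (added example): translate the client pool explicitly.
# "enc0:network" resolves to the network of enc0's own address
# (10.1.0.x), so a source of 10.2.0.x never matched the nat-to rule and
# its replies could not find their way back.
match out on egress inet from 10.2.0.0/24 nat-to (egress)
```

After reloading, `ipsecctl -sa` should list a flow between 0.0.0.0/0 and 10.2.0.0/24, and `pfctl -ss` should show the translated state while the client pings a public address.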