Hi,

I'm trying to set up a pair of OpenBSD machines to handle their respective home networks and create an IKEv2 VPN tunnel between them. If I call one side _home_ and one side _remote_ I think that defines things. The main function of the tunnel is to allow stuff on the _remote_ network to access services in the _home_ network. As a second function, I want a handful of hosts in the _remote_ network to consume the internet via the _home_ network's ISP. My `iked.conf` files look like this:

```
## Home: (responder)

home_network="192.168.1.0/24"
remote_network="192.168.2.0/24"

ikev2 passive esp \
    from any to dynamic \
    from $home_network to $remote_network \
    ...
    config address 192.168.128.16/32 \
    config access-server 192.168.128.1


## ## Remote: (Initiator)
## ikev2 passive esp \
##     from dynamic to any \
##     from $remote_network to $home_network \
##     ...
##     request address any \
##     iface enc0
```

I've shown both configs here. The _remote_ config is commented out. The other side's `iked.conf` is vice-versa.

This gets the tunnel up and running. All works as I expect it to, and when I do this:

```
# traceroute -s 192.168.128.16 8.8.8.8
...
```
    
The traceroute goes over the VPN tunnel first, as I expect it to. I figured, **incorrectly**, that at this point it would be just a matter of some _pf_ magic to get a host on the remote side NATted to the tunnel address such that its packets would traverse the tunnel and then shuffle off to their designed destination. I've tried this:

```
## pf.conf

ext_if=em0
vpn_if=enc0

match out on $ext_if from !($ext_if) to any tag "USE-PLAIN-NAT"
match out on $vpn_if from <full-vpn> to any tag "USE-FULL-VPN"

match out on $ext_if tagged "USE-PLAIN-NAT" nat-to ($ext_if)

...

match out on $vpn_if tagged "USE-FULL-VPN" nat-to ($vpn_if)
```

But I get no joy. At best, the packets which should be tagged "USE-FULL-VPN" get NATted and emitted out of my "$ext_if". I'm clearly missing something.

I'm referencing these links on the web:

* https://www.openbsd.org/faq/faq17.html
* https://man.openbsd.org/iked.conf

as my go-tos, but I'm clearly missing something which may be really obvious. As an aside, in a VPN situation like this, how does the kernel make decisions about where the packets pass through?


Thanks!

-- 
Chris

      __o          "All I was trying to do was get home from work."
    _`\<,_           -Rosa Parks
___(*)/_(*)____.___o____..___..o...________ooO..._____________________
Christopher Sean Hilton                    [chris/at/vindaloo/dot/com]