Hi Christopher
I have something similar working with a route based VPN.
A little bit of PF magic seems necessary also.
Route based VPN uses sec interfaces as VPN endpoints.
The endpoints are part of a /30 subnet.
Once the VPN tunnel between the sec endpoints is established, sending traffic across the VPN is as easy as adding appropriate routes.
Note that I use PKI for encrypting endpoints. PSK should work also.
The iked.conf currently requires 'from any to any' for this to work. Regardless of this setting only routed traffic flows through the tunnel.
Home:

/etc/hostname.sec0
```
inet 169.254.64.93 255.255.255.252 169.254.64.94
up
!route add 10.0.95.254 169.254.64.94
```

/etc/iked.conf
```
ikev2 active esp \
    from any to any \
    peer <peer address> \
    srcid home.example.com \
    dstid remote.example.com \
    rsa \
    iface sec0
```
Remote:

/etc/hostname.sec0
```
inet 169.254.64.94 255.255.255.252 169.254.64.93
up
!route add 10.1.0.254 169.254.64.93
```

```
ikev2 passive esp \
    from any to any \
    peer any \
    srcid remote.example.com \
    dstid home.example.com \
    rsa \
    iface sec0
```
To allow a device on the home network to use the remote gateway, I use PF on the home gateway.
```
pass in quick on $int_if inet from 10.1.9.200 to any flags S/SA keep state (pflow) route-to 169.254.64.94
```
Remember to have a return route and/or firewall rule on the remote gateway, e.g.
```
route add 10.1.9.200 169.254.64.93
```
I hope this helps, and is correct :).
Kind regards
Joe
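The reply above hinges on two details that are easy to get wrong by hand: the two sec(4) endpoints must be the two usable host addresses of a single /30 (not the network or broadcast address), and each side needs a matching `!route add` plus, for the route-to trick, a return route on the far gateway. The script below is an added example, not part of the thread or of OpenBSD; it checks a candidate endpoint pair and generates the corresponding `hostname.sec0` and PF fragments from the addresses used above. The interface name `sec0`, the `$int_if` macro and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added helper (not from the thread or from OpenBSD): sanity-check a sec(4)
# point-to-point pair and emit matching hostname.sec0 / route / PF fragments.
# Assumed for illustration: the tunnel interface is sec0 and the link net is a /30.

# octets IP: print the four octets separated by spaces; fail on malformed input.
octets() {
    echo "$1" | awk -F. 'NF==4 {
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
        print $1, $2, $3, $4; exit 0 } { exit 1 }'
}

# check_p2p_pair LOCAL REMOTE
# Succeeds only if LOCAL and REMOTE are the two host addresses of one /30.
# A /30 block starts at a multiple of 4 in the last octet: .0 is the network,
# .3 is broadcast, .1 and .2 are the only usable sec endpoints.
check_p2p_pair() {
    l=$(octets "$1") || return 1
    r=$(octets "$2") || return 1
    set -- $l $r
    [ "$1.$2.$3" = "$5.$6.$7" ] || return 1        # same first three octets
    net=$(( $4 - $4 % 4 ))                          # start of LOCAL's /30 block
    [ $(( $8 - $8 % 4 )) -eq "$net" ] || return 1  # REMOTE in the same block
    [ "$4" -ne "$8" ] || return 1                   # distinct endpoints
    case "$4" in $((net + 1))|$((net + 2))) ;; *) return 1 ;; esac
    case "$8" in $((net + 1))|$((net + 2))) ;; *) return 1 ;; esac
}

# gen_hostname_sec LOCAL REMOTE ROUTED_HOST
# Emit /etc/hostname.sec0 for one side: the /30 link address, bring the
# interface up, and route ROUTED_HOST via the far endpoint, as in the reply.
gen_hostname_sec() {
    check_p2p_pair "$1" "$2" || return 1
    printf 'inet %s 255.255.255.252 %s\nup\n!route add %s %s\n' "$1" "$2" "$3" "$2"
}

# gen_pf_route_to INT_IF HOST FAR_SEC NEAR_SEC
# Emit the PF rule that sends one LAN host into the tunnel via route-to
# (the reply's rule without the optional pflow state option), followed by a
# comment naming the return route the far gateway must carry for that host.
gen_pf_route_to() {
    printf 'pass in quick on %s inet from %s to any flags S/SA keep state route-to %s\n' "$1" "$2" "$3"
    printf '# on the far gateway: route add %s %s\n' "$2" "$4"
}

# Demo with the addresses from the thread (run as: sh sec_pair.sh).
if check_p2p_pair 169.254.64.93 169.254.64.94; then echo "endpoint pair OK"; fi
gen_hostname_sec 169.254.64.93 169.254.64.94 10.0.95.254
gen_pf_route_to '$int_if' 10.1.9.200 169.254.64.94 169.254.64.93
```

The check rejects pairs that differ only in using the block's network or broadcast address, which is the typical cause of a sec(4) link that comes up but never passes traffic. The generated PF rule deliberately omits the `(pflow)` state option shown in the reply; add it back only if pflow(4) is configured.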
On 13/12/2024 11:01 am, Christopher Sean Hilton wrote:
Hi,
I'm trying to set up a pair of OpenBSD machines to handle their respective home networks and create an IKEv2 VPN tunnel between them. If I call one side _home_ and one side _remote_ I think that defines things. The main function of the tunnel is to allow stuff on the _remote_ network to access services in the _home_ network. As a second function, I want a handful of hosts in the _remote_ network to consume the internet via the _home_ network's ISP. My `iked.conf` files look like this:
```
## Home: (responder)
home_network="192.168.1.0/24"
remote_network="192.168.2.0/24"
ikev2 passive esp \
from any to dynamic \
from $home_network to $remote_network \
...
config address 192.168.128.16/32 \
config access-server 192.168.128.1
## ## Remote: (Initiator)
## ikev2 passive esp \
## from dynamic to any\
## from $remote_network to $home_network \
## ...
## request address any \
## iface enc0
```
I've shown both configs here. The _remote_ config is commented out. The other side's `iked.conf` is vice-versa.
This gets the tunnel up and running. All works as I expect it to and when I do this:
```
# traceroute -s 192.168.128.16 8.8.8.8
...
```
The traceroute goes over the VPN tunnel first as I expect it to. I figured, **incorrectly**, that at this point it would be just a matter of some _pf_ magic to get a host on the remote side NATted to the tunnel address such that its packets would traverse the tunnel and then shuffle off to their designed destination. I've tried this:
```
## pf.conf
ext_if=em0
vpn_if=enc0
match out on $ext_if from !($ext_if) to any tag "USE-PLAIN-NAT"
match out on $vpn_if from <full-vpn> to any tag "USE-FULL-VPN"
match out on $ext_if tagged "USE-PLAIN-NAT" nat-to ($ext_if)
...
match out on $vpn_if tagged "USE-FULL-VPN" nat-to ($vpn_if)
```
But I get no joy. At best, the packets which should be tagged "USE-FULL-VPN" get natted and emitted out of my "$ext_if". I'm clearly missing something.
I'm referencing these links on the web:
* https://www.openbsd.org/faq/faq17.html
* https://man.openbsd.org/iked.conf
as my go-tos, but I'm clearly missing something which may be really obvious. As an aside, in a VPN situation like this, how does the kernel make decisions about where the packets pass through?
Thanks!