Configure

IKED

OpenIKED is a free implementation of the IKEv2 protocol that lets us create VPNs on OpenBSD. OpenIKED is developed as part of the OpenBSD project and ships with the base system, so there is nothing to install.

OpenIKED focuses mainly on being:

  • Lean
  • Clean
  • Secure
  • Interoperable
  • Configurable

Now we'll set up the VPN, both on the server side and on the client side.

SETTING UP IKED - (SERVER-SIDE)

First we need to add some rules to our pf ruleset so that the IKE (isakmp, ipsec-nat-t) and ESP packets used by iked are allowed in. Add the lines below to /etc/pf.conf and make sure that $ext_if matches your external interface. If you don't know which interface that is, run the command ifconfig in your terminal and look at the interfaces listed: your $ext_if is the one that has a public IP address, for example vio0.

Add the following lines to the file /etc/pf.conf:

pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED
pass in inet proto esp tag IKED
pass on enc0 inet tagged ROADW
match out on $ext_if inet tagged ROADW nat-to $ext_if
match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53

Then, to load the updated ruleset and apply the changes, reload pf with the following command:

$ doas pfctl -f /etc/pf.conf

At this point we need to create a PKI and the X.509 certificates that the VPN client will use to verify the server. Replace server1.domain below with your own host name. From the command line, run:

$ doas ikectl ca vpn create
$ doas ikectl ca vpn install
certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt
CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl
$ doas ikectl ca vpn certificate server1.domain create
$ doas ikectl ca vpn certificate server1.domain install
writing RSA key

The file we need to export to the clients is /etc/iked/ca/ca.crt. We can copy it from our server to our local computer with scp (or with some other application on your phone). There is no need to install scp; it is already present and uses the same credentials as ssh. Run the following command:

$ scp <user>@<user>.coconut.ircnow.org:/etc/iked/ca/ca.crt .

Make sure to enable IP forwarding. Why? If you don't enable this kernel feature, your server will not act as a router; in other words, it cannot forward packets to their destination. Your packets will reach the server, but they will be stuck there with no way out.

# /etc/sysctl.conf is root-owned, so the redirect has to run as root
$ doas sh -c "echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf"
$ doas sh -c "echo net.inet6.ip6.forwarding=1 >> /etc/sysctl.conf"
$ doas sh -c "echo net.inet.ipcomp.enable=1 >> /etc/sysctl.conf"
$ doas sh -c "echo net.inet.esp.enable=1 >> /etc/sysctl.conf"
$ doas sh -c "echo net.inet.ah.enable=1 >> /etc/sysctl.conf"
# apply the settings now; /etc/sysctl.conf is only read at boot
$ doas sysctl net.inet.ip.forwarding=1
$ doas sysctl net.inet6.ip6.forwarding=1
$ doas sysctl net.inet.ipcomp.enable=1
$ doas sysctl net.inet.esp.enable=1
$ doas sysctl net.inet.ah.enable=1


We will use unbound as the caching DNS resolver. Our servers have static IP addresses, so we do not use DHCP (if DHCP is used, you must ignore the name servers it provides):
/etc/resolv.conf:

nameserver 127.0.0.1
lookup file bind

/etc/resolv.conf.tail:

lookup file bind

/var/unbound/etc/unbound.conf:

outgoing-interface: 203.0.113.5
access-control: 10.0.0.0/8 allow
...
local-zone: "www.domain.com" static
...
forward-zone:
    forward-addr: 185.121.177.177
    forward-addr: 169.239.202.202
...

The local-zone lines are only needed if you want to filter/censor domains. You can obtain a list of domains to block from StevenBlack's hosts files. I used the unified hosts + porn + gambling list to block unwanted content.

$ curl -L -O https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn/hosts

We need to reformat this hosts file into unbound local-zone lines:

$ awk '!/^ *#/ && NF' hosts > newhosts # taken from stevenblack's list
$ sed 's/0\.0\.0\.0 \([^#]*\).*$/local-zone: "\1" static/' newhosts > newhosts2
$ sed 's/  "/"/' newhosts2 > newhosts3

Manually check the result for malformed entries (the sed step only rewrites lines that start with 0.0.0.0; anything else in the hosts file passes through unchanged), then put the local-zone lines into /var/unbound/etc/unbound.conf.
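The script below is an added example (not part of the original page or of OpenBSD) that does the same conversion in one pass and handles the cases the manual check exists for: it only converts 0.0.0.0 entries, drops localhost and duplicate names, and reports instead of emitting names that are not valid host names. The sample input is constructed, and blocklist.conf is only a suggested file name.

```shell
#!/bin/sh
# hosts_to_localzones: read a hosts-format blocklist (StevenBlack style,
# "0.0.0.0 <domain>" lines) on stdin, print unbound "local-zone" lines.
# Compared with the awk/sed pipeline above it also
#   - keeps only 0.0.0.0 entries, so the 127.0.0.1 localhost lines at the
#     top of the file and the "0.0.0.0 0.0.0.0" entry never become zones,
#   - tolerates tabs, repeated spaces and trailing "# comment" text,
#   - lower-cases names, drops duplicates, and reports (on stderr) instead
#     of emitting entries that are not valid host names.
hosts_to_localzones() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # comment or blank line
        $1 != "0.0.0.0"       { next }          # not a sinkhole entry
        {
            name = tolower($2)
            if (name == "0.0.0.0" || name == "localhost") next
            # labels of [a-z0-9-] separated by dots, at least one dot
            if (name !~ /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$/) {
                printf "skipping malformed entry: %s\n", $0 > "/dev/stderr"
                next
            }
            if (name in seen) next
            seen[name] = 1
            printf "local-zone: \"%s\" static\n", name
        }'
}

# Constructed sample input (not the real StevenBlack file) covering the
# cases above: header comment, localhost lines, mixed case, a tab,
# a duplicate, and an invalid name containing an underscore.
SAMPLE_HOSTS=$(printf '# title: constructed sample\n127.0.0.1 localhost\n0.0.0.0 0.0.0.0\n0.0.0.0 Ads.Example.com   # trailing comment\n0.0.0.0\ttracker.example.net\n0.0.0.0 ads.example.com\n0.0.0.0 bad_host.example\n')

# Real use: hosts_to_localzones < hosts > /var/unbound/etc/blocklist.conf
printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_localzones
```

unbound reads the generated file if you add include: "/var/unbound/etc/blocklist.conf" to the server: section of unbound.conf, and doas unbound-checkconf validates the configuration before you restart the resolver.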

So far we have configured the pf ruleset, the forwarding features and the DNS resolver, and we have the certificates; now we need to configure iked itself. Add this to /etc/iked.conf (replace 203.0.113.5 with your server's public IP address and vpn.ircnow.org with your domain, and 'username' and 'password' with the VPN user's credentials):

user 'username' 'password'
ikev2 'vpn.ircnow.org' passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local 203.0.113.5 peer any \
srcid vpn.ircnow.org \
eap "mschap-v2" \
config address 10.0.5.0/24 \
config name-server 203.0.113.5 \
tag "ROADW"

Now everything is ready to start our VPN. Since /etc/iked.conf holds credentials, restrict its permissions, then enable and start iked:

$ doas chmod 0600 /etc/iked.conf
$ doas rcctl enable iked
$ doas rcctl start iked

TROUBLESHOOTING

If we couldn't get it running, we need to start iked in debug mode instead: skip the rcctl commands above (or stop the service with doas rcctl stop iked if it is already running) and run the following line:

$ doas iked -dvvv

This keeps iked in the foreground and prints all the information you need to fix the issue.