
Be your own VPN provider with OpenBSD (v2) - tgragnato
https://networkfilter.blogspot.com/2017/04/be-your-own-vpn-provider-with-openbsd-v2.html
======
aphextron
Does anyone know if there is a UFW equivalent for BSD? Dealing with PF
configuration is a nightmare.

~~~
wahern
The example given is overly complicated and would end up being at least as
verbose with other frameworks, even when using something like ufw. You can
create a safe and secure IKEv1 IPSec VPN host by adding a single line to the
default /etc/pf.conf file,

    pass out on egress from 192.168.1.0/24 to any nat-to egress

a few lines in /etc/ipsec.conf,

    #
    # OS X 10.10 only supports SHA1 and group modp1024 :(
    #
    ike passive esp tunnel proto udp \
      from $ext_ip to any \
      main auth hmac-sha1 enc aes group modp1024 \
      quick auth hmac-sha1 enc aes group modp1024 \
      psk $ext_psk

and edit or modify /etc/sysctl.conf to enable the relevant kernel features,

    net.inet.ip.forwarding=1
    net.inet.gre.allow=1
    net.pipex.enable=1

You'll need to edit 1 or 2 lines in /etc/npppd/npppd.conf if you want to
change the DHCP subnet pool or DNS server (OpenBSD's default unbound is
perfectly acceptable), and add or edit a couple of lines in
/etc/npppd/npppd-users to set a VPN user name and password. Of course you'll
need to enable the relevant services. /etc/rc.conf.local on one of my boxes
looks like:

    ipsec=YES
    isakmpd_flags=-K
    npppd_flags=
    ntpd_flags=-s
    unbound_flags=

Using certificate authentication for IKE auth is just as simple, although as
always X.509 certificate creation can be confusing for the uninitiated.

Setting up IKEv2 + IPSec on OpenBSD (iked instead of isakmpd) is even easier
because it takes npppd out of the equation entirely. Instead of editing
ipsec.conf, npppd.conf, or npppd-users, just put something like this into
/etc/iked.conf

    user "foo" "my secret"
    ikev2 "roaming" passive esp \
      from 0.0.0.0/0 to 192.168.1.128/25 local egress peer any \
      ikesa auth hmac-sha2-512 enc aes-128 prf hmac-sha2-512 group modp2048 \
      childsa enc aes-128-gcm group modp2048 \
      srcid my.host.name \
      eap "mschap-v2" \
      config address 192.168.1.128/25 \
      config name-server 192.168.1.1

In the above I would just create a loopback device (/etc/hostname.lo1) with
the address 192.168.1.1 and add "interface: 192.168.1.1" to
/var/unbound/etc/unbound.conf.
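The IKEv1 fragment above deliberately settles for HMAC-SHA1 and 1024-bit MODP to accommodate an old client, while the IKEv2 fragment uses SHA2-512 and modp2048. The following POSIX shell helper is an added example, not code from the thread or from OpenBSD: it scans an isakmpd (/etc/ipsec.conf) or iked (/etc/iked.conf) fragment for those legacy proposals so an operator notices when a compatibility compromise is still in place. The two sample configs are constructed (placeholder PSK, documentation-range address), and the set of algorithms treated as weak is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread): flag legacy IKE proposals in an
# isakmpd or iked config fragment. Sample configs are constructed; the
# weak-algorithm list below is an assumption of this example.

# Algorithms flagged: 1024-bit MODP Diffie-Hellman and HMAC-SHA1 integrity/PRF.
WEAK_ALGS='modp1024|hmac-sha1'

# Print every non-comment line of the config text in $1 that names a flagged
# algorithm, prefixed with its line number. Prints nothing when clean.
weak_proposal_lines() {
    printf '%s\n' "$1" | grep -nE "$WEAK_ALGS" | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# Number of offending lines in $1 (0 means none of the flagged algorithms appear).
count_weak_proposals() {
    weak_proposal_lines "$1" | grep -c .
}

# Return 0 when the fragment in $1 is clean, 1 otherwise; offenders go to stdout.
audit_ike_config() {
    _hits=$(weak_proposal_lines "$1")
    if [ -n "$_hits" ]; then
        printf 'weak IKE proposals found:\n%s\n' "$_hits"
        return 1
    fi
    return 0
}

# Constructed IKEv1 fragment modelled on the ipsec.conf example (placeholder PSK).
IKEV1_LEGACY='#
# Legacy client: only SHA1 and group modp1024 :(
#
ike passive esp tunnel proto udp \
  from 203.0.113.10 to any \
  main auth hmac-sha1 enc aes group modp1024 \
  quick auth hmac-sha1 enc aes group modp1024 \
  psk "PLACEHOLDER_PSK"'

# Constructed IKEv2 fragment with the stronger proposals from the iked.conf example.
IKEV2_MODERN='ikev2 "roaming" passive esp \
  from 0.0.0.0/0 to 192.168.1.128/25 local egress peer any \
  ikesa auth hmac-sha2-512 enc aes-128 prf hmac-sha2-512 group modp2048 \
  childsa enc aes-128-gcm group modp2048'

main() {
    # The legacy fragment reports its two proposal lines; the modern one is clean.
    audit_ike_config "$IKEV1_LEGACY" || echo "=> legacy fragment still carries a compatibility compromise"
    audit_ike_config "$IKEV2_MODERN" && echo "=> modern fragment is clean"
}

main "$@"
```

Run it against the live files with `audit_ike_config "$(cat /etc/iked.conf)"` from an interactive shell; the comment filter matters because, as in the fragment above, the weak names often appear in an explanatory comment right next to the proposal that uses them.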

