Be your own VPN provider with OpenBSD (v2) (networkfilter.blogspot.com)
18 points by tg180 on July 18, 2017 | hide | past | favorite | 2 comments



Does anyone know if there is a UFW equivalent for BSD? Dealing with PF configuration is a nightmare.


The example given is overly complicated and would end up being at least as verbose with other frameworks, even when using something like ufw. You can create a safe and secure IKEv1 IPSec VPN host by adding a single line to the default /etc/pf.conf file,

  pass out on egress from 192.168.1.0/24 to any nat-to egress
a few lines in /etc/ipsec.conf,

  #
  # OS X 10.10 only supports SHA1 and group modp1024 :(
  #
  ike passive esp tunnel proto udp \
    from $ext_ip to any \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    psk $ext_psk
and edit or modify /etc/sysctl.conf to enable the relevant kernel features,

  net.inet.ip.forwarding=1
  net.inet.gre.allow=1
  net.pipex.enable=1
You'll need to edit 1 or 2 lines in /etc/npppd/npppd.conf if you want to change the DHCP subnet pool or DNS server (OpenBSD's default unbound is perfectly acceptable), and add or edit a couple of lines in /etc/npppd/npppd-users to set a VPN user name and password. Of course you'll need to enable the relevant services. /etc/rc.conf.local on one of my boxes looks like:

  ipsec=YES
  isakmpd_flags=-K
  npppd_flags=
  ntpd_flags=-s
  unbound_flags=
Using certificate authentication for IKE auth is just as simple, although as always X.509 certificate creation can be confusing for the uninitiated.

Setting up IKEv2 + IPSec on OpenBSD (iked instead of isakmpd) is even easier because it takes npppd out of the equation entirely. Instead of editing ipsec.conf, npppd.conf, or npppd-users, just put something like this into /etc/iked.conf:

  user "foo" "my secret"
  ikev2 "roaming" passive esp \
    from 0.0.0.0/0 to 192.168.1.128/25 local egress peer any \
    ikesa auth hmac-sha2-512 enc aes-128 prf hmac-sha2-512 group modp2048 \
    childsa enc aes-128-gcm group modp2048 \
    srcid my.host.name \
    eap "mschap-v2" \
    config address 192.168.1.128/25 \
    config name-server 192.168.1.1
In the above I would just create a loopback device (/etc/hostname.lo1) with the address 192.168.1.1 and add "interface: 192.168.1.1" to /var/unbound/etc/unbound.conf.



