OpenBSD Vpn Road Warrior Howto

Published by Patrick

Introduction

OpenBSD is known for its security and clean design, making it an ideal choice for a VPN server. In this guide, we will set up a VPN server on OpenBSD 7.3 using iked, the native IKEv2 daemon, which is perfect for road warrior (mobile clients) access. By the end of this guide, you'll have a secure, functional VPN for your clients to connect to from anywhere.

Prerequisites

Before we dive into the setup, ensure you have the following:

  • A VPS or dedicated server running OpenBSD 7.3
  • A domain name or static public IP address for the VPN server
  • Root access to your server

With these in hand, we can begin configuring our VPN server.

Step 1: Configure iked

Generate Necessary Certificates and Keys

We will use OpenSSL to generate the CA (Certificate Authority) and the server certificate required by iked. The certificate authenticates the VPN server to the clients; the keys that actually encrypt traffic are negotiated by IKEv2 for every session, not taken from the certificate.

Create the Directory for Private Keys

First, make sure the private-key directory exists with restrictive permissions (a base OpenBSD install already ships /etc/ssl/private as mode 0700, so this is a no-op there):

cd /etc/ssl
mkdir -p private
chmod 700 private

Generate the CA Private Key

This key will be used to sign the server's certificate. It’s highly sensitive, so ensure it remains protected:

openssl genrsa -out private/cakey.pem 4096

Create the CA Certificate

Now, generate a self-signed CA certificate; this is the certificate each VPN client will import and trust:

openssl req -x509 -new -nodes \
            -key private/cakey.pem \
            -sha256 -days 3650 \
            -out cacert.pem \
            -subj "/C=NL/O=VPN/CN=VPN CA"

Generate the VPN Server Key

Next, generate the private key for the VPN server:

openssl genrsa -out private/vpn-server-key.pem 4096

Create the VPN Server Certificate Signing Request (CSR)

We need a CSR to sign our VPN server certificate:

openssl req -new -key private/vpn-server-key.pem \
            -out vpn-server-csr.pem \
            -subj "/C=NL/O=VPN/CN=vpn.example.com"

Sign the VPN Server Certificate

Sign the CSR with the CA we created earlier. The subjectAltName must carry the name clients will connect to, which is also the srcid used in iked.conf; the serverAuth extended key usage is required by the Windows and Apple IKEv2 clients. OpenBSD's ksh does not support <(...) process substitution, so write the extensions to a small file first:

printf 'subjectAltName=DNS:vpn.example.com\nextendedKeyUsage=serverAuth\n' > vpn-server-ext.cnf

openssl x509 -req -in vpn-server-csr.pem \
             -CA cacert.pem -CAkey private/cakey.pem \
             -CAcreateserial -out vpn-server-cert.pem \
             -days 1825 -sha256 \
             -extfile vpn-server-ext.cnf

With these steps the certificates exist, but they still sit under /etc/ssl, where iked does not look. iked(8) loads CA certificates from /etc/iked/ca/, server and peer certificates from /etc/iked/certs/, the server's private key from /etc/iked/private/local.key and its public key from /etc/iked/local.pub. Copy cacert.pem, vpn-server-cert.pem and vpn-server-key.pem into those locations (local.pub is extracted from the private key with openssl rsa -pubout) before starting the daemon. The CA private key is not needed by iked and is best kept off the server.
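The whole of Step 1 as one script, added here as an example and not taken from the article: it builds the CA and server certificate and installs them directly in the layout iked(8) expects. It assumes it runs as root on the OpenBSD host (LibreSSL's openssl(1) and OpenSSL 1.1/3 accept these options alike), and takes the FQDN and the target directory as arguments so it can be exercised on a scratch directory first.

```shell
#!/bin/sh
# Added example: Step 1 end to end, installed where iked(8) looks.
# Assumptions: run as root; "$fqdn" is the name clients dial and the srcid
# in iked.conf; the default target is /etc/iked.
#
# usage: gen_vpn_pki <fqdn> [iked_dir]
# Layout produced:
#   <iked_dir>/ca/ca.crt           CA certificate (also imported on each client)
#   <iked_dir>/certs/<fqdn>.crt    server certificate, SAN = fqdn
#   <iked_dir>/private/local.key   server private key, 0600
#   <iked_dir>/local.pub           public half of local.key
#   <iked_dir>/private/ca.key      CA private key; move it off the server
gen_vpn_pki() (
    set -e
    fqdn=$1
    iked_dir=${2:-/etc/iked}
    work=$(mktemp -d)           # CSR, serial and extension file live here
    umask 077                   # private unless chmod'ed otherwise below

    mkdir -p "$iked_dir/ca" "$iked_dir/certs" "$iked_dir/private"

    # CA key and self-signed CA certificate, valid 10 years
    openssl genrsa -out "$work/ca.key" 4096 2>/dev/null
    openssl req -x509 -new -nodes -key "$work/ca.key" -sha256 -days 3650 \
        -subj "/C=NL/O=VPN/CN=VPN CA" -out "$iked_dir/ca/ca.crt"

    # Server key and CSR; the CN is informational, the SAN below is what counts
    openssl genrsa -out "$iked_dir/private/local.key" 4096 2>/dev/null
    openssl req -new -key "$iked_dir/private/local.key" \
        -subj "/C=NL/O=VPN/CN=$fqdn" -out "$work/server.csr"

    # Extensions go through a file: OpenBSD ksh has no <(...) substitution.
    # serverAuth EKU is required by the Windows and Apple IKEv2 clients.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" \
        > "$work/ext.cnf"
    # Serial file kept in the scratch dir so no stray file lands in ca/
    openssl x509 -req -in "$work/server.csr" \
        -CA "$iked_dir/ca/ca.crt" -CAkey "$work/ca.key" \
        -CAserial "$work/ca.srl" -CAcreateserial \
        -days 1825 -sha256 -extfile "$work/ext.cnf" \
        -out "$iked_dir/certs/$fqdn.crt"

    # iked wants the public half of local.key as a separate file
    openssl rsa -in "$iked_dir/private/local.key" -pubout \
        -out "$iked_dir/local.pub" 2>/dev/null

    # Certificates are read by the unprivileged ca process: world-readable.
    # Keys stay 0600 inside a 0700 directory.
    chmod 755 "$iked_dir" "$iked_dir/ca" "$iked_dir/certs"
    chmod 644 "$iked_dir/ca/ca.crt" "$iked_dir/certs/$fqdn.crt" "$iked_dir/local.pub"
    chmod 700 "$iked_dir/private"
    mv "$work/ca.key" "$iked_dir/private/ca.key"
    rm -rf "$work"

    # Checks: the chain verifies and the SAN carries the name clients will dial
    openssl verify -CAfile "$iked_dir/ca/ca.crt" "$iked_dir/certs/$fqdn.crt" >/dev/null
    openssl x509 -in "$iked_dir/certs/$fqdn.crt" -noout -text | grep -q "DNS:$fqdn"
)

# e.g.  ./mkpki.sh vpn.example.com        (installs into /etc/iked)
#       ./mkpki.sh vpn.example.com /tmp/x (dry run into a scratch directory)
if [ $# -ge 1 ]; then
    gen_vpn_pki "$@"
fi
```

The function returns non-zero if the chain does not verify or the SAN is missing, so a failed run leaves nothing you would mistake for a working setup. Copy ca.crt to every client afterwards and take private/ca.key off the box once you have signed what you need.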

Step 2: Edit iked Configuration

OpenBSD’s IKE daemon (iked) is configured via /etc/iked.conf. We’ll set it up to accept IKEv2 connections for our VPN clients.

Edit the Configuration File

Open /etc/iked.conf with your preferred editor:

vim /etc/iked.conf

And add the following configuration:

user "username" "password"

ikev2 "roadwarrior" passive esp \
    from 0.0.0.0/0 to 0.0.0.0/0 \
    local 82.197.198.151 peer any \
    srcid vpn.example.com \
    eap mschap-v2 \
    config address 10.10.10.0/24 \
    config name-server 192.168.2.166 \
    tag "$name"

Let’s break this down:

  • user "username" "password": One account per line; iked checks EAP-MSCHAPv2 logins against these. The passwords are stored in clear text, so /etc/iked.conf must stay mode 0600 and owned by root (the default).
  • local 82.197.198.151: Replace this with your VPN server’s public IP (local any also works if the address may change).
  • srcid vpn.example.com: The identity the server presents. iked uses it to pick the server certificate from /etc/iked/certs/, so it must equal the subjectAltName set in Step 1, and clients must connect to this name for certificate validation to succeed.
  • eap mschap-v2: Authenticate clients with EAP-MSCHAPv2 against the user lines. The credentials do not belong on this line; iked takes them from user definitions only.
  • config address 10.10.10.0/24: The VPN clients will be assigned IP addresses from this pool.
  • config name-server 192.168.2.166: The DNS server pushed to clients; it must be reachable from the pool.
  • tag "$name": Tags the tunnelled traffic with the policy name so PF rules can match on it.
  • Daemon command-line flags are not iked.conf syntax: a line such as iked_flags="-6" is parsed as a harmless macro and has no effect. Flags for iked belong in /etc/rc.conf.local, set with rcctl set iked flags.

With this configuration IKEv2 clients authenticate with a username and password over EAP-MSCHAPv2 while the server authenticates with its certificate; each client is assigned an address from the pool and the DNS server above. Every client must have cacert.pem installed as a trusted CA and must connect to vpn.example.com rather than the bare IP, otherwise the server certificate will not validate.
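A pre-flight check for the configuration above, added here as an example and not taken from the article: it catches the mistakes that most often keep a road-warrior policy from working (credentials placed on the eap keyword, no user line at all, no srcid) and, when run on the OpenBSD host, hands the file to iked's own parser with the configtest flag. It assumes POSIX sh with grep -E; the two sample files it writes are constructed for the demonstration, with the documentation address 192.0.2.1 standing in for the public IP.

```shell
#!/bin/sh
# Added example: lint an iked.conf road-warrior policy before starting iked.
# Assumptions: POSIX sh and grep -E; iked(8) exists only on the OpenBSD host,
# so the real parser check is skipped elsewhere.
set -eu

# usage: lint_iked_conf <file>; exit status 0 when no known mistake is found
lint_iked_conf() {
    f=$1
    # Credentials on the eap keyword are a common mistake; iked takes them
    # from 'user "name" "password"' lines instead.
    if grep -Eq '^[[:space:]]*eap[[:space:]]+"?mschap-v2"?[[:space:]]+"' "$f"; then
        echo "$f: credentials on the eap line; use: user \"name\" \"password\"" >&2
        return 1
    fi
    # eap mschap-v2 without any user definition accepts nobody.
    if grep -Eq '^[[:space:]]*eap[[:space:]]+"?mschap-v2"?' "$f" \
       && ! grep -Eq '^[[:space:]]*user[[:space:]]+"' "$f"; then
        echo "$f: eap mschap-v2 but no user line" >&2
        return 1
    fi
    # The srcid is how iked selects the server certificate; it must equal the
    # name in the certificate's subjectAltName.
    if ! grep -Eq '^[[:space:]]*srcid[[:space:]]+[^[:space:]]' "$f"; then
        echo "$f: policy has no srcid" >&2
        return 1
    fi
    # Real syntax check with the daemon's own parser (iked -n = configtest).
    if command -v iked >/dev/null 2>&1; then
        iked -n -f "$f" || return 1
    fi
    return 0
}

# Two constructed configurations: the article's original form (credentials on
# the eap line) and the corrected form with a separate user line.
write_sample_confs() {
    dir=$1
    cat > "$dir/bad.conf" <<'EOF'
ikev2 "roadwarrior" passive esp \
    from 0.0.0.0/0 to 0.0.0.0/0 \
    local 192.0.2.1 peer any \
    srcid vpn.example.com \
    eap mschap-v2 "username" "password" \
    config address 10.10.10.0/24 \
    config name-server 192.168.2.166 \
    tag "$name"
EOF
    cat > "$dir/good.conf" <<'EOF'
user "username" "password"

ikev2 "roadwarrior" passive esp \
    from 0.0.0.0/0 to 0.0.0.0/0 \
    local 192.0.2.1 peer any \
    srcid vpn.example.com \
    eap mschap-v2 \
    config address 10.10.10.0/24 \
    config name-server 192.168.2.166 \
    tag "$name"
EOF
}

# e.g.  ./lint-iked.sh /etc/iked.conf && rcctl restart iked
if [ $# -ge 1 ]; then
    lint_iked_conf "$1"
fi
```

The grep checks are deliberately narrow: they only flag patterns that are wrong in every iked.conf, and leave everything else to iked -n, which is the authoritative check.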

Step 3: Configure PF Firewall Rules

The OpenBSD Packet Filter (PF) firewall needs to be configured to allow the necessary VPN traffic.

Edit the PF Configuration

Open the PF configuration file:

vim /etc/pf.conf

Add the following rules to permit IKE, ESP and the decrypted tunnel traffic:

pass in quick on egress proto udp from any to any port { 500, 4500 }
pass in quick on egress proto esp from any to any
pass out quick on egress proto udp from any to any port { 500, 4500 }
pass in quick on enc0 all
pass out quick on enc0 all

These rules:

  • Permit UDP 500 (IKE) and UDP 4500 (IKE plus ESP encapsulated in UDP once NAT traversal is detected).
  • Permit bare ESP (IP protocol 50), which is what a client that is not behind NAT sends.
  • Allow traffic on the enc0 interface, where packets appear in the clear after decryption and before encryption; the encrypted copies are what cross egress.

Two caveats. OpenBSD's stock pf.conf already passes everything, so these rules only make a difference once you block by default. And for clients to reach anything beyond the server through a 0.0.0.0/0 tunnel, the kernel must forward packets (net.inet.ip.forwarding=1 in /etc/sysctl.conf) and the 10.10.10.0/24 pool must be NATed to the egress address; neither happens by itself.

Reload the PF Configuration

Once the changes are made, reload PF to apply the new rules:

pfctl -f /etc/pf.conf
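The PF side as a small, repeatable script, added here as an example and not part of the article: it appends a marked rule block that also includes the NAT rule a full-tunnel road warrior needs, turns on IP forwarding persistently, and only touches the live firewall after a syntax check. It assumes the 10.10.10.0/24 pool and the egress interface group from the article; the file paths are parameters so the functions can be exercised on scratch copies.

```shell
#!/bin/sh
# Added example: PF rules plus forwarding for the iked road-warrior setup.
# Assumptions: pool 10.10.10.0/24 (argument), public NIC in the egress group,
# pfctl/sysctl only used when the script runs on OpenBSD.
set -eu

# usage: pf_vpn_rules <client_pool>; prints the rule block
pf_vpn_rules() {
    pool=$1
    cat <<EOF
# --- iked road warrior (begin)
# IKE on UDP 500; IKE and ESP-in-UDP on 4500 once NAT traversal is detected
pass in quick on egress proto udp from any to (egress) port { 500, 4500 }
# Bare ESP (IP protocol 50) for clients that are not behind NAT
pass in quick on egress proto esp from any to (egress)
# Decrypted client packets appear on enc0; confine them to the pool
pass in quick on enc0 inet from $pool to any keep state (if-bound)
pass out quick on enc0 inet from any to $pool keep state (if-bound)
# Clients carry private addresses: NAT them behind the public address.
# match rules apply in order, so this must be evaluated before any quick
# rule that passes the same outbound traffic.
match out on egress inet from $pool to any nat-to (egress)
# --- iked road warrior (end)
EOF
}

# usage: install_pf_rules <client_pool> <pf.conf>; idempotent via the marker
install_pf_rules() {
    pool=$1; conf=$2
    if ! grep -q '^# --- iked road warrior (begin)' "$conf" 2>/dev/null; then
        pf_vpn_rules "$pool" >> "$conf"
    fi
    # Parse first (-n), load only if that succeeds; a bad file would
    # otherwise leave the old ruleset in place with only an error printed.
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$conf" && pfctl -f "$conf"
    fi
}

# usage: enable_forwarding <sysctl.conf>; persistent setting plus live toggle
enable_forwarding() {
    conf=$1
    grep -q '^net.inet.ip.forwarding=1' "$conf" 2>/dev/null \
        || echo 'net.inet.ip.forwarding=1' >> "$conf"
    if [ "$(uname)" = OpenBSD ] && command -v sysctl >/dev/null 2>&1; then
        sysctl net.inet.ip.forwarding=1 >/dev/null
    fi
}

# e.g.  ./vpn-pf.sh            (applies to the real files on the VPN host)
if [ $# -ge 1 ] && [ "$1" = apply ]; then
    install_pf_rules 10.10.10.0/24 /etc/pf.conf
    enable_forwarding /etc/sysctl.conf
fi
```

Running it twice is safe: the marker line and the grep keep both files from accumulating duplicate entries. The enc0 rules use keep state (if-bound) because the same packet is seen once on enc0 in the clear and once on egress as ESP, and a floating state created on one interface should not be matched by the other.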

Step 4: Enable and Start the iked Service

Finally, we need to enable and start the iked service so that it runs at boot.

Enable the Service

To ensure iked starts on boot, run:

rcctl enable iked

Start the Service

Start the iked service immediately. If it does not come up, iked -dv runs it in the foreground with verbose logging so the reason is visible, and ikectl show sa lists the active SAs once a client has connected:

rcctl start iked

Conclusion

Congratulations! You’ve configured OpenBSD as a VPN server using iked. Once each road warrior client has the CA certificate installed and connects to vpn.example.com with an account from the user lines, everything it sends through the tunnel is encrypted between the client and your server. OpenBSD’s minimalistic approach makes it a great choice for robust, secure VPN setups. Happy VPNing!