As previously promised, I'll now cover the basic setup of
VPN tunnels between two OpenBSD gateways. To avoid unnecessary repetition, the
basic installation of OpenBSD is covered in my previous blog post and in the
OpenBSD FAQ pages.
I taught myself how to configure this system by reading the
vpn man page, plus some trial and error. I hope to simplify this process for
readers, giving clear examples at every step. Another widely used VPN
implementation is PPTP (VPN dial-in); bear in mind that its MS-CHAPv2
authentication is considered broken, so it is not a substitute for an IPsec
tunnel. I'll cover the installation and configuration of PPTP later, which
proves more troublesome than a basic IPsec tunnel. I'm starting with two clean
OpenBSD installations; each has two network interfaces installed and the
following configuration:
Gateway A:
Hostname – vpnA
Domain – test.com
Interface1 – 10.1.1.1/255.255.255.0
Interface2 – 20.1.1.1/255.255.255.0
Gateway B:
Hostname – vpnB
Domain – test.com
Interface1 – 10.2.1.1/255.255.255.0
Interface2 – 20.1.1.2/255.255.255.0
As you can guess, Interface1 is connected to the internal
network, and Interface2 simulates our Internet connection.
Once the basic setup of the gateway machines is done
(referring to the install guides and the guidelines above), there is surprisingly
little which needs to be done to get a VPN tunnel up and running. The following
files will need to be edited. I'll explain how and why as we go along:
/etc/sysctl.conf
/etc/rc.conf
/etc/rc.conf.local
/etc/rc.local
/etc/pf.conf
/etc/isakmpd/isakmpd.conf
/etc/isakmpd/isakmpd.policy
There are two methods of authenticating the two gateways in
order to set up the VPN tunnel: manual or automatic keying. Manual keying requires
that you generate the keys and security associations yourself and then configure
the IPsec flows by hand. Automatic keying does all of this for you (you never
would have guessed that!). I have only used automatic keying; it's easier to
configure than manual keying and has worked flawlessly, so I see no reason to
switch to manual keying. Automatic keying also rekeys the tunnel periodically,
which a manually keyed tunnel never does. Instructions and explanations of manual
keying can be found on the vpn man page.
So, to get started, we must first make sure that IP
forwarding is allowed (any gateway machine will require this, whether it runs
VPN tunnels or not). This option is found inside the file /etc/sysctl.conf,
along with the switches that activate the Authentication Header (AH) and
Encapsulating Security Payload (ESP) protocols. AH provides replay protection,
integrity, and authentication of the packet. ESP provides the same functions,
with the addition of confidentiality, securing everything in the packet which
follows the IP header. For a more detailed explanation take a look at the ipsec
man page.
Next, edit /etc/sysctl.conf:
> vi /etc/sysctl.conf
The following lines need to be modified or added:
net.inet.esp.enable=1
net.inet.ah.enable=1
net.inet.ip.forwarding=1
This file is only read at boot; to apply a setting immediately on a running
system, pass the same name=value pair to sysctl, e.g. sysctl net.inet.ip.forwarding=1.
As discussed in my previous blog post, packet filter (pf) is the
built-in firewall of OpenBSD. We need to make sure this is enabled at boot. In
the same file that enables pf, we will also need to enable a daemon called isakmpd.
isakmpd is the automatic keying daemon which handles the creation of our IPsec
tunnels, authentication between the hosts, and so on. Full details can
surprisingly be found on the isakmpd man page.
The file is /etc/rc.conf.local, which may not exist; if not,
then create it. The following content needs to be entered:
pf=YES
isakmpd=YES
> vi /etc/rc.conf.local
We also need to set isakmpd_flags so that isakmpd starts on bootup. The default
in /etc/rc.conf is isakmpd_flags=NO; an empty value enables the daemon with no
extra flags:
isakmpd_flags=""
Note that /etc/rc.conf is replaced on upgrades, and its header tells you to put
overrides in /etc/rc.conf.local instead, so the isakmpd_flags line is best placed
there alongside pf=YES rather than by editing /etc/rc.conf directly.
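The edits above are easy to get wrong by hand (a commented-out line left in place, a key set twice, rc.conf.local missing on a fresh install). The following script is an added example, not part of the original post, that applies all of the settings from this post idempotently and then checks that each file really carries the expected value. It takes the file paths as arguments so it can be exercised on copies; the real paths /etc/sysctl.conf and /etc/rc.conf.local, and running it as root on the gateway, are assumptions. It places isakmpd_flags in rc.conf.local rather than rc.conf, for the upgrade-safety reason noted above.

```shell
#!/bin/sh
# Added example: idempotent key=value editing for OpenBSD-style config files.
# Assumed usage on a gateway: ./gwsetup.sh /etc/sysctl.conf /etc/rc.conf.local

# escape_key KEY -> KEY with regex-special dots escaped, for use in sed/grep
escape_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# set_kv FILE KEY VALUE
# Replace an existing "KEY=..." line (even a commented-out one) in place, or
# append the line if absent. Create FILE if missing, since rc.conf.local does
# not exist on a fresh install. A temp file is used because sed -i is not portable.
set_kv() {
    file=$1; key=$2; value=$3; esc=$(escape_key "$key")
    [ -e "$file" ] || : > "$file"
    if grep -q "^#*[[:space:]]*$esc=" "$file"; then
        sed "s|^#*[[:space:]]*$esc=.*|$key=$value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_kv FILE KEY -> prints the effective value (last uncommented KEY= line)
get_kv() {
    esc=$(escape_key "$2")
    sed -n "s/^$esc=//p" "$1" | tail -n 1
}

# configure_gateway SYSCTL_CONF RC_CONF_LOCAL: apply every setting from the post
configure_gateway() {
    set_kv "$1" net.inet.ip.forwarding 1
    set_kv "$1" net.inet.esp.enable 1
    set_kv "$1" net.inet.ah.enable 1
    set_kv "$2" pf YES
    # empty string (not NO) is what enables isakmpd in rc(8)
    set_kv "$2" isakmpd_flags '""'
}

# check_gateway SYSCTL_CONF RC_CONF_LOCAL: return 0 only if every value is set
check_gateway() {
    [ "$(get_kv "$1" net.inet.ip.forwarding)" = 1 ] &&
    [ "$(get_kv "$1" net.inet.esp.enable)" = 1 ] &&
    [ "$(get_kv "$1" net.inet.ah.enable)" = 1 ] &&
    [ "$(get_kv "$2" pf)" = YES ] &&
    [ "$(get_kv "$2" isakmpd_flags)" = '""' ]
}

if [ $# -eq 2 ]; then
    configure_gateway "$1" "$2" && check_gateway "$1" "$2" && echo "gateway config OK"
fi
```

Run it twice and diff the files: the second run must change nothing. Because the check reads the files rather than the live kernel, a passing check still needs a reboot (or the sysctl commands shown above) before the settings are in effect.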
That was pretty easy! Next time, we'll configure isakmpd to
set up our VPN tunnels.