As previously promised, I'll now cover the basic setup of VPN tunnels between two OpenBSD gateways. To avoid unnecessary repetition, the basic installation of OpenBSD is not repeated here; it is covered in my previous blog post and in the OpenBSD FAQ pages.

I taught myself how to configure this system by reading the vpn man page, plus some trial and error. I hope to simplify this process for readers, giving clear examples at every step. Another very useful VPN implementation is PPTP (VPN dial-in). I'll cover the installation and configuration of PPTP later, which proves more troublesome than a basic IPsec tunnel. I'm starting with two clean OpenBSD installations; each has two network interfaces installed and the following configuration:

Gateway A:

Hostname – vpnA
Domain –
Interface1 –
Interface2 –

Gateway B:

Hostname – vpnB
Domain –
Interface1 –
Interface2 –

As you can guess, Interface1 is connected to the internal network, and Interface2 simulates our Internet connection.

Once the basic setup of the gateway machines is done (referring to the install guides and the configuration above), there is surprisingly little left to do to get a VPN tunnel up and running. Only a few files need to be edited. I'll explain how and why as we go along:


There are two methods of authenticating the two gateways in order to set up the VPN tunnel: manual or automatic keying. Manual keying requires that you generate the keys and security associations yourself and then configure the IPsec flows by hand; because the keys are static, they also never get rotated unless you do it. Automatic keying does all of this for you (you never would have guessed that!), negotiating and refreshing the keys between the gateways. I have only used automatic keying; it's easier to configure than manual keying and has worked flawlessly, so I see no reason to switch to manual keying. I guess it comes down to a matter of preference. Instructions and explanations of manual keying can be found on the vpn man page.

So, to get started, we must first make sure that IP forwarding is allowed (any gateway machine will require this, whether it runs VPN tunnels or not). This option is set in the file /etc/sysctl.conf, along with activation of the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols. AH provides replay protection, integrity and authentication, and its integrity check also covers the (immutable fields of the) IP header itself, which is why AH does not survive address translation. ESP provides the same functions with the addition of confidentiality, securing everything in the packet which follows the ESP header; the outer IP header is not covered. For a more detailed explanation take a look at the ipsec man page.

Next, edit /etc/sysctl.conf. The following lines need to be


> vi /etc/sysctl.conf

As discussed in my previous blog, packet filter (pf) is the built-in firewall of OpenBSD. We need to make sure this is enabled at boot. In the same configuration file (/etc/rc.conf.local, described next), we will also need to enable a daemon called isakmpd. isakmpd is the automatic keying daemon; it implements IKE (Internet Key Exchange) and handles the creation of our IPsec security associations, authentication between the hosts, and so on. Full details can surprisingly be found on the isakmpd man page.

The file is /etc/rc.conf.local, which may not exist; if not, create it. Anything set in it overrides the defaults in /etc/rc.conf. The following content needs to be entered:


> vi /etc/rc.conf.local

We also need to edit /etc/rc.conf so that isakmpd starts on bootup. Note that /etc/rc.conf is replaced when the system is upgraded, so any setting you change there should also be kept in /etc/rc.conf.local, which survives upgrades:
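The following script is an added example and is not part of the original post. It puts the two editing steps above (the sysctl.conf settings for forwarding, AH and ESP, and the rc.conf.local settings that enable pf and isakmpd) into one idempotent helper and then checks the result, so the same procedure can be run on both gateways without duplicating lines or leaving a commented-out default in place. The sysctl names are the standard OpenBSD ones; the rc.conf variable names (pf, isakmpd_flags, with an empty string meaning "run with no extra flags" and NO meaning "do not run") are assumed from the rc.conf of the OpenBSD releases this post targets, so check rc.conf(8) on your release. The file paths are parameters so the script can be tried on a copy first; it only edits files, and the sysctl values take effect at the next boot or when applied with sysctl(8).

```shell
#!/bin/sh
# Added example (not from the original post): idempotently set key=value
# lines in OpenBSD-style config files, then verify the gateway settings.
set -eu

# esc_key KEY -> KEY with dots escaped for use in a sed regular expression
esc_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# set_kv FILE KEY VALUE
# Replace an existing "KEY=..." line (even a commented-out one), or append.
set_kv() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    pat=$(esc_key "$key")
    if grep -q "^#*[[:space:]]*$pat=" "$file"; then
        # Write to a temp file rather than relying on sed -i (not portable).
        tmp=$(mktemp)
        sed "s|^#*[[:space:]]*$pat=.*|$key=$value|" "$file" > "$tmp"
        mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_kv FILE KEY -> prints the value of the last active KEY= line, or nothing
get_kv() {
    pat=$(esc_key "$2")
    sed -n "s|^$pat=||p" "$1" | tail -n 1
}

# configure_gateway SYSCTL_CONF RC_CONF_LOCAL
configure_gateway() {
    # /etc/sysctl.conf: forwarding is needed by any gateway; AH and ESP by IPsec.
    set_kv "$1" net.inet.ip.forwarding 1
    set_kv "$1" net.inet.esp.enable 1
    set_kv "$1" net.inet.ah.enable 1
    # /etc/rc.conf.local: pf at boot, and isakmpd with no extra flags.
    # (Variable names assumed from the rc.conf of the targeted OpenBSD releases.)
    set_kv "$2" pf YES
    set_kv "$2" isakmpd_flags '""'
}

# expect FILE KEY VALUE -> 0 if FILE has an active line KEY=VALUE, else 1
expect() {
    if [ "$(get_kv "$1" "$2")" = "$3" ]; then
        return 0
    fi
    echo "missing or wrong: $2 in $1 (want $3)" >&2
    return 1
}

# verify_gateway SYSCTL_CONF RC_CONF_LOCAL -> 0 only if every setting is present
verify_gateway() {
    rc=0
    expect "$1" net.inet.ip.forwarding 1 || rc=1
    expect "$1" net.inet.esp.enable 1 || rc=1
    expect "$1" net.inet.ah.enable 1 || rc=1
    expect "$2" pf YES || rc=1
    expect "$2" isakmpd_flags '""' || rc=1
    return $rc
}

# Usage: sh gateway-conf.sh /etc/sysctl.conf /etc/rc.conf.local   (as root)
if [ $# -eq 2 ]; then
    configure_gateway "$1" "$2"
    verify_gateway "$1" "$2" && echo "gateway settings present in $1 and $2"
fi
```

Run it once on each gateway after the base install; running it a second time is harmless, because an existing line is rewritten rather than appended, and a default that was shipped commented out (for example a `#net.inet.esp.enable=1` line) is uncommented rather than duplicated.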


That was pretty easy! Next time, we’ll configure ISAKMPD to
set up our VPN tunnels.