In this tutorial, I’ll show how to create a VPN using OpenBSD

Making a VPN on OpenBSD is very easy and takes only minutes.

The scenario is as follows:

Consider two OpenBSD gateways, A and B.

Adjust /etc/sysctl.conf on both sides (these settings are read at boot; to apply them right away, set them with sysctl(8) as well):

net.inet.ip.forwarding=1
net.inet.ah.enable=1
net.inet.esp.enable=1
net.inet.ipcomp.enable=1



Adjust /etc/ipsec.conf on OpenBSD A:

# cat /etc/ipsec.conf
local_ip="172.16.123.1"
local_network="192.168.20.0/24"
remote_ip="172.16.123.2"
remote_network="192.168.40.0/24"

ike esp from $local_network to $remote_network peer $remote_ip
ike esp from $local_ip to $remote_network peer $remote_ip
ike esp from $local_ip to $remote_ip



Adjust /etc/ipsec.conf on OpenBSD B. B is the passive side: it waits for A to initiate the IKE exchange.

# cat /etc/ipsec.conf
local_ip="172.16.123.2"
local_network="192.168.40.0/24"
remote_ip="172.16.123.1"
remote_network="192.168.20.0/24"

ike passive esp from $local_network to $remote_network peer $remote_ip
ike passive esp from $local_ip to $remote_network peer $remote_ip
ike passive esp from $local_ip to $remote_ip



Adjust /etc/pf.conf on both OpenBSD gateways (I assume your PF ruleset has a default block-all policy). The macros $ext_if, $int_if, $remote_gw and $remote_nets must be defined earlier in pf.conf for your external and internal interfaces, the remote gateway address and the remote network. Note that "set skip on enc0" turns off filtering on enc0 entirely, so the enc0 rules below only take effect if enc0 is dropped from the skip list.

set skip on { lo enc0 }

# VPN
pass in log on $ext_if proto esp from $remote_gw to $ext_if
pass out log on $ext_if proto esp from $ext_if to $remote_gw
pass in log on $ext_if proto udp from $remote_gw to $ext_if port {isakmp, ipsec-nat-t}
pass out log on $ext_if proto udp from $ext_if to $remote_gw port {isakmp, ipsec-nat-t}
pass in log on enc0 from $remote_nets to $int_if:network keep state (if-bound)
pass out log on enc0 from $int_if:network to $remote_nets keep state (if-bound)



Exchange the isakmpd public keys between both OpenBSD gateways. Each peer's /etc/isakmpd/local.pub goes into /etc/isakmpd/pubkeys/ipv4/ under a file named after that peer's IP address.

On OpenBSD A, copy /etc/isakmpd/local.pub from OpenBSD B into /etc/isakmpd/pubkeys/ipv4/172.16.123.2:

# scp 172.16.123.2:/etc/isakmpd/local.pub /etc/isakmpd/pubkeys/ipv4/172.16.123.2

On OpenBSD B, copy /etc/isakmpd/local.pub from OpenBSD A into /etc/isakmpd/pubkeys/ipv4/172.16.123.1:

# scp 172.16.123.1:/etc/isakmpd/local.pub /etc/isakmpd/pubkeys/ipv4/172.16.123.1

Test your ipsec.conf on both sides:

# ipsecctl -n -f /etc/ipsec.conf

Now it's time to start the VPN. On both sides execute:

# isakmpd -K ; ipsecctl -f /etc/ipsec.conf

Test it:

On one side run:

# tcpdump -ni enc0

On the other side run:

# ping 172.16.123.2

This assumes tcpdump is running on side B and the ping is executed on side A; the ICMP packets should show up in clear on B's enc0, which carries traffic before encryption and after decryption.
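As a complement to the tcpdump test, here is an added check (not part of the original tutorial) that parses the output of ipsecctl -sa and reports which flows or SAs are missing, so a half-established tunnel is spotted immediately. SAMPLE_SA is constructed to resemble ipsecctl -sa on side A with the tunnel up; the addresses are the tutorial's, and on a real gateway you would pass "$(ipsecctl -sa)" instead.

```shell
#!/bin/sh
# Verify that the kernel holds both flows (in and out) and both ESP SAs (one per
# direction) for the peer. A missing inbound SA, for example, usually means the
# other side's pf is dropping ESP or IKE. SAMPLE_SA is constructed sample output.

SAMPLE_SA='FLOWS:
flow esp in from 192.168.40.0/24 to 192.168.20.0/24 peer 172.16.123.2 srcid 172.16.123.1/32 dstid 172.16.123.2/32 type use
flow esp out from 192.168.20.0/24 to 192.168.40.0/24 peer 172.16.123.2 srcid 172.16.123.1/32 dstid 172.16.123.2/32 type require

SAD:
esp tunnel from 172.16.123.1 to 172.16.123.2 spi 0x0a1b2c3d auth hmac-sha2-256 enc aes
esp tunnel from 172.16.123.2 to 172.16.123.1 spi 0x4e5f6071 auth hmac-sha2-256 enc aes'

# has_flow OUTPUT DIR SRC DST PEER: true if a "flow esp DIR from SRC to DST peer PEER" line exists.
has_flow() {
  printf '%s\n' "$1" | awk -v d="$2" -v s="$3" -v t="$4" -v p="$5" \
    '$1 == "flow" && $3 == d && $5 == s && $7 == t && $9 == p { f = 1 } END { exit !f }'
}

# has_sa OUTPUT SRC DST: true if an "esp tunnel from SRC to DST" SA exists.
has_sa() {
  printf '%s\n' "$1" | awk -v s="$2" -v t="$3" \
    '$1 == "esp" && $2 == "tunnel" && $4 == s && $6 == t { f = 1 } END { exit !f }'
}

# check_tunnel OUTPUT LOCAL_IP PEER_IP LOCAL_NET REMOTE_NET
# Prints "up" when everything is in place, otherwise "missing:" followed by the
# absent pieces, which points at the direction to investigate.
check_tunnel() {
  out=$1 lip=$2 peer=$3 lnet=$4 rnet=$5 missing=""
  has_flow "$out" "out" "$lnet" "$rnet" "$peer" || missing="$missing outbound-flow"
  has_flow "$out" "in"  "$rnet" "$lnet" "$peer" || missing="$missing inbound-flow"
  has_sa   "$out" "$lip" "$peer"                || missing="$missing outbound-sa"
  has_sa   "$out" "$peer" "$lip"                || missing="$missing inbound-sa"
  if [ -z "$missing" ]; then echo up; else echo "missing:$missing"; fi
}

# Side A's parameters against the sample output: prints "up".
check_tunnel "$SAMPLE_SA" 172.16.123.1 172.16.123.2 192.168.20.0/24 192.168.40.0/24
```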

Start automatically after reboot

On side A, run:

# echo '!route add -net 192.168.40.0/24 172.16.123.2' >> /etc/hostname.yourEXT_IF

On side B, run:

# echo '!route add -net 192.168.20.0/24 172.16.123.1' >> /etc/hostname.yourEXT_IF

Put this on both sides:

# echo 'isakmpd_flags="-K"' >> /etc/rc.conf.local
# echo 'ipsec=YES' >> /etc/rc.conf.local

Reboot and have fun with your IPsec VPN running under OpenBSD.