OpenBSD VPN Road Warrior Setup with IKEv2

Introduction

OpenBSD is known for its security and clean design, making it an ideal choice for a VPN server. In this guide, we will set up a VPN server on OpenBSD 7.3 using iked, the native IKEv2 daemon, which is perfect for road warrior (mobile clients) access. By the end of this guide, you'll have a secure, functional VPN for your clients to connect to from anywhere.

Prerequisites

Before we dive into the setup, ensure you have the following:

  • A VPS or dedicated server running OpenBSD 7.3
  • A domain name or static public IP address for the VPN server
  • Root access to your server

With these in hand, we can begin configuring our VPN server.

Step 1: Configure iked - Generate Certificates and Keys

We will use OpenSSL to generate the CA (Certificate Authority) and the server certificate required by iked. The certificate is what authenticates the VPN server to the clients; the keys that actually encrypt the traffic are negotiated by IKEv2 once that authentication succeeds.

Create the Directory for Private Keys

First, create the necessary directories and set appropriate permissions:

cd /etc/ssl
mkdir private
chmod 700 private

Generate the CA Private Key

This key will be used to sign the server's certificate. It's highly sensitive, so ensure it remains protected:

openssl genrsa -out private/cakey.pem 4096

Create the CA Certificate

Now, generate a self-signed CA certificate that the VPN clients will trust:

openssl req -x509 -new -nodes \
            -key private/cakey.pem \
            -sha256 -days 3650 \
            -out cacert.pem \
            -subj "/C=NL/O=VPN/CN=VPN CA"

Generate the VPN Server Key

Next, generate the private key for the VPN server:

openssl genrsa -out private/vpn-server-key.pem 4096

Create the VPN Server Certificate Signing Request (CSR)

We need a CSR to sign our VPN server certificate:

openssl req -new -key private/vpn-server-key.pem \
            -out vpn-server-csr.pem \
            -subj "/C=NL/O=VPN/CN=vpn.example.com"

Sign the VPN Server Certificate

Sign the CSR with the CA we created earlier. The subjectAltName extension is what makes the certificate valid for vpn.example.com, and it is also the name iked matches against the srcid configured later. The extension is piped into openssl via /dev/stdin, because bash's <( ... ) process substitution is not available in ksh, the default shell on OpenBSD:

printf 'subjectAltName=DNS:vpn.example.com\n' | \
openssl x509 -req -in vpn-server-csr.pem \
             -CA cacert.pem -CAkey private/cakey.pem \
             -CAcreateserial -out vpn-server-cert.pem \
             -days 1825 -sha256 \
             -extfile /dev/stdin

With these steps, we have all the certificates needed to secure our VPN server.
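The whole of Step 1 as one /bin/sh script, added here as an example and not part of the original guide. It repeats the guide's openssl commands in a form that runs under OpenBSD's ksh (no process substitution), verifies the result the way a client will (chain to the CA, SAN carries the server name, key matches the certificate), and copies the files to the places iked actually reads, which the guide's /etc/ssl layout is not: /etc/iked/ca/ for the CA, /etc/iked/certs/ for the server certificate and /etc/iked/private/local.key for its key (iked.conf(5)). Beyond the guide it adds an extendedKeyUsage=serverAuth extension, which several IKEv2 clients require. Function names, the OUTDIR layout and the DEST argument are this example's own.

```shell
#!/bin/sh
# Added example (not the guide's or OpenBSD's code): build, verify and
# install the iked PKI. Assumes only openssl, install and mktemp.
set -eu

# gen_vpn_pki OUTDIR FQDN: CA key/cert and a server key/cert whose
# subjectAltName is FQDN, laid out like the guide's /etc/ssl tree.
gen_vpn_pki() {
    outdir=$1; fqdn=$2
    mkdir -p "$outdir/private"
    chmod 700 "$outdir/private"
    saved=$(umask); umask 077              # keys are born unreadable to others
    openssl genrsa -out "$outdir/private/cakey.pem" 4096
    openssl req -x509 -new -nodes -key "$outdir/private/cakey.pem" \
        -sha256 -days 3650 -out "$outdir/cacert.pem" \
        -subj "/C=NL/O=VPN/CN=VPN CA"
    openssl genrsa -out "$outdir/private/vpn-server-key.pem" 4096
    openssl req -new -key "$outdir/private/vpn-server-key.pem" \
        -out "$outdir/vpn-server-csr.pem" \
        -subj "/C=NL/O=VPN/CN=$fqdn"
    # v3 extensions go through a temp file: ksh has no <( ... ).
    # serverAuth EKU is an addition to the guide (several clients want it).
    ext=$(mktemp)
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" > "$ext"
    openssl x509 -req -in "$outdir/vpn-server-csr.pem" \
        -CA "$outdir/cacert.pem" -CAkey "$outdir/private/cakey.pem" \
        -CAcreateserial -out "$outdir/vpn-server-cert.pem" \
        -days 1825 -sha256 -extfile "$ext"
    rm -f "$ext"
    umask "$saved"
    chmod 644 "$outdir/cacert.pem" "$outdir/vpn-server-cert.pem"   # public parts
}

# verify_vpn_pki OUTDIR FQDN: 0 if the server cert chains to the CA, its
# SAN lists FQDN (what iked matches srcid against) and it fits the key.
verify_vpn_pki() {
    outdir=$1; fqdn=$2
    cert=$outdir/vpn-server-cert.pem; key=$outdir/private/vpn-server-key.pem
    openssl verify -CAfile "$outdir/cacert.pem" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -text \
        | grep -qE "DNS:$fqdn(,|[[:space:]]|\$)" || return 1
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] || return 1
}

# install_vpn_pki OUTDIR FQDN [DEST]: copy the files to iked's directories
# (iked.conf(5)). DEST is /etc/iked on the server; pass a scratch directory
# to try it out without touching the system.
install_vpn_pki() {
    outdir=$1; fqdn=$2; dest=${3:-/etc/iked}
    mkdir -p "$dest/ca" "$dest/certs" "$dest/private"
    chmod 700 "$dest/private"
    install -m 644 "$outdir/cacert.pem" "$dest/ca/ca.crt"
    install -m 644 "$outdir/vpn-server-cert.pem" "$dest/certs/$fqdn.crt"
    install -m 600 "$outdir/private/vpn-server-key.pem" "$dest/private/local.key"
}

# Demo run in a scratch directory: ./mkpki.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    gen_vpn_pki "$work" vpn.example.com
    verify_vpn_pki "$work" vpn.example.com && echo "chain OK: $work"
    install_vpn_pki "$work" vpn.example.com "$work/iked"
fi
```

On the server, run install_vpn_pki with DEST left at its /etc/iked default; the certificate file is named after the srcid so that it is easy to see which policy it belongs to, and clients get cacert.pem (only the CA, never the CA key) to trust.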

Step 2: Edit iked Configuration

OpenBSD's IKE daemon (iked) is configured via /etc/iked.conf. We'll set it up to accept IKEv2 connections for our VPN clients.

Open /etc/iked.conf with your preferred editor:

vim /etc/iked.conf

And add the following configuration. Client credentials for EAP-MSCHAPv2 are declared in separate user lines rather than on the eap line itself, so the file consists of the policy plus one user line per client:

ikev2 "roadwarrior" passive esp \
    from 0.0.0.0/0 to 0.0.0.0/0 \
    local 82.197.198.151 peer any \
    srcid vpn.example.com \
    eap mschap-v2 \
    config address 10.10.10.0/24 \
    config name-server 192.168.2.166 \
    tag "$name"

user "username" "password"

The -6 daemon flag (see iked(8) for its meaning) is not an iked.conf directive; set it with rcctl, which records it as iked_flags in /etc/rc.conf.local:

rcctl set iked flags -6

Let's break this down:

  • local 82.197.198.151: Replace this with your VPN server's public IP.
  • srcid vpn.example.com: This should be the domain name of your server; it must appear in the server certificate's subjectAltName so that iked can select that certificate.
  • eap mschap-v2: Clients authenticate with EAP-MSCHAPv2 (username and password) while the server authenticates with its certificate.
  • user "username" "password": Set the username and password for client authentication; add one user line per client.
  • config address 10.10.10.0/24: The VPN clients will be assigned IP addresses from this subnet.
  • config name-server 192.168.2.166: Set this to your preferred DNS server.
  • tag "$name": Tag the clients' packets in PF with the policy name ("roadwarrior"), so that PF rules can match them.

Step 3: Configure PF Firewall Rules

The OpenBSD Packet Filter (PF) firewall needs to be configured to allow the necessary VPN traffic.

Open the PF configuration file:

vim /etc/pf.conf

Add the following rules to permit IKE and ESP traffic:

pass in quick on egress proto udp from any to any port { 500, 4500 }
pass out quick on egress proto udp from any to any port { 500, 4500 }
pass in quick on enc0 all
pass out quick on enc0 all

These rules:

  • Permit the IKEv2 negotiation on UDP port 500 and the UDP-encapsulated IKE/ESP used for NAT traversal on port 4500.
  • Allow the tunnelled traffic on the enc0 interface, where PF sees the packets in the clear: after ESP decryption on the way in and before encryption on the way out.

Reload the PF configuration:

pfctl -f /etc/pf.conf

Step 4: Enable and Start the iked Service

Finally, we need to enable and start the iked service so that it runs at boot.

Enable the service:

rcctl enable iked

Start the service:

rcctl start iked
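A preflight check for Steps 2 to 4, added as an example and not part of the guide. iked_conf_check() is a small awk parser that joins the backslash-continued policy lines and then catches the mistakes that make iked reject the file or silently ignore a setting: an iked_flags line inside iked.conf (it parses as a harmless macro and the flag is never applied), credentials on the eap line, and an eap mschap-v2 policy with no user lines. iked_preflight() runs it and, on an OpenBSD box, adds iked's own syntax check (iked -n) and a look at the loaded pf rules; those live checks are skipped where the tools are absent. Two caveats it warns about are not covered by the guide's pf rules: they carry no nat-to rule, so clients reach the tunnel but not the Internet unless 10.10.10.0/24 is routed (a match out on egress inet tagged roadwarrior nat-to (egress) rule is the usual fix; see pf.conf(5)), and plain ESP (IP protocol 50) from clients that are not behind NAT is not passed either. Function names and the E:/W:/I: message prefixes are this example's own.

```shell
#!/bin/sh
# Added example (not the guide's or OpenBSD's code): static and live checks
# for a road-warrior iked.conf. Needs only sh and awk; iked/pfctl optional.
set -u

# iked_conf_check FILE: exit 0 if FILE passes; prints E:/I: lines.
iked_conf_check() {
    awk '
        BEGIN { bad = 0; users = 0; mschap = 0; policies = 0 }
        /^[ \t]*#/ { next }                               # full-line comment
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf " " $0; next }   # join "\" lines
        {
            line = buf " " $0; buf = ""
            if (line ~ /^[ \t]*$/) next
            # iked_flags is an rc.conf.local variable, not an iked.conf keyword
            if (line ~ /^[ \t]*iked_flags[ \t]*=/) {
                print "E: iked_flags=... belongs in /etc/rc.conf.local (rcctl set iked flags ...), not in iked.conf"
                bad = 1
            }
            if (line ~ /^[ \t]*user[ \t]+"[^"]*"[ \t]+"[^"]*"/) users++
            if (line ~ /^[ \t]*ikev2[ \t]/) {
                policies++
                if (line ~ /[ \t]eap[ \t]+mschap-v2/) {
                    mschap++
                    # quoted tokens after the eap method are a syntax error
                    if (line ~ /[ \t]eap[ \t]+mschap-v2[ \t]+"/) {
                        print "E: credentials on the eap line; use: user \"name\" \"password\""
                        bad = 1
                    }
                }
                if (match(line, /[ \t]srcid[ \t]+[^ \t]+/)) {
                    s = substr(line, RSTART, RLENGTH); sub(/^[ \t]*srcid[ \t]+/, "", s)
                    print "I: srcid " s " (must be in the server certificate SAN; cert lives in /etc/iked/certs/)"
                }
            }
        }
        END {
            if (!policies) { print "E: no ikev2 policy found"; bad = 1 }
            if (mschap && !users) { print "E: eap mschap-v2 policy but no user \"name\" \"password\" lines"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# iked_preflight [FILE]: static check, then the live checks that only make
# sense on the OpenBSD server itself.
iked_preflight() {
    f=${1:-/etc/iked.conf}
    iked_conf_check "$f" || return 1
    if command -v iked >/dev/null 2>&1; then
        iked -n -f "$f" || return 1                    # iked's own parser, iked(8)
        [ -f /etc/iked/private/local.key ] || \
            echo "W: /etc/iked/private/local.key missing; the server cannot prove its srcid"
    fi
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -sr | grep -q 'udp.*4500' || echo "W: no pf rule for udp 500/4500 is loaded"
        pfctl -sr | grep -q 'nat-to' || \
            echo "W: no nat-to rule loaded: clients will not reach the Internet unless the VPN subnet is routed"
        pfctl -sr | grep -q 'proto esp' || echo "W: no rule passes plain ESP; clients not behind NAT may fail"
    fi
    return 0
}

# Usage on the server: ./iked_preflight.sh check [/etc/iked.conf]
if [ "${1:-}" = "check" ]; then
    iked_preflight "${2:-/etc/iked.conf}"
fi
```

Run it before rcctl start iked; on a non-OpenBSD machine only the static part executes, which is enough to vet a config file before copying it over.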

Conclusion

Congratulations! You've successfully configured OpenBSD as a VPN server using iked. Your road warrior clients can now securely connect to your server from anywhere, and all traffic will be encrypted and secure. OpenBSD's minimalistic approach makes it a great choice for robust, secure VPN setups. Happy VPNing!


By Patrick de Ruiter