Fast and Secure VPN setup with OpenBSD 4.5

Premise

Setting up VPN with IPsec using public / private key authentication between two networks using OpenBSD firewalls.

Concept

Each VPN concentrator will have the public key fo the other machine, and one of the VPN concentrators will be designated as the active requester. The other will be set up in a passive role, to accept the connection initiation, like a central VPN gateway at a datacenter would.

Practical steps

  1. Set up proper rules so that the firewalls pass proper traffic. That is done by adding the line in pf.conf to allow for the gateways to communicate: 
    pass quick on $ext_if from $remote_vpn_gw_ip
  2. Set up the public key for each firewall on it’s counterpart: 
    mkdir -p /etc/isakmpd/pubkeys/ipv4
cp remote_gateway_local.pub /etc/isakmpd/pubkeys/ipv4/xxx.xxx.xxx.xxx

    where xxx.xxx.xxx.xxx is the IP address of the remote gateway. (See below how to generate the public / private keys.)

  3. Create the ipsec.confconfiguration file on the active VPN gateway: 
    GW_LOCAL=ip_of_local_vpn_gateway
GW_REMOTE=ip_of_remote_vpn_gateway
LOCAL_NETWORKS="{ local_net1/mask1, local_net2/mask2, ... }"
REMOTE _NETWORKS="{ remote_net1/mask1, local_net2/mask2, ... }"

ike esp from $LOCAL_NETWORKS to $REMOTE_NETWORKS peer $GW_REMOTE
ike esp from $GW_LOCAL to $REMOTE_NETWORKS peer $GW_REMOTE
ike esp from $GW_LOCAL to $GW_REMOTE
  4. Create the ipsec.confconfiguration file on the passive VPN gateway: 
    GW_LOCAL=ip_of_local_vpn_gateway
GW_REMOTE=ip_of_remote_vpn_gateway
LOCAL_NETWORKS="{ local_net1/mask1, local_net2/mask2, ... }"
REMOTE _NETWORKS="{ remote_net1/mask1, local_net2/mask2, ... }"

ike passive esp from $LOCAL_NETWORKS to $REMOTE_NETWORKS peer $GW_REMOTE
ike passive esp from $GW_LOCAL to $REMOTE_NETWORKS peer $GW_REMOTE
ike passive esp from $GW_LOCAL to $GW_REMOTE
  5. Start the VPN on each VPN gateway: 
    isakmpd -K
ipsecctl -f /etc/ipsec.conf
  6. Test the connections: 
    ipsecctl -sa

    it may take a few minutes for the VPN channels to get established.

Public / Private Keys

Generating Public / Private keys with OpenSSL (on full OpenBSD install, this is already done automatically):

openssl genrsa -out /etc/isakmpd/private/local.key
chmod 600 /etc/isakmpd/private/local.key
openssl rsa -out /etc/isakmpd/private/local.pub -in /etc/isakmpd/private/local.key -pubout

If you are running a lightweight distro like flashdist, then you might need to generate these keys on a different machine.

References


Posted on 2009/06/30 by in OpenBSD

Tags:

About Balazs

View all posts by Balazs