Premise
Setting up VPN with IPsec using public / private key authentication between two networks using OpenBSD firewalls.
Concept
Each VPN concentrator will have the public key of the other machine, and one of the VPN concentrators will be designated as the active requester. The other will be set up in a passive role, accepting the connection initiation, as a central VPN gateway at a datacenter would.
Practical steps
- Set up firewall rules so that the two gateways can reach each other. Add a line to pf.conf that allows traffic from the remote gateway:
pass quick on $ext_if from $remote_vpn_gw_ip
- Set up the public key for each firewall on its counterpart:
mkdir -p /etc/isakmpd/pubkeys/ipv4
cp remote_gateway_local.pub /etc/isakmpd/pubkeys/ipv4/xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is the IP address of the remote gateway. (See below how to generate the public / private keys.)
- Create the ipsec.conf configuration file on the active VPN gateway:
GW_LOCAL=ip_of_local_vpn_gateway
GW_REMOTE=ip_of_remote_vpn_gateway
LOCAL_NETWORKS="{ local_net1/mask1, local_net2/mask2, ... }"
REMOTE_NETWORKS="{ remote_net1/mask1, remote_net2/mask2, ... }"
ike esp from $LOCAL_NETWORKS to $REMOTE_NETWORKS peer $GW_REMOTE
ike esp from $GW_LOCAL to $REMOTE_NETWORKS peer $GW_REMOTE
ike esp from $GW_LOCAL to $GW_REMOTE
- Create the ipsec.conf configuration file on the passive VPN gateway:
GW_LOCAL=ip_of_local_vpn_gateway
GW_REMOTE=ip_of_remote_vpn_gateway
LOCAL_NETWORKS="{ local_net1/mask1, local_net2/mask2, ... }"
REMOTE_NETWORKS="{ remote_net1/mask1, remote_net2/mask2, ... }"
ike passive esp from $LOCAL_NETWORKS to $REMOTE_NETWORKS peer $GW_REMOTE
ike passive esp from $GW_LOCAL to $REMOTE_NETWORKS peer $GW_REMOTE
ike passive esp from $GW_LOCAL to $GW_REMOTE
- Start the VPN on each VPN gateway:
isakmpd -K
ipsecctl -f /etc/ipsec.conf
- Test the connections:
ipsecctl -sa
It may take a few minutes for the VPN channels to get established.
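The two ipsec.conf files above are mirror images of each other, and the peer's public key file has to be named exactly after the peer's address, so hand-editing both sides is where mistakes creep in. The following POSIX sh script is an added example, not part of the original page or of OpenBSD: it validates the gateway addresses, prints the public-key install path, and generates the active and passive ipsec.conf from one parameter set. The addresses and networks in the demonstration at the bottom are constructed values (RFC 5737 documentation ranges), not real sites.

```shell
#!/bin/sh
# Added example (not from the original page): generate the active and
# passive ipsec.conf files described above from one set of parameters.

# is_ipv4 ADDR -> returns 0 if ADDR is a dotted-quad IPv4 address, 1 otherwise.
# isakmpd looks up the peer's key under /etc/isakmpd/pubkeys/ipv4/<address>,
# so a malformed address silently breaks authentication; check it first.
is_ipv4() {
    ip=$1
    n=0
    while [ -n "$ip" ]; do
        octet=${ip%%.*}
        case $octet in
            ''|*[!0-9]*) return 1 ;;     # empty or non-numeric octet
        esac
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        [ "$ip" = "$octet" ] && break     # last octet consumed
        ip=${ip#*.}
        [ -n "$ip" ] || return 1          # trailing dot
    done
    [ "$n" -eq 4 ]
}

# pubkey_path PEER_IP -> prints where the peer's public key must be copied.
pubkey_path() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    echo "/etc/isakmpd/pubkeys/ipv4/$1"
}

# gen_ipsec_conf ROLE GW_LOCAL GW_REMOTE "LOCAL_NETS" "REMOTE_NETS"
# ROLE is "active" or "passive". Network lists are comma-separated, as
# they appear inside the braces of the ipsec.conf macros.
gen_ipsec_conf() {
    role=$1 gw_local=$2 gw_remote=$3 local_nets=$4 remote_nets=$5
    is_ipv4 "$gw_local"  || { echo "bad local gateway: $gw_local" >&2; return 1; }
    is_ipv4 "$gw_remote" || { echo "bad remote gateway: $gw_remote" >&2; return 1; }
    case $role in
        active)  mode= ;;
        passive) mode="passive " ;;
        *) echo "role must be active or passive" >&2; return 1 ;;
    esac
    # Unquoted heredoc: $gw_* and $mode expand now, the escaped macros
    # stay literal so ipsec.conf expands them itself.
    cat <<EOF
# ipsec.conf for the $role side (generated)
GW_LOCAL=$gw_local
GW_REMOTE=$gw_remote
LOCAL_NETWORKS="{ $local_nets }"
REMOTE_NETWORKS="{ $remote_nets }"

ike ${mode}esp from \$LOCAL_NETWORKS to \$REMOTE_NETWORKS peer \$GW_REMOTE
ike ${mode}esp from \$GW_LOCAL to \$REMOTE_NETWORKS peer \$GW_REMOTE
ike ${mode}esp from \$GW_LOCAL to \$GW_REMOTE
EOF
}

# Demonstration with constructed addresses: site A (active) at 203.0.113.1,
# site B (passive) at 198.51.100.1. Note the swapped local/remote arguments.
echo "site A must install site B's key at: $(pubkey_path 198.51.100.1)"
gen_ipsec_conf active  203.0.113.1  198.51.100.1 "10.0.1.0/24, 10.0.2.0/24" "10.1.0.0/24"
echo
gen_ipsec_conf passive 198.51.100.1 203.0.113.1  "10.1.0.0/24" "10.0.1.0/24, 10.0.2.0/24"
```

Redirect each generated block into /etc/ipsec.conf on the matching gateway, then load it with `ipsecctl -f /etc/ipsec.conf` as in the steps above; `ipsecctl -n -f /etc/ipsec.conf` parses the file without loading it, which is a cheap check before touching a live gateway.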
Public / Private Keys
Generating public / private keys with OpenSSL (on a full OpenBSD install this is already done automatically):
openssl genrsa -out /etc/isakmpd/private/local.key
chmod 600 /etc/isakmpd/private/local.key
openssl rsa -out /etc/isakmpd/private/local.pub -in /etc/isakmpd/private/local.key -pubout
If you are running a lightweight distro like flashdist, then you might need to generate these keys on a different machine.
