Tag Archives: vpn

Another howto for the sake of posterity :)

Create /etc/ipsec.conf on Machine A


## machine A
# external IP: 111.111.111.111
# internal network: 192.168.1.0/24
## machine B
# external IP: 222.222.222.222
# internal network: 192.168.2.0/24

ike esp from 192.168.1.0/24 to 192.168.2.0/24 peer 222.222.222.222 psk supersecretpassphrase
ike esp from 111.111.111.111 to 192.168.2.0/24 peer 222.222.222.222 psk supersecretpassphrase
ike esp from 111.111.111.111 to 222.222.222.222 psk supersecretpassphrase

Create /etc/ipsec.conf on Machine B


ike esp from 192.168.2.0/24 to 192.168.1.0/24 peer 111.111.111.111 psk supersecretpassphrase
ike esp from 222.222.222.222 to 192.168.1.0/24 peer 111.111.111.111 psk supersecretpassphrase
ike esp from 222.222.222.222 to 111.111.111.111 psk supersecretpassphrase

Edit /etc/rc.conf.local on both machines


## start the isakmpd
isakmpd_flags="-K"
ipsec=YES

Allow VPN traffic on Machine A


vpn_net = "192.168.2.0/24"

pass in quick on tun0
pass out quick on tun0
pass in quick on $int_if from $lan_net to $vpn_net
pass out quick on $int_if from $vpn_net to any


Allow VPN traffic on Machine B


vpn_net = "192.168.1.0/24"

pass in quick on tun0
pass out quick on tun0
pass in quick on $int_if from $lan_net to $vpn_net
pass out quick on $int_if from $vpn_net to any



Reboot the machine to check if everything starts at boot

Running netstat -rn on Machine A should give something like:


Encap:
Source               Port  Destination          Port  Proto SA(Address/Proto/Type/Direction)
192.168.2/24         0     111.111.111.111/32   0     0     222.222.222.222/esp/use/in
111.111.111.111/32   0     192.168.2/24         0     0     222.222.222.222/esp/require/out
222.222.222.222/32   0     111.111.111.111/32   0     0     222.222.222.222/esp/use/in
111.111.111.111/32   0     222.222.222.222/32   0     0     222.222.222.222/esp/require/out
192.168.2/24         0     192.168.1/24         0     0     222.222.222.222/esp/use/in
192.168.2/24         0     192.168.2/24         0     0     222.222.222.222/esp/require/out
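The two ipsec.conf files above are mirror images of each other, which is easy to get wrong by hand. As an added example (not from the original post), this Python helper builds the three flows each gateway needs from its own parameters and checks that a pair of configs point at each other with one shared PSK; the function names are my own.

```python
import re

FLOW = re.compile(r"^ike esp from (\S+) to (\S+)(?: peer (\S+))? psk (\S+)$")

def gateway_flows(local_ext, local_lan, remote_ext, remote_lan, psk):
    """Three flows per gateway, as on the page: LAN-to-LAN, own address to the
    remote LAN, and gateway-to-gateway ('peer' omitted: the 'to' host is the peer)."""
    return [
        f"ike esp from {local_lan} to {remote_lan} peer {remote_ext} psk {psk}",
        f"ike esp from {local_ext} to {remote_lan} peer {remote_ext} psk {psk}",
        f"ike esp from {local_ext} to {remote_ext} psk {psk}",
    ]

def parse_flows(text):
    """(src, dst, peer, psk) per line; peer defaults to the 'to' address."""
    flows = []
    for line in text.strip().splitlines():
        m = FLOW.match(line.strip())
        if not m:
            raise ValueError("unsupported flow line: " + line)
        src, dst, peer, psk = m.groups()
        flows.append((src, dst, peer or dst, psk))
    return flows

def check_pair(conf_a, conf_b, ext_a, ext_b):
    """Problems found: a flow whose peer is not the other gateway, or PSKs that differ."""
    problems = []
    a, b = parse_flows(conf_a), parse_flows(conf_b)
    for name, flows, want in (("A", a, ext_b), ("B", b, ext_a)):
        for src, dst, peer, _ in flows:
            if peer != want:
                problems.append(f"{name}: {src}->{dst} peers with {peer}, expected {want}")
    psks = {f[3] for f in a + b}
    if len(psks) != 1:
        problems.append("PSK differs between gateways")
    return problems

if __name__ == "__main__":
    # Parameters taken from the page's machine A / machine B comments.
    A = "\n".join(gateway_flows("111.111.111.111", "192.168.1.0/24", "222.222.222.222", "192.168.2.0/24", "supersecretpassphrase"))
    B = "\n".join(gateway_flows("222.222.222.222", "192.168.2.0/24", "111.111.111.111", "192.168.1.0/24", "supersecretpassphrase"))
    print(A, B, sep="\n\n")
    print(check_pair(A, B, "111.111.111.111", "222.222.222.222") or "both gateways consistent")
```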

I’m posting this for posterity’s sake. Tested on OpenBSD 4.2 and 4.3 servers with Win XP SP2, Mac OS X 10.5.2 and iPhone 2.0.1 clients.

Download and install the Poptop package found here.

Create additional tunnel devices:

# cd /dev
# ./MAKEDEV tun? (where ? is the device number)

/dev/tun0 to /dev/tun3 exist by default. The number of tun devices determines the number of concurrent users allowed.

By default, Poptop looks for its configuration file in /etc/pptpd.conf. So let’s create that file now:

# pppd configuration file
option /etc/ppp/ppp.conf
# IP address of your server-side PPTP connection
# Should be from an unused subnet
localip 10.10.10.1
# IP address range of your PPTP clients
remoteip 10.10.10.100-200
# IP address where Poptop will bind to
listen 123.123.123.123
# PID file (can be used for monitoring)
pidfile /var/run/pptpd.pid
noipparam

Now, let’s create the pppd config file. It doesn’t have to be named like this. It can be /etc/ppp/shitballs.conf as long as you reference it correctly in pptpd.conf.

loop:
set timeout 0
set log phase chat connect lcp ipcp command
set device localhost:pptp
set dial
set login
set mppe * stateless
set ifaddr 10.10.10.1 10.10.10.100-10.10.10.200 255.255.255.255
set server /tmp/loop "" 0177

loop-in:
set timeout 0
set log phase lcp ipcp command
allow mode direct

pptp:
load loop
disable pap
disable chap
enable mschapv2
disable deflate pred1
deny deflate pred1
disable ipv6
accept mppe
enable proxy
accept dns
set dns 192.168.1.1
set nbns 192.168.1.1
set filter in 0 deny 192.168.1.0/24 0
set filter in 4 permit udp src eq 53
set filter out 4 permit udp dst eq 53
set filter in 6 permit 0/0 192.168.1.0/24
set filter out 6 permit 192.168.1.0/24 0/0
set filter in 7 permit icmp
set filter out 7 permit icmp
set filter in 8 permit udp dst gt 33433
set filter out 9 permit udp dst gt 33433
set device !/etc/ppp/secure

We also need to create the /etc/ppp/secure file and make sure it has the execute bit set.

#!/bin/sh
exec /usr/sbin/ppp -direct loop-in

The next file to create is /etc/ppp/ppp.secret. This contains the usernames, passwords and, optionally, the static IP of each dial-in user.

# username   password                static IP
johndoe      mysupersecretpassword   *
janedoe      johnisgay               10.10.10.150
admin        secret                  *

Secure the file. It should be mode 0400.
Remember to create ppp.log and reload syslogd:

# touch /var/log/ppp.log
# kill -HUP <syslogd PID>

There will be two syslogd processes running; send the HUP to the one running as root.

Add the following lines to /etc/rc.local so that Poptop starts automatically after a reboot.

if [ -x /usr/local/sbin/pptpd ]; then
echo -n " pptpd"; /usr/local/sbin/pptpd -d
fi

Last but not least, we need to allow traffic from PPTP clients. Add these to your pf.conf and reload pf.

pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
pass out quick on $ext_if proto gre from $ext_if to any keep state

pass in quick log on tun0 all
pass out quick log on tun0 all
pass in quick log on tun1 all
pass out quick log on tun1 all

It is a good practice to give the machine a reboot to see if everything went well.

NOTE: For Mac OS X clients (including the iPhone), edit your /Library/Preferences/SystemConfiguration/preferences.plist file and change the value of CCPEnabled to 0.
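The set filter lines in the pptp: section above are what keep dial-in users confined to the 192.168.1.0/24 LAN, and the easiest way to see that is to evaluate them against sample packets. The Python simulator below is an added example, not part of the original post or of ppp(8); its rule semantics (slots evaluated in ascending order, first match wins, default deny once any rule exists, a bare 0 meaning any address) are my reading of ppp(8) and are marked as assumptions in the code. It shows a client reaching the LAN being permitted, a client spoofing a LAN source being dropped by slot 0, and a client trying to reach the Internet over TCP through the tunnel being denied.

```python
import ipaddress

# Filter block copied from the page's /etc/ppp/ppp.conf "pptp:" section.
PPP_FILTER = """
set filter in 0 deny 192.168.1.0/24 0
set filter in 4 permit udp src eq 53
set filter out 4 permit udp dst eq 53
set filter in 6 permit 0/0 192.168.1.0/24
set filter out 6 permit 192.168.1.0/24 0/0
set filter in 7 permit icmp
set filter out 7 permit icmp
set filter in 8 permit udp dst gt 33433
set filter out 9 permit udp dst gt 33433
"""

CMP = {"lt": int.__lt__, "eq": int.__eq__, "gt": int.__gt__}

def parse_rules(text):
    """set filter DIR SLOT ACTION [src dst] [proto] [src|dst lt|eq|gt PORT]...
    A bare '0' or '0/0' is read as any address (assumption, matching the page's usage)."""
    rules = {"in": [], "out": []}
    for line in text.strip().splitlines():
        t = line.split()
        direction, slot, action, rest = t[2], int(t[3]), t[4], t[5:]
        nets = []
        while rest and rest[0][0].isdigit():          # address tokens come first
            a = rest.pop(0)
            nets.append(ipaddress.ip_network("0.0.0.0/0" if a in ("0", "0/0") else a, strict=False))
        proto = rest.pop(0) if rest and rest[0] in ("tcp", "udp", "icmp") else None
        ports = [(rest[i], CMP[rest[i + 1]], int(rest[i + 2])) for i in range(0, len(rest), 3)]
        rules[direction].append((slot, action, nets, proto, ports))
    for d in rules:
        rules[d].sort(key=lambda r: r[0])              # assumption: slots evaluated in ascending order
    return rules

def matches(rule, src, dst, proto, sport, dport):
    _, _, nets, rproto, ports = rule
    if nets and not (ipaddress.ip_address(src) in nets[0] and ipaddress.ip_address(dst) in nets[1]):
        return False
    if rproto and rproto != proto:
        return False
    return all(cmp(sport if which == "src" else dport, port) for which, cmp, port in ports)

def verdict(rules, direction, src, dst, proto, sport=0, dport=0):
    """'in' is a packet received from the PPTP client, 'out' one sent to it.
    First matching slot wins; once any rule exists, no match means deny (assumed ppp(8) default)."""
    for rule in rules[direction]:
        if matches(rule, src, dst, proto, sport, dport):
            return rule[1]
    return "deny" if rules[direction] else "permit"
```

Call verdict(parse_rules(PPP_FILTER), "in", "10.10.10.100", "8.8.8.8", "tcp", 40000, 443) to confirm that the tunnel does not turn the server into an open gateway for its clients.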