A Simple OpenIKEd mac-to-site VPN

How to setup a simple mac-to-site OpenIKEd based VPN on OpenBSD


I have a mac laptop that, on occasion, I like to be able to connect to my home network while I am away. On my router I use OpenIKEd running on OpenBSD if it wasn’t obvious from my previous post. This post is an outline of what you need to do to get them to work together. It is not intended to be exhaustive. The goal is to produce a good base configuration which you can tune to your own liking.


  • Public facing router running OpenBSD 6.2 or later
  • A remote mac running MacOS 10.12.0 or later
  • Apple Configurator 2

Note: Other versions will likely work as well, though they may require minor changes.

Sample Data

In this example we will be connecting the laptop to the router via a VPN while configuring it to appear as though it is on the local network. Minimal restrictions will be applied to the laptops access. I recommend you apply sensible restrictions in your implementation.


  • Identifier: mac.example.com
  • Public Address:
  • VPN Address:


  • Identifier: router.example.com
  • Public Address:
  • Local Subnet:
  • VPN Subnet:

using the pre-shared key:


This setup assumes openIKEd is already setup in a similar manner to my previous post.

Configuring the Router


Add the remote computer to you iked.conf.

in /etc/iked.conf on
local_id		= "router.example.com"
local_gw		= ""
local_net		= ""

remote_id		= "mac.example.com"
remote_gw		= ""
remote_addr		= ""
remote_state	= "passive"
remote_tap		= "enc0"
below macros in /etc/iked.conf on
ikev2 "mac-site" $remote_state esp \
	from $remote_addr ($remote_gw) to $local_gw \
	from $remote_addr ($remote_gw) to $local_net \
	from $local_gw to $remote_addr \
	from $local_net to $remote_addr \
	local $local_gw peer $remote_gw \
	ikesa enc aes-256 group modp4096 auth hmac-sha2-512 prf hmac-sha2-512 \
	childsa enc aes-256-gcm group modp4096 \
	srcid $local_id dstid $remote_id \
	psk "0jGsrzx1i*)J8]$0XQT~+*Y!{)mw@+uuF7Lim<[VGq?K&~i!=9!;@DT0h{QLuC}6" \
	config address $remote_addr \
	tag "$name-$id" tap $remote_tap


Add the remote address to your vpn_peers table.

in /etc/pf.conf on
table <vpn_peers> const { }

Configuring the Mac

Open Apple Configurator 2. Create a new profile. Setup the general section as you like. Go to VPN. Configure:

Connection Name:Whatever you want it to be labeled
Connection Type:IKEv2
Remote Identifier:router.example.com
Local Identifier:mac.example.com
Machine Authentication:Shared Secret
Shared Secret:0jGsrzx1i*)J8]$0XQT~+*Y!{)mw@+uuF7Lim<[VGq?K&~i!=9!;@DT0h{QLuC}6
Enable perfect forward secrecy:true

IKE SA Params

Encryption Algorithm:AES-256
Integrity Algorithm:SHA2-512
Diffie-Hellman Group:16

Child SA Params

Encryption Algorithm:AES-256-GCM
Integrity Algorithm:SHA2-256
Diffie-Hellman Group:16

Changing your IP

This configuration requires that you update the <vpn_peers> table and the remote_gw with the new address of the laptop whenever it changes. This can be a pain, but is better then leaving the service open to the world.

Further Resources


Any source in this article is released under the ISC License.