A Simple OpenIKEd mac-to-site VPN
How to set up a simple mac-to-site OpenIKEd based VPN on OpenBSD
I have a Mac laptop that, on occasion, I want to connect to my home network while I am away. My router runs OpenIKEd on OpenBSD, if that wasn't obvious from my previous post. This post outlines what you need to do to get the two to work together. It is not intended to be exhaustive; the goal is a good base configuration that you can tune to your own liking.
- Public facing router running OpenBSD 6.2 or later
- A remote Mac running macOS 10.12.0 or later
- Apple Configurator 2
Note: Other versions will likely work as well, though they may require minor changes.
In this example we will connect the laptop to the router over a VPN and configure it so that it appears to be on the local network. Minimal restrictions will be applied to the laptop's access; I recommend you apply sensible restrictions in your own implementation.
The laptop:
- Identifier: mac.example.com
- Public Address: 220.127.116.11
- VPN Address: 10.1.0.1

The router:
- Identifier: router.example.com
- Public Address: 18.104.22.168
- Local Subnet: 10.0.0.0/24
- VPN Subnet: 10.1.0.0/31
using the pre-shared key:
This setup assumes OpenIKEd is already set up in a similar manner to my previous post.
Configuring the Router
Add the remote computer to you
Add the remote address to your
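The router-side files did not survive on this page, so the following is an added example (not the post's own configuration) of what the two pieces look like with the values above. It assumes a pf table named <vpn_peers> that gates IKE and ESP to the laptop's current public address, an iked.conf that carries that address in a remote_gw macro, OpenBSD's standard egress interface group, plain routing between the LAN and the laptop's VPN address, and proposals (AES-256, SHA-256, MODP2048, with PFS on the child SA) that must match whatever you set in the profile's IKE SA and Child SA parameters. The pre-shared key is a placeholder, since the page does not carry the real one.

```conf
# /etc/pf.conf (fragment, added example): only the laptop's current public
# address may talk IKE to the router. Everything else is handled by the
# default-deny rules that precede this in the ruleset.
table <vpn_peers> { 220.127.116.11 }

# IKEv2 on UDP 500, NAT traversal on UDP 4500, then the ESP tunnel itself.
pass in quick on egress inet proto udp from <vpn_peers> to (egress) port { 500, 4500 }
pass in quick on egress inet proto esp from <vpn_peers> to (egress)

# Decrypted packets appear on enc0; let the laptop reach the LAN and back.
pass in  on enc0 inet from 10.1.0.1 to 10.0.0.0/24
pass out on enc0 inet from 10.0.0.0/24 to 10.1.0.1

# /etc/iked.conf (added example)
local_gw  = "18.104.22.168"    # router's public address
remote_gw = "220.127.116.11"   # laptop's public address; edit when it changes

# passive: the router never initiates, it waits for the laptop to connect.
# The flow covers traffic between the LAN and the laptop's VPN address, and
# "config address" hands that address to the laptop during the exchange.
# The psk value is a placeholder, not the key from the post.
ikev2 "mac" passive esp \
    from 10.0.0.0/24 to 10.1.0.1 \
    local $local_gw peer $remote_gw \
    ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
    childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
    srcid "router.example.com" dstid "mac.example.com" \
    psk "REPLACE_WITH_THE_PRE_SHARED_KEY" \
    config address 10.1.0.1
```

Run iked -n to syntax-check iked.conf before reloading it with ikectl reload, and pfctl -f /etc/pf.conf for the ruleset. When the laptop's address changes, pfctl -t vpn_peers -T replace NEWADDR swaps the table entry without reloading the whole ruleset; remote_gw still has to be edited and iked reloaded. Note that the address to enter is the one the laptop appears from, so behind a hotel or coffee-shop NAT it is that NAT's public address, not the one the laptop sees on its own interface.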
Configuring the Mac
Open Apple Configurator 2 and create a new profile. Set up the General section as you like, then go to VPN and configure:
|Enable perfect forward secrecy:|
IKE SA Params
Child SA Params
Changing your IP
This configuration requires that you update the <vpn_peers> table and remote_gw with the new address of the laptop whenever it changes. This can be a pain, but it is better than leaving the service open to the world.
Any source in this article is released under the ISC License.