A Simple OpenIKEd mac-to-site VPN

How to set up a simple mac-to-site OpenIKEd based VPN on OpenBSD

2019

I have a Mac laptop that, on occasion, I like to be able to connect to my home network while I am away. On my router I use OpenIKEd running on OpenBSD, as may be obvious from my previous post. This post outlines what you need to do to get the two to work together. It is not intended to be exhaustive; the goal is a good base configuration which you can tune to your own liking.

Requirements

  • Public facing router running OpenBSD 6.2 or later
  • A remote Mac running macOS 10.12.0 or later
  • Apple Configurator 2

Note: Other versions will likely work as well, though they may require minor changes.

Sample Data

In this example we will be connecting the laptop to the router via a VPN, configured so that the laptop can reach the local network as if it were on it. Minimal restrictions will be applied to the laptop's access; I recommend you apply sensible restrictions in your own implementation.

Laptop:

  • Identifier: mac.example.com
  • Public Address: 1.2.3.4
  • VPN Address: 10.1.0.1

Router:

  • Identifier: router.example.com
  • Public Address: 5.6.7.8
  • Local Subnet: 10.0.0.0/24
  • VPN Subnet: 10.1.0.0/31

using this pre-shared key (a sample only; generate your own, for example with openssl rand -base64 48, and never reuse one that has been published):

0jGsrzx1i*)J8]$0XQT~+*Y!{)mw@+uuF7Lim<[VGq?K&~i!=9!;@DT0h{QLuC}6

This setup assumes OpenIKEd is already set up in a similar manner to my previous post.

Configuring the Router

OpenIKEd

Add the remote computer to your iked.conf.

In /etc/iked.conf on 5.6.7.8, define the macros:
local_id		= "router.example.com"
local_gw		= "5.6.7.8"
local_net		= "10.0.0.0/24"

remote_id		= "mac.example.com"
remote_gw		= "1.2.3.4"
remote_addr		= "10.1.0.1"
remote_state	= "passive"
remote_tap		= "enc0"
Below the macros in /etc/iked.conf on 5.6.7.8, add the policy. It is passive, so the router only answers the laptop and never initiates; the four from/to lines select traffic between the laptop's VPN address and both the router itself and the local subnet; config address hands 10.1.0.1 to the laptop when it connects, and the tag lets pf match the tunnel's traffic by policy name and peer identity:
ikev2 "mac-site" $remote_state esp \
	from $remote_addr ($remote_gw) to $local_gw \
	from $remote_addr ($remote_gw) to $local_net \
	from $local_gw to $remote_addr \
	from $local_net to $remote_addr \
	local $local_gw peer $remote_gw \
	ikesa enc aes-256 group modp4096 auth hmac-sha2-512 prf hmac-sha2-512 \
	childsa enc aes-256-gcm group modp4096 \
	srcid $local_id dstid $remote_id \
	psk "0jGsrzx1i*)J8]$0XQT~+*Y!{)mw@+uuF7Lim<[VGq?K&~i!=9!;@DT0h{QLuC}6" \
	config address $remote_addr \
	tag "$name-$id" tap $remote_tap

pf

Add the remote address to your vpn_peers table.

in /etc/pf.conf on 5.6.7.8
table <vpn_peers> const { 1.2.3.4 }

Configuring the Mac

Open Apple Configurator 2. Create a new profile. Set up the general section as you like. Go to VPN. Configure:

Connection Name: whatever you want it to be labeled
Connection Type: IKEv2
Server: 5.6.7.8
Remote Identifier: router.example.com
Local Identifier: mac.example.com
Machine Authentication: Shared Secret
Shared Secret: 0jGsrzx1i*)J8]$0XQT~+*Y!{)mw@+uuF7Lim<[VGq?K&~i!=9!;@DT0h{QLuC}6
Enable perfect forward secrecy: true

IKE SA Params

Encryption Algorithm: AES-256
Integrity Algorithm: SHA2-512
Diffie-Hellman Group: 16

Child SA Params

Encryption Algorithm: AES-256-GCM
Integrity Algorithm: SHA2-256
Diffie-Hellman Group: 16

These must match the ikesa and childsa lines in iked.conf: Diffie-Hellman group 16 is the 4096-bit MODP group (modp4096 in iked), and enabling perfect forward secrecy is what the group modp4096 on the childsa line requires. AES-256-GCM is an AEAD cipher, so no separate integrity algorithm is negotiated for the Child SA and the SHA2-256 value here only satisfies the form; the IKE SA integrity algorithm, on the other hand, must match the hmac-sha2-512 in iked.conf.

Changing your IP

This configuration requires that you update the <vpn_peers> table and the remote_gw macro with the laptop's new address whenever it changes. Because the table is declared const, pfctl -t vpn_peers -T add will refuse to alter it; edit pf.conf and reload the ruleset instead, and reload iked after changing remote_gw. This can be a pain, but it is better than leaving the service open to the world.
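The edit-and-reload step above, as an added shell script that is not part of the original post. It assumes the file layout shown in this post (a remote_gw macro line in iked.conf and a single-line vpn_peers table in pf.conf) and OpenBSD's iked(8), pfctl(8) and ikectl(8); the script name update-peer.sh is made up. It validates the new address, rewrites both files through temporary copies, parse-checks the copies with iked -n and pfctl -n where those tools exist, and only then commits and reloads:

```shell
#!/bin/sh
# Added example (not from the original post): rotate the laptop's public
# address in both router-side files and reload the daemons.  It assumes the
# layout shown in the post: a `remote_gw = "..."` macro line in iked.conf and
# a one-line `table <vpn_peers> const { ... }` in pf.conf.  Run on the router
# as root, e.g.:  sh update-peer.sh 9.8.7.6 /etc/iked.conf /etc/pf.conf

# Accept only a dotted quad whose four octets are all in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    set -- $(printf '%s\n' "$1" | tr . ' ')
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Rewrite remote_gw in iked.conf and the vpn_peers table in pf.conf.
# Arguments: new address, path to iked.conf, path to pf.conf.
set_peer_address() {
    new=$1 iked_conf=$2 pf_conf=$3
    valid_ipv4 "$new" || { echo "not an IPv4 address: $new" >&2; return 1; }

    old=$(sed -n 's/^remote_gw[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$iked_conf")
    [ -n "$old" ] || { echo "no remote_gw macro in $iked_conf" >&2; return 1; }
    old_re=$(printf '%s\n' "$old" | sed 's/\./\\./g')   # match dots literally

    # Edit copies first so a failure never leaves a half-written config.
    sed "s/^\(remote_gw[[:space:]]*=[[:space:]]*\)\"$old_re\"/\1\"$new\"/" \
        "$iked_conf" > "$iked_conf.tmp"
    sed "s/^\(table <vpn_peers> const {[[:space:]]*\)$old_re\([[:space:]]*}\)/\1$new\2/" \
        "$pf_conf" > "$pf_conf.tmp"

    # Both copies must now carry the new address; otherwise the pf table did
    # not hold the old one and the two files had drifted apart.
    if ! grep -q "^remote_gw.*\"$new\"" "$iked_conf.tmp" ||
       ! grep -q "^table <vpn_peers> const { *$new *}" "$pf_conf.tmp"; then
        echo "vpn_peers table in $pf_conf did not contain $old; nothing changed" >&2
        rm -f "$iked_conf.tmp" "$pf_conf.tmp"
        return 1
    fi

    # On the router, parse-check the candidates before committing them.
    if command -v iked >/dev/null 2>&1; then
        if ! iked -n -f "$iked_conf.tmp" || ! pfctl -n -f "$pf_conf.tmp"; then
            rm -f "$iked_conf.tmp" "$pf_conf.tmp"
            return 1
        fi
    fi

    # Redirecting into the existing files (rather than mv) keeps their owner
    # and mode, so iked.conf stays 0600 and the PSK is not exposed.
    cat "$iked_conf.tmp" > "$iked_conf" && cat "$pf_conf.tmp" > "$pf_conf"
    rm -f "$iked_conf.tmp" "$pf_conf.tmp"
}

# Load the new ruleset and make iked re-read its policy.  The SA bound to the
# old address is left to expire: the laptop is no longer there to use it.
reload_vpn() {
    pfctl -f "$1" && ikectl reload
}

if [ $# -eq 3 ]; then
    set_peer_address "$1" "$2" "$3" && reload_vpn "$3"
fi
```

The parse check is skipped where iked is not installed, so the rewrite can be rehearsed against copies of the two files on any machine before it is run on the router.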

Further Resources

License

Any source in this article is released under the ISC License.