I have been using OpenVPN for quite some time now and although it works great I thought I would try using OpenIKED as it is in base. As a starting point I am using the configs from OpenIKED's site with no changes to the configs except my IP addresses.
http://puffysecurity.com/wiki/openikedoffshore.html
Server:
Code:
ikev2 passive ipcomp esp \
from 0.0.0.0/0 to 10.0.0.0/8 \
from 0.0.0.0/0 to 172.16.0.0/12 \
from 0.0.0.0/0 to 192.168.0.0/16 \
local 127.88.32.103 peer any \
srcid 127.88.32.103 \
tag IKED
Client:
Code:
ikev2 active ipcomp esp \
from 10.0.0.0/8 to 0.0.0.0/0 \
from 172.16.0.0/12 to 0.0.0.0/0 \
from 192.168.0.0/16 to 0.0.0.0/0 \
peer 127.88.32.103 \
srcid behind.nat.host.example.com \
tag IKED
I am using the same pf.conf files for now as well.
Server:
Code:
set reassemble yes
set block-policy return
set loginterface egress
set skip on { lo, enc }
match in all scrub (no-df random-id max-mss 1440)
table <bruteforce> persist
block in log
block in quick from urpf-failed label uRPF
block quick from <bruteforce>
pass out all modulate state
pass in on egress proto udp from any to any port { isakmp, ipsec-nat-t }
pass in on egress proto { ah, esp }
pass out on egress \
from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
to { ! 10.0.0.0/8, ! 172.16.0.0/12, ! 192.168.0.0/16 } \
nat-to (egress)
pass in quick inet proto icmp icmp-type { echoreq, unreach }
pass in quick proto tcp from any \
to (egress) port ssh \
flags S/SA modulate state \
(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
Client:
Code:
set reassemble yes
set block-policy return
set loginterface egress
set skip on { lo, enc }
match in all scrub (no-df random-id max-mss 1440)
table <bruteforce> persist
block in log
block in quick from urpf-failed label uRPF
block quick from <bruteforce>
pass out all modulate state
pass in quick inet proto icmp icmp-type { echoreq, unreach }
pass in quick proto tcp from any \
to (egress) port ssh \
flags S/SA modulate state \
(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
My web traffic is being routed through the VPN and now I am moving on to using Unbound on the VPN server to handle DNS. The way I did this with OpenVPN was to have Unbound running on the VPN server, listening on 127.0.0.1, and to redirect packets coming in on the VPN interface and headed for port 53 to 127.0.0.1; Unbound would pick them up from there and resolve my DNS requests.
OpenIKED is a little different though, as it appears there are no *separate IP addresses* for the VPN network.
I am a little stumped, and maybe mostly frustrated, as I have spent the last few days trying to come up with the right firewall rules to make this happen. I think, though, I am missing something big and probably obvious.
So my questions are:
1. Using this setup, is it possible to reroute DNS requests using just pf?
2. Do I need to add additional flows to iked.conf to make this happen?
3. In the man pages I can see that there are options to assign internal addresses to peers; will I need this to accomplish my goal?
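As an added example (editor's illustration, not part of the original post or the puffysecurity wiki configs), the server-side pf.conf fragment below shows the OpenVPN-style "redirect port 53 to 127.0.0.1" approach applied to the IKEv2 setup above. It assumes Unbound is already listening on 127.0.0.1:53 and that the `tag IKED` from the posted iked.conf is in place; the one change to the posted ruleset it depends on is that `enc` is removed from `set skip`, because pf never evaluates rules (including `rdr-to`) on a skipped interface.

```pf
# Added example: server pf.conf fragment for redirecting tunnel DNS to
# a local Unbound on 127.0.0.1 (assumes the IKEv2 flows carry "tag IKED").

vpn_nets = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Decrypted IPsec packets are handed to pf on the enc(4) interface.
# The posted rulesets use "set skip on { lo, enc }"; with enc skipped,
# no rule below can ever see or redirect the tunnel traffic.
set skip on lo

# Let the decrypted client traffic in; "tagged IKED" restricts this to
# packets that arrived through the SAs created by the tagged flows.
pass in on enc0 inet from $vpn_nets tagged IKED

# Redirect DNS arriving over the tunnel to the local resolver.
# The source address is left unchanged, so Unbound must allow $vpn_nets.
pass in quick on enc0 inet proto { udp, tcp } \
    from $vpn_nets to any port domain \
    tagged IKED rdr-to 127.0.0.1

# Remaining tunnel traffic keeps leaving via NAT exactly as in the
# posted ruleset; DNS never reaches this rule because it was already
# redirected to loopback by the quick rule above.
pass out on egress \
    from $vpn_nets \
    to { ! 10.0.0.0/8, ! 172.16.0.0/12, ! 192.168.0.0/16 } \
    nat-to (egress)
```

Because the redirected queries still carry the client's private source address, Unbound needs matching `access-control:` entries for those ranges (its default only allows localhost). Check the result with `pfctl -s rules` and `pfctl -s states` while a tunnel client resolves a name: the state should show the port 53 packet with its destination rewritten to 127.0.0.1.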