Question about ikev2, Unbound and routing DNS request through a VPN
I have been using OpenVPN for quite some time now and although it works great I thought I would try using OpenIKED as it is in base. As a starting point I am using the configs from OpenIKED's site with no changes to the configs except my IP addresses: http://puffysecurity.com/wiki/openikedoffshore.html
Server:
Code:
ikev2 passive ipcomp esp \
    from 0.0.0.0/0 to 10.0.0.0/8 \
    from 0.0.0.0/0 to 172.16.0.0/12 \
    from 0.0.0.0/0 to 192.168.0.0/16 \
    local 127.88.32.103 peer any \
    srcid 127.88.32.103 \
    tag IKED

Client:
Code:
ikev2 active ipcomp esp \
    from 10.0.0.0/8 to 0.0.0.0/0 \
    from 172.16.0.0/12 to 0.0.0.0/0 \
    from 192.168.0.0/16 to 0.0.0.0/0 \
    peer 127.88.32.103 \
    srcid behind.nat.host.example.com \
    tag IKED

I am using the same pf.conf's for now as well.

SERVER:
Code:
set reassemble yes
set block-policy return
set loginterface egress
set skip on { lo, enc }

match in all scrub (no-df random-id max-mss 1440)

table <bruteforce> persist

block in log
block in quick from urpf-failed label uRPF
block quick from <bruteforce>

pass out all modulate state

pass in on egress proto udp from any to any port { isakmp, ipsec-nat-t }
pass in on egress proto { ah, esp }

pass out on egress \
    from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
    to { ! 10.0.0.0/8, ! 172.16.0.0/12, ! 192.168.0.0/16 } \
    nat-to (egress)

pass in quick inet proto icmp icmp-type { echoreq, unreach }

pass in quick proto tcp from any \
    to (egress) port ssh \
    flags S/SA modulate state \
    (max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)

CLIENT:
Code:
set reassemble yes
set block-policy return
set loginterface egress
set skip on { lo, enc }

match in all scrub (no-df random-id max-mss 1440)

table <bruteforce> persist

block in log
block in quick from urpf-failed label uRPF
block quick from <bruteforce>

pass out all modulate state

pass in quick inet proto icmp icmp-type { echoreq, unreach }

pass in quick proto tcp from any \
    to (egress) port ssh \
    flags S/SA modulate state \
    (max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)

OpenIKED is a little different though, as it appears there are no *separate IP addresses* for the VPN network. I am a little stumped, and maybe mostly frustrated, as I have spent the last few days trying to come up with the right firewall rules to make this happen. I think, though, that I am missing something big and probably obvious. So my questions are:

1. Using this setup, is it possible to reroute DNS requests using just pf?
2. Do I need to add additional flows to iked.conf to make this happen?
3. In the man pages I can see that there are options to assign internal addresses to peers; will I need this to accomplish my goal?
UPDATE
I have it working. It turned out I needed to assign IP addresses (duh!) to the server and the client in iked.conf, which is in the iked.conf man page under the AUTOMATIC KEYING POLICIES heading:
Code:
config option address
    Send one or more optional configuration payloads (CP) to the peer.
    The configuration option can be one of the following with the
    expected address format:

    address address
        Assign a static address on the internal network.
    address address/prefix
        Assign a dynamic address on the internal network.  The address
        will be assigned from an address pool with the size specified by
        prefix.
    netmask netmask
        The IPv4 netmask of the internal network.
    name-server address
        The DNS server address within the internal network.
    netbios-server address
        The NetBIOS name server (WINS) within the internal network.
        This option is provided for compatibility with legacy clients.
    dhcp-server address
        The address of an internal DHCP server for further
        configuration.
    protected-subnet address/prefix
        The address of the protected subnet within the internal network.
    access-server address
        The address of an internal remote access server.

Are Tea Eff Im
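As an added example (not from the original post, the puffysecurity configs, or the OpenIKED project), here is one way to put the configuration payloads quoted from the man page above to use for the goal of this thread: the server hands each peer an address from a pool, tells it through the name-server payload to resolve via an address on that same internal network, Unbound listens on that address, and a pf rule on enc0 redirects any DNS query a client sends elsewhere back to Unbound. The pool 10.99.0.0/24, the resolver address 10.99.0.1, the policy name, the interface name enc0 and the srcid/local values are assumptions for illustration. One caveat that the original rulesets would trip over: both pf.conf files above have `set skip on { lo, enc }`, so pf never evaluates rules against decrypted traffic on enc0 and an rdr-to there would never fire; the example drops enc from the skip list and passes the pool in explicitly instead.

```conf
# /etc/iked.conf on the VPN server (added example; addresses are assumptions)
#
# Every road-warrior peer gets an address out of 10.99.0.0/24 and is told,
# via the name-server configuration payload, to resolve through 10.99.0.1.
# The responder flow covers "anywhere -> the pool", which is what the
# client's "my pool address -> anywhere" traffic selector matches.
ikev2 "roadwarrior" passive ipcomp esp \
    from 0.0.0.0/0 to 10.99.0.0/24 \
    local 127.88.32.103 peer any \
    srcid 127.88.32.103 \
    config address 10.99.0.0/24 \
    config name-server 10.99.0.1 \
    tag IKED

# /etc/hostname.lo0 on the server: put the resolver address on the host so
# Unbound can bind to it and the kernel delivers packets for it locally.
inet 127.0.0.1 255.0.0.0
inet alias 10.99.0.1 255.255.255.255

# /var/unbound/etc/unbound.conf on the server (relevant lines only):
# listen on the internal address and only answer the VPN pool.
server:
    interface: 10.99.0.1
    access-control: 10.99.0.0/24 allow
    access-control: 0.0.0.0/0 refuse

# /etc/pf.conf additions on the server.
# 'enc' is deliberately NOT skipped, otherwise nothing below is evaluated.
set skip on lo

# Decrypted tunnel packets show up inbound on enc0; let the pool in.
pass in on enc0 inet from 10.99.0.0/24

# Force every DNS query coming out of the tunnel to the local Unbound,
# whatever resolver the client actually asked for (rdr-to rewrites the
# destination before the packet is delivered).
pass in quick on enc0 inet proto { tcp, udp } from 10.99.0.0/24 \
    to any port domain rdr-to 10.99.0.1

# Pool traffic leaving for the Internet still needs NAT, as the RFC1918
# ranges did in the original ruleset.
pass out on egress inet from 10.99.0.0/24 to any nat-to (egress)
```

On the client side the matching policy has to ask for the payloads (`request address any` in iked.conf(5)) and actually use the address and resolver it is handed; run `iked -dv` on both ends to confirm that the CP is sent and accepted, and `pfctl -s rules` plus a query to a deliberately wrong resolver (for example `dig @1.1.1.1 example.org` from the client) to confirm that the rdr-to is catching it and the answer comes from Unbound.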