DaemonForums > OpenBSD > OpenBSD Security
#1  vns3 (Port Guard), 18th May 2018
Question about ikev2, Unbound and routing DNS requests through a VPN

I have been using OpenVPN for quite some time now and although it works great I thought I would try using OpenIKED as it is in base. As a starting point I am using the configs from OpenIKED's site with no changes to the configs except my IP addresses. http://puffysecurity.com/wiki/openikedoffshore.html

Server:
Code:
    ikev2 passive ipcomp esp \
        from 0.0.0.0/0 to 10.0.0.0/8 \
        from 0.0.0.0/0 to 172.16.0.0/12 \
        from 0.0.0.0/0 to 192.168.0.0/16 \
        local 127.88.32.103 peer any \
        srcid 127.88.32.103 \
        tag IKED
Client:
Code:
    ikev2 active ipcomp esp \
        from 10.0.0.0/8 to 0.0.0.0/0 \
        from 172.16.0.0/12 to 0.0.0.0/0 \
        from 192.168.0.0/16 to 0.0.0.0/0 \
        peer 127.88.32.103 \
        srcid behind.nat.host.example.com \
        tag IKED

I am using the same pf.conf files for now as well.

Server:
Code:
    set reassemble yes
    set block-policy return
    set loginterface egress
    set skip on { lo, enc }

    match in all scrub (no-df random-id max-mss 1440)

    table <bruteforce> persist

    block in log
    block in quick from urpf-failed label uRPF
    block quick from <bruteforce>

    pass out all modulate state

    pass in on egress proto udp from any to any port { isakmp, ipsec-nat-t }
    pass in on egress proto { ah, esp }
    pass out on egress \
        from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
        to { ! 10.0.0.0/8, ! 172.16.0.0/12, ! 192.168.0.0/16 } \
        nat-to (egress)

    pass in quick inet proto icmp icmp-type { echoreq, unreach }

    pass in quick proto tcp from any \
        to (egress) port ssh \
        flags S/SA modulate state \
        (max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
Client:
Code:
    set reassemble yes
    set block-policy return
    set loginterface egress
    set skip on { lo, enc }

    match in all scrub (no-df random-id max-mss 1440)

    table <bruteforce> persist

    block in log
    block in quick from urpf-failed label uRPF
    block quick from <bruteforce>

    pass out all modulate state

    pass in quick inet proto icmp icmp-type { echoreq, unreach }

    pass in quick proto tcp from any \
        to (egress) port ssh \
        flags S/SA modulate state \
        (max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
My web traffic is being routed through the VPN and now I am moving on to using Unbound on the VPN server to handle DNS. The way I did this with OpenVPN was to have Unbound running on the VPN server, listening on 127.0.0.1, and to redirect packets coming in on the VPN interface and headed for port 53 to 127.0.0.1; Unbound would pick it up from there and resolve my DNS requests.

OpenIKED is a little different though, as it appears there are no *separate IP addresses* for the VPN network.

I am a little stumped, and maybe mostly frustrated, as I have spent the last few days trying to come up with the right firewall rules to make this happen. I think, though, that I am missing something big and probably obvious.

So my questions are:
1. Using this setup is it possible to reroute DNS requests using just pf?
2. Do I need to add additional flows to iked.conf to make this happen?
3. In the man pages I can see that there are options to assign internal addresses to peers; will I need this to accomplish my goal?

#2  vns3, 18th May 2018
UPDATE

I have it working. It turned out I needed to assign IP addresses (duh!) to the server and the client in iked.conf, which is in the iked.conf man page under the AUTOMATIC KEYING POLICIES heading:

Code:
    config option address
        Send one or more optional configuration payloads (CP) to the peer.
        The configuration option can be one of the following with the
        expected address format:

        address address
            Assign a static address on the internal network.

        address address/prefix
            Assign a dynamic address on the internal network. The address
            will be assigned from an address pool with the size specified
            by prefix.

        netmask netmask
            The IPv4 netmask of the internal network.

        name-server address
            The DNS server address within the internal network.

        netbios-server address
            The NetBIOS name server (WINS) within the internal network.
            This option is provided for compatibility with legacy clients.

        dhcp-server address
            The address of an internal DHCP server for further
            configuration.

        protected-subnet address/prefix
            The address of the protected subnet within the internal
            network.

        access-server address
            The address of an internal remote access server.
After setting a static address, netmask on both, and a name-server on the client in iked.conf, it was easy to route the DNS traffic through pf.

Are Tea Eff Im
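The following is a worked configuration for the setup the two posts describe, added here as an example; it is not code from the thread or from the puffysecurity guide. The public address 127.88.32.103, the srcid and the flows are the posted ones; the tunnel subnet 10.10.0.0/24, the server-side address 10.10.0.1, the client address 10.10.0.2 and the pf table name `<vpn_clients>` are assumptions. Two details the posted rulesets do not cover: decapsulated tunnel packets are seen by pf on enc0 with their inner addresses, but `set skip on { lo, enc }` turns filtering off on enc0, so a `rdr-to` rule there is never evaluated until `enc` is removed from the skip list; and the redirect rewrites only the destination, so Unbound sees the client's tunnel or LAN source address and must allow it in `access-control`, otherwise it answers REFUSED.

```conf
# Added example, not the thread's own configs. Assumed addresses:
# 10.10.0.1 = server's tunnel-side address, 10.10.0.2 = address handed to
# the client. Everything else is taken from the posted iked.conf/pf.conf.

# ---- /etc/iked.conf on the VPN server (responder) ----
ikev2 passive ipcomp esp \
        from 0.0.0.0/0 to 10.0.0.0/8 \
        from 0.0.0.0/0 to 172.16.0.0/12 \
        from 0.0.0.0/0 to 192.168.0.0/16 \
        local 127.88.32.103 peer any \
        srcid 127.88.32.103 \
        config address 10.10.0.2 \
        config netmask 255.255.255.0 \
        config name-server 10.10.0.1 \
        tag IKED

# ---- /etc/iked.conf on the client (initiator) ----
# The post reports setting address and netmask on both ends and name-server
# on the client. Current iked.conf(5) also has a separate "request" keyword
# for what the initiator asks the responder for, e.g. "request address any".
# The pf redirect below works whether or not the client honours name-server.
ikev2 active ipcomp esp \
        from 10.0.0.0/8 to 0.0.0.0/0 \
        from 172.16.0.0/12 to 0.0.0.0/0 \
        from 192.168.0.0/16 to 0.0.0.0/0 \
        peer 127.88.32.103 \
        srcid behind.nat.host.example.com \
        config address 10.10.0.2 \
        config netmask 255.255.255.0 \
        config name-server 10.10.0.1 \
        tag IKED

# ---- /etc/pf.conf on the VPN server: only what changes from the posted set ----
# Decapsulated tunnel packets appear on enc0 with their inner addresses.
# "set skip on { lo, enc }" disables filtering on enc0, so nothing there can
# match; keep only lo in the skip list.
set skip on lo

table <vpn_clients> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Place these after "block in log". Any DNS query arriving over the tunnel,
# whichever resolver it was addressed to, is redirected to Unbound on
# 127.0.0.1. Only the destination is rewritten; the source address stays the
# client's tunnel or LAN address (hence the access-control lines below).
pass in quick on enc0 inet proto { udp, tcp } from <vpn_clients> \
        to any port domain rdr-to 127.0.0.1
# Remaining tunnel traffic is still forwarded and NATed by the posted
# "pass out on egress ... nat-to (egress)" rule.
pass in on enc0 inet from <vpn_clients>

# ---- /var/unbound/etc/unbound.conf on the VPN server ----
server:
        interface: 127.0.0.1
        # Redirected queries keep the client's source address, so the
        # tunnel/LAN ranges must be allowed; anything else stays refused.
        access-control: 127.0.0.0/8 allow
        access-control: 10.0.0.0/8 allow
        access-control: 172.16.0.0/12 allow
        access-control: 192.168.0.0/16 allow
        hide-identity: yes
        hide-version: yes
```

Check the files before loading them: `iked -nf /etc/iked.conf`, `pfctl -nf /etc/pf.conf` and `unbound-checkconf` parse without applying anything. Once iked is restarted on both ends, `ipsecctl -sa` on the server should list the SAs and flows; while a client resolves a name, `tcpdump -ni enc0 port 53` on the server should show the query arriving on enc0 with the client's source address, and `pfctl -ss | grep domain` should show the state translated to 127.0.0.1. If the query shows up on enc0 but no state appears, the `enc` skip is still in effect; if the state appears but the client gets REFUSED, the source range is missing from Unbound's `access-control`.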

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Unbound and states junkym OpenBSD General 3 22nd October 2016 10:03 PM
Unbound Database daemonbak OpenBSD General 2 21st July 2015 03:28 AM
Unbound Troubleshoot Peter_APIIT OpenBSD General 13 26th June 2015 02:00 AM
How-To : Vpn IKEv2 between a Windows 7 Road Warrior Host and an OpenBSD gateway wesley Guides 1 15th July 2013 04:38 PM
ikev2 between win7 and OpenBSD wesley OpenBSD Security 1 7th June 2012 06:14 AM


All times are GMT. The time now is 11:54 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick