Question about ikev2, Unbound and routing DNS request through a VPN

[vns3]

I have been using OpenVPN for quite some time now and all though it works great I thought I would try using OpenIKED as it is in base. As a starting point I am using the configs from OpenIKED's site with no changes to the configs except my ip addresses. http://puffysecurity.com/wiki/openikedoffshore.html

Server:

Code:

    
ikev2 passive ipcomp esp \
        from 0.0.0.0/0 to 10.0.0.0/8 \
        from 0.0.0.0/0 to 172.16.0.0/12 \
        from 0.0.0.0/0 to 192.168.0.0/16 \
        local 127.88.32.103 peer any \
        srcid 127.88.32.103 \
        tag IKED

Client:

Code:

    ikev2 active ipcomp esp \
        from 10.0.0.0/8 to 0.0.0.0/0 \
        from 172.16.0.0/12 to 0.0.0.0/0 \
        from 192.168.0.0/16 to 0.0.0.0/0 \
        peer 127.88.32.103 \
        srcid behind.nat.host.example.com \
        tag IKED

I am using the same pf.conf's for now as well

SERVER:

Code:

    set reassemble yes
    set block-policy return
    set loginterface egress
    set skip on { lo, enc }

    match in all scrub (no-df random-id max-mss 1440)

    table <bruteforce> persist

    block in log
    block in quick from urpf-failed label uRPF
    block quick from <bruteforce>

    pass out all modulate state

    pass in on egress proto udp from any to any port { isakmp, ipsec-nat-t }
    pass in on egress proto { ah, esp }
    pass out on egress \
        from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
        to { ! 10.0.0.0/8, ! 172.16.0.0/12, ! 192.168.0.0/16 } \
        nat-to (egress)

    pass in quick inet proto icmp icmp-type { echoreq, unreach }

    pass in quick proto tcp from any \
        to (egress) port ssh \
        flags S/SA modulate state \
        (max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)

Client:

Code:

    set reassemble yes
    set block-policy return
    set loginterface egress
    set skip on { lo, enc }

    match in all scrub (no-df random-id max-mss 1440)

    table <bruteforce> persist

    block in log
    block in quick from urpf-failed label uRPF
    block quick from <bruteforce>

    pass out all modulate state

    pass in quick inet proto icmp icmp-type { echoreq, unreach }

    pass in quick proto tcp from any \
        to (egress) port ssh \
        flags S/SA modulate state \
        (max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)

My web traffic is being routed through the vpn and now I am moving on to using Unbound on the VPN server to handle DNS. The way I did this with OpenVPN is I would have Unbound running on the VPN server, listening on 127.0.0.1 and would redirect packets coming in on the vpn interface and headed for port 53 to 127.0.0.1, and Unbound would pick it up from there and resolve my DNS requests.

OpenIKED is a little different though as it appears there are no *separate ip addresses* for the VPN network.

I am a little stumped, and maybe mostly frustrated as I have spent the last few days, trying to come up with the right firewall rules to make this happen. I think though I am missing something, big and probably obvious.

So my questions are:
1. Using this setup is it possible to reroute DNS requests using just pf?
2. Do I need to add additional flows to iked.conf to make this happen?
3. In the man pages I can see that there are options to assign internal addresses to peers, will I need this to accomplish my goal?