Question about ikev2, Unbound and routing DNS request through a VPN
I have been using OpenVPN for quite some time now and although it works great I thought I would try using OpenIKED as it is in base. As a starting point I am using the configs from OpenIKED's site with no changes to the configs except my IP addresses. http://puffysecurity.com/wiki/openikedoffshore.html

Server:
Code:
ikev2 passive ipcomp esp \
	from 0.0.0.0/0 to 10.0.0.0/8 \
	from 0.0.0.0/0 to 172.16.0.0/12 \
	from 0.0.0.0/0 to 192.168.0.0/16 \
	local 127.88.32.103 peer any \
	srcid 127.88.32.103 \
	tag IKED

Client:
Code:
ikev2 active ipcomp esp \
	from 10.0.0.0/8 to 0.0.0.0/0 \
	from 172.16.0.0/12 to 0.0.0.0/0 \
	from 192.168.0.0/16 to 0.0.0.0/0 \
	peer 127.88.32.103 \
	srcid behind.nat.host.example.com \
	tag IKED

I am using the same pf.conf files for now as well.

Server:
Code:
set reassemble yes
set block-policy return
set loginterface egress
set skip on { lo, enc }

match in all scrub (no-df random-id max-mss 1440)

table <bruteforce> persist

block in log
block in quick from urpf-failed label uRPF
block quick from <bruteforce>

pass out all modulate state

pass in on egress proto udp from any to any port { isakmp, ipsec-nat-t }
pass in on egress proto { ah, esp }
pass out on egress \
	from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
	to { ! 10.0.0.0/8, ! 172.16.0.0/12, ! 192.168.0.0/16 } \
	nat-to (egress)

pass in quick inet proto icmp icmp-type { echoreq, unreach }
pass in quick proto tcp from any \
	to (egress) port ssh \
	flags S/SA modulate state \
	(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)

Client:
Code:
set reassemble yes
set block-policy return
set loginterface egress
set skip on { lo, enc }

match in all scrub (no-df random-id max-mss 1440)

table <bruteforce> persist

block in log
block in quick from urpf-failed label uRPF
block quick from <bruteforce>

pass out all modulate state

pass in quick inet proto icmp icmp-type { echoreq, unreach }
pass in quick proto tcp from any \
	to (egress) port ssh \
	flags S/SA modulate state \
	(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)

OpenIKED is a little different though, as it appears there are no *separate IP addresses* for the VPN network. I am a little stumped, and maybe mostly frustrated, as I have spent the last few days trying to come up with the right firewall rules to make this happen. I think, though, that I am missing something big and probably obvious. So my questions are:

1. Using this setup, is it possible to reroute DNS requests using just pf?
2. Do I need to add additional flows to iked.conf to make this happen?
3. In the man pages I can see that there are options to assign internal addresses to peers; will I need this to accomplish my goal?
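One way to do the DNS redirect with pf alone, given the server pf.conf quoted above. This is an added example, not part of the original post or of the puffysecurity configs it copies; it assumes Unbound runs on the VPN server and listens on 127.0.0.1 port 53, that decrypted IPsec traffic is seen on enc0 (the usual OpenBSD behaviour), and it reuses the three private ranges from the post's iked.conf flows.

```pf
# Added example (not from the original post): send DNS queries that arrive
# over the IPsec tunnel to Unbound on the VPN server itself.
# Assumptions: Unbound listens on 127.0.0.1:53; decrypted tunnel traffic
# appears on enc0; the client ranges are the ones used in the iked.conf flows.

# pf never evaluates rules on a skipped interface. The post's pf.conf has
# "set skip on { lo, enc }", which makes any enc0 rule a no-op, so skip only lo.
set skip on lo

vpn_nets = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Decrypted tunnel traffic arriving on enc0: anything aimed at port 53 is
# redirected to the local resolver; everything else from the client ranges
# is passed as before. Both use "quick" and should sit ahead of the generic
# "block in" rules so they are matched first. State handles the reverse path.
pass in quick on enc0 inet proto { tcp, udp } from $vpn_nets \
	to any port domain rdr-to 127.0.0.1 port domain
pass in quick on enc0 inet from $vpn_nets
```

Two things to check alongside this. The redirected packets keep their tunnel source address (10.x, 172.16.x or 192.168.x), so Unbound's access-control must allow those ranges, otherwise it refuses the queries; the default only allows localhost. And because the client iked.conf already carries everything from the private ranges to 0.0.0.0/0 through the tunnel, queries sourced from those addresses reach the server without any extra flows; the redirect above is what points them at Unbound rather than at whatever resolver the client had configured.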