DaemonForums

OpenBSD Security: Functionally paranoid!

Old 18th May 2018
vns3

Question about ikev2, Unbound and routing DNS requests through a VPN

I have been using OpenVPN for quite some time now and although it works great I thought I would try using OpenIKED as it is in base. As a starting point I am using the configs from OpenIKED's site with no changes to the configs except my IP addresses. http://puffysecurity.com/wiki/openikedoffshore.html

Server:
Code:
    ikev2 passive ipcomp esp \
        from 0.0.0.0/0 to 10.0.0.0/8 \
        from 0.0.0.0/0 to 172.16.0.0/12 \
        from 0.0.0.0/0 to 192.168.0.0/16 \
        local 127.88.32.103 peer any \
        srcid 127.88.32.103 \
        tag IKED

Client:
Code:
    ikev2 active ipcomp esp \
        from 10.0.0.0/8 to 0.0.0.0/0 \
        from 172.16.0.0/12 to 0.0.0.0/0 \
        from 192.168.0.0/16 to 0.0.0.0/0 \
        peer 127.88.32.103 \
        srcid behind.nat.host.example.com \
        tag IKED

I am using the same pf.conf files for now as well.

Server:
Code:
    set reassemble yes
    set block-policy return
    set loginterface egress
    set skip on { lo, enc }

    match in all scrub (no-df random-id max-mss 1440)

    table <bruteforce> persist

    block in log
    block in quick from urpf-failed label uRPF
    block quick from <bruteforce>

    pass out all modulate state

    pass in on egress proto udp from any to any port { isakmp, ipsec-nat-t }
    pass in on egress proto { ah, esp }
    pass out on egress \
        from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
        to { ! 10.0.0.0/8, ! 172.16.0.0/12, ! 192.168.0.0/16 } \
        nat-to (egress)

    pass in quick inet proto icmp icmp-type { echoreq, unreach }

    pass in quick proto tcp from any \
        to (egress) port ssh \
        flags S/SA modulate state \
        (max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)

Client:
Code:
    set reassemble yes
    set block-policy return
    set loginterface egress
    set skip on { lo, enc }

    match in all scrub (no-df random-id max-mss 1440)

    table <bruteforce> persist

    block in log
    block in quick from urpf-failed label uRPF
    block quick from <bruteforce>

    pass out all modulate state

    pass in quick inet proto icmp icmp-type { echoreq, unreach }

    pass in quick proto tcp from any \
        to (egress) port ssh \
        flags S/SA modulate state \
        (max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)

My web traffic is being routed through the VPN and now I am moving on to using Unbound on the VPN server to handle DNS. The way I did this with OpenVPN is I would have Unbound running on the VPN server, listening on 127.0.0.1, and would redirect packets coming in on the VPN interface and headed for port 53 to 127.0.0.1, and Unbound would pick it up from there and resolve my DNS requests.

OpenIKED is a little different though, as it appears there are no *separate IP addresses* for the VPN network.

I am a little stumped, and maybe mostly frustrated, as I have spent the last few days trying to come up with the right firewall rules to make this happen. I think, though, I am missing something big and probably obvious.

So my questions are:
1. Using this setup is it possible to reroute DNS requests using just pf?
2. Do I need to add additional flows to iked.conf to make this happen?
3. In the man pages I can see that there are options to assign internal addresses to peers, will I need this to accomplish my goal?
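For the OpenVPN-style redirect the post describes, this is what the equivalent rule looks like once the tunnel interface is OpenBSD's enc0, where iked's decapsulated traffic appears. It is an added example, not the poster's or puffysecurity's configuration; it assumes Unbound on the server is bound to 127.0.0.1:53 and that enc is taken out of the set skip line, because pf never evaluates rules on skipped interfaces.

```pf
# Added example for the server's pf.conf (not from the original post).
# enc is deliberately NOT skipped here: with "set skip on { lo, enc }"
# pf would never see the decapsulated packets, so no rdr-to could fire.
set skip on lo

# Decapsulated IPsec packets show up on enc0 with the client's original
# private source address and the real resolver as destination, so this
# is the interface on which to intercept DNS and hand it to local Unbound.
pass in on enc0 inet proto { udp, tcp } \
    from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
    to any port domain rdr-to 127.0.0.1 port domain

# Remaining tunnel traffic is still allowed in and leaves through the
# existing "nat-to (egress)" rule from the posted configuration.
pass in on enc0 inet from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
```

Unbound must also allow those private client ranges in its access-control, since rdr-to rewrites only the destination and the queries still arrive from the clients' own addresses.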