## Server configuration

[[#iked.conf]]
### iked.conf

Add this to /etc/iked.conf (replace **vpn_user_name** and **vpn_user_password** with the username and password you will use to connect, replace **203.0.113.5** with your server's public IP address, and replace **vpn.ircnow.org** with vpn.your.domain, for example vpn.user.host.ircnow.org):

    doas vi /etc/iked.conf

----

```
vpn_user_name = "vpn-user"
vpn_user_password = "vpn-password"
remote_gw = "203.0.113.5"
vpn_id = "vpn.ircnow.org"
client_pool = "10.0.5.0/24"
client_dns = "203.0.113.5"

user $vpn_user_name $vpn_user_password

ikev2 'user_vpn' passive esp \
	from any to dynamic \
	local $remote_gw peer any \
	srcid $vpn_id \
	eap "mschap-v2" \
	config address $client_pool \
	config name-server $client_dns \
	tag "ROADW"
```

The value for the **vpn_id** macro MUST be different from your IRCNow hostname. For example, if your IRCNow hostname is "user.host.ircnow.org", you should pick something like "vpn.user.host.ircnow.org". Whatever you pick should be a valid hostname that resolves to an IP address.

The `from any` rule allows any address to initiate a connection; the client is then authenticated with EAP-MSCHAPv2 against the `user` line. The `config name-server` line sets the DNS server that VPN clients will use, so in this example you must have a valid caching name server running on IP 203.0.113.5. Note that packets from this VPN will get tagged as ROADW, which the pf rules below match on.

### pf.conf

iked depends upon packet filter being enabled. First, make sure packet filter is enabled if it is off:

    doas pfctl -e

Add this to /etc/pf.conf:

    doas vi /etc/pf.conf

----

```
pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED
pass in inet proto esp tag IKED
pass on enc0 inet tagged ROADW
match out on $ext_if inet tagged ROADW nat-to $ext_if
match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53
```

where **$ext_if** is a macro holding the name of your external interface (defined near the top of pf.conf, e.g. `ext_if = "vio0"`). The first two rules admit IKE (UDP 500, `isakmp`), NAT traversal (UDP 4500, `ipsec-nat-t`) and raw ESP; the `match ... nat-to` rule NATs the VPN clients' traffic out through the external interface; and the last rule redirects any DNS query arriving from VPN clients on enc0 to the resolver on 127.0.0.1, so clients cannot bypass the server's resolver.

To find your external interface, type:

    ifconfig

The external interface is the one with the public IP address. If OpenBSD is run on a virtual machine, the external interface is probably vio0.
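Before loading the two files, a small preflight script catches the mistakes the notes above warn about: a vpn_id that is not a hostname or equals the host's own name, and a `$macro` in pf.conf that is never defined. This is an added example, not code from the IRCnow page; the helper names (conf_macro, check_vpn_id, pf_undefined_macros) and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Preflight checks for the iked.conf / pf.conf written above (constructed helpers).
# Afterwards run the real parsers on the host:
#   doas iked -nf /etc/iked.conf ; doas pfctl -nf /etc/pf.conf

# Print the value of a `name = "value"` macro from a config file (first match only).
conf_macro() {  # conf_macro FILE NAME
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# vpn_id must be a syntactically valid FQDN and must differ from the host's own name.
check_vpn_id() {  # check_vpn_id IKED_CONF HOSTNAME  -> 0 ok, 1 problem (reason on stdout)
    id=$(conf_macro "$1" vpn_id)
    [ -n "$id" ] || { echo "vpn_id is not set"; return 1; }
    echo "$id" | grep -Eiq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$' \
        || { echo "vpn_id '$id' is not a valid hostname"; return 1; }
    [ "$id" != "$2" ] || { echo "vpn_id '$id' must differ from the hostname"; return 1; }
    return 0
}

# Print every $macro that pf.conf references but never defines; status 1 if any.
# Catches e.g. `nat-to $ext_if` with no `ext_if = "..."` line, which pfctl rejects.
pf_undefined_macros() {  # pf_undefined_macros PF_CONF
    defined=$(sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$1")
    rc=0
    for m in $(grep -o '\$[A-Za-z_][A-Za-z0-9_]*' "$1" | tr -d '$' | sort -u); do
        echo "$defined" | grep -qx "$m" || { echo "$m"; rc=1; }
    done
    return $rc
}

# --- constructed sample files standing in for /etc/iked.conf and /etc/pf.conf ---
tmp=$(mktemp -d)
cat > "$tmp/iked.conf" <<'EOF'
remote_gw = "203.0.113.5"
vpn_id = "vpn.user.host.ircnow.org"
EOF
cat > "$tmp/pf.conf" <<'EOF'
pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED
match out on $ext_if inet tagged ROADW nat-to $ext_if
EOF

if check_vpn_id "$tmp/iked.conf" "user.host.ircnow.org"; then echo "vpn_id: ok"; fi
if ! pf_undefined_macros "$tmp/pf.conf"; then echo "^ undefined pf macros (add ext_if = \"vio0\")"; fi
```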
To reload the new pf ruleset:

    doas pfctl -f /etc/pf.conf

### Certificates

At this point, we need to create a PKI and the X.509 certificates that the VPN client can use to verify the server. From the command line, run:

```
# ikectl ca vpn create
# ikectl ca vpn install
certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt
CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl
# ikectl ca vpn certificate vpn.user.host.ircnow.org create
# ikectl ca vpn certificate vpn.user.host.ircnow.org install
writing RSA key
```

Replace **vpn.user.host.ircnow.org** with the hostname you picked for the value of **vpn_id** in [iked.conf](#iked.conf).

## Client configuration