Hello,

I have a semi-working VPN from a Windows 10 client to OpenBSD 6.4
running iked, using the machine certificate authentication method.

When I connect to the VPN, I can ping from Win 10 to the IP address of
enc0 on the other side (10.1.0.2). Unbound is listening on that IP
address, and DNS queries from my Windows 10 machine get to unbound
and work correctly.

Unfortunately, regular web browsing from the Windows 10 PC does not
work. It appears the VPN or else my pf rules are not directing the
traffic back out of the egress interface, but I can't figure out why.
Likewise if I start a ping to a public IP address while the VPN is
running, the ping doesn't work. I do have net.inet.ip.forwarding=1
enabled in /etc/sysctl.conf. If I do the same ping without the VPN,
it works fine.

I have tried a few things as I'm having trouble understanding
basic VPN concepts, and therefore I can't seem to understand what might
be the cause of the problem.

1. Put a line "from 0.0.0.0/0 to 10.2.0.0/24" into the configuration.
2. Remove the "configure address 10.2.0.1/24" line.
3. Various incarnations with/without srcid or "local <server ip> peer any".
4. Turning off Windows firewall.
5. Trying to pass more and more traffic through pf.
6. Rearranging the "match out ... nat-to" lines at the bottom of pf.conf.

My iked.conf and pf.conf configurations are down below.

Also some info about the VPN CA and certificates: the server cert CN is
the server IP. It's also named the server IP. The Windows 10 cert is
just named desktop-xxxx and the CN is the same. The CA cert is in the
machine store Trusted Root. The desktop-xxxx cert is in the machine
store Personal.

Is there anything obviously wrong in the configuration? Can anyone point
me in the direction of the mistake?

Any help would be greatly appreciated. Thanks in advance.

V/r,
Bryan

# $OpenBSD: iked.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
#
# See iked.conf(5) for syntax and examples.
ikev2 "win10" passive esp \
   from 10.1.0.0/24 to 10.2.0.0/24 \
   local any peer any \
   srcid ...OMITTED... \
   config address 10.2.0.1/24 \
   config name-server 10.1.0.2 \
   tag "$name-$id"


# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

ssh_nets="{ ...OMITTED... }"


set skip on { lo0, enc0 }
set limit table-entries 400000

# rules for spamd(8)
table <spamd-white> persist
table <common_white> persist file "/etc/mail/common_domains_white"
table <nospamd> persist file "/etc/mail/nospamd"
table <bgp-spamd-bypass> persist

block drop log all
antispoof for egress
match in all scrub (no-df max-mss 1440)

pass quick inet proto icmp icmp-type { echoreq, unreach }

pass in on egress inet proto tcp from $ssh_nets to egress:0 port 22
pass in on egress inet proto udp from any to egress:0 port 53
pass in on egress inet proto tcp from any to egress:0 \
        port { 53 80 443 }
pass in on egress inet proto tcp from $ssh_nets to egress:0 \
        port { 465 587 993 }

pass in on egress proto { ah, esp } from any to any
pass in on egress proto udp from any to any port { 500, 4500 }

pass in on egress inet proto tcp from any to any port smtp \
        rdr-to lo0 port spamd
pass in on egress inet proto tcp from <nospamd> to any port smtp \
        rdr-to lo0 port smtp
pass in log on egress inet proto tcp from <spamd-white> to any \
        port smtp rdr-to lo0 port smtp
pass in log on egress inet proto tcp from <common_white> to any \
        port smtp rdr-to lo0 port smtp
pass in log quick on egress inet proto tcp from <bgp-spamd-bypass> \
        to any port smtp rdr-to lo0 port smtp

pass on { vether tap }

pass out all

match out on egress inet from vether0:network nat-to (egress)
match out on egress inet from enc0:network nat-to (egress)
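An added example (not part of Bryan's post) placing the two settings most likely to stop forwarded client traffic next to corrected forms. It assumes enc0 carries 10.1.0.2/24 (the post says Unbound listens on enc0's 10.1.0.2) and that clients receive addresses from the 10.2.0.0/24 pool named in iked.conf; everything else is copied from the posted files.

```conf
# Added example, not from the original post. Assumes enc0 is 10.1.0.2/24
# and that Windows clients get addresses from the 10.2.0.0/24 pool.

# ---- iked.conf: the flow definition ----
# As posted: the flow only covers 10.1.0.0/24 <-> client pool, so packets
# from a client to a public address have no matching IPsec flow on the
# server side; the reverse direction is not covered either.
ikev2 "win10" passive esp \
   from 10.1.0.0/24 to 10.2.0.0/24 \
   local any peer any

# Full tunnel: "from" is the server-side selector (any destination), "to"
# is the client-side selector (the address pool handed out below).
ikev2 "win10" passive esp \
   from 0.0.0.0/0 to 10.2.0.0/24 \
   local any peer any \
   srcid ...OMITTED... \
   config address 10.2.0.1/24 \
   config name-server 10.1.0.2 \
   tag "$name-$id"

# ---- pf.conf: NAT for the client pool ----
# As posted: enc0:network expands to the network of enc0's own address
# (10.1.0.0/24 under the assumption above), which does not contain the
# 10.2.0.0/24 pool, so client packets leave egress with a private source
# address and replies never come back.
match out on egress inet from enc0:network nat-to (egress)

# Corrected: name the pool explicitly instead of deriving it from enc0.
match out on egress inet from 10.2.0.0/24 nat-to (egress)

# Checks after reloading: ipsecctl -sa (flows and SAs should show
# 0.0.0.0/0 <-> 10.2.0.0/24), pfctl -ss (a NAT state for the client's
# 10.2.0.x source should appear when the client browses).
```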
