On Fri, Jul 03, 2015 at 12:20:01PM -0400, trondd wrote:
> I'll jump into the current iked/ipsec/VPN discussions going on.
> 
> I have used iked to create a road warrior VPN from my OpenBSD laptop to an
> OpenBSD server in a remote data center.  All connections between the two are
> correctly going through the VPN.
> 
> What I want to do is force all traffic from the laptop through VPN and exit
> to the internet from the server.  Does that require a pseudo device tunnel?
> How do I create a tunnel through a firewall where one end point is NATed?  I
> can control the firewall on my network (also OpenBSD) but will it work from,
> say, a hotel?

My current setup does exactly what you describe with several endpoints,
iked, ospfd, gif, bridge, vether and pf.

There are a few documents available with a quick search but "man gif" is
a great place to start since it documents tunneling using etherip and
IPSec.

I use ospfd to inject multiple default gateway routes into the local
routing table.  If a given IPSec tunnel goes down the associated default
gateway is removed from the local routing table.  In this way it's self
healing since other tunnels and default gateway routes should still be
available.

There are occasional quirks with ospfd but this setup works quite well
with my use case which is also currently configured as a full-mesh vpn.
I'm fairly certain this configuration has been previously discussed on
the list.

> 
> I feel like this has to have been solved and can't be that hard.  And
> without using openVPN to do it...
> 
> Tim.
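As an added illustration of the design described in the reply above (gif tunnels protected by iked, ospfd supplying the default route, pf doing the exit NAT), not the poster's own configuration and not example text from the OpenBSD project: a minimal two-endpoint version. All addresses, hostnames and the pre-shared key are constructed placeholders from RFC 5737 ranges; the uplink gateway 192.0.2.1 and the `laptop.example.net`/`dc.example.net` identities are assumptions, and the cipher suite is one reasonable choice rather than anything the thread specifies.

```conf
# Added illustration, not the poster's configuration: a minimal version of
# the "gif over IPsec + ospfd default route" design described in the thread.
# All addresses, names and the PSK are constructed placeholders (RFC 5737):
# laptop public address 192.0.2.10, server public address 198.51.100.1.

# ---- laptop: /etc/hostname.gif0 ----
# Outer tunnel endpoints first, then the inner point-to-point addresses.
tunnel 192.0.2.10 198.51.100.1
inet 10.10.0.2 255.255.255.252 10.10.0.1
# Keep the IKE/ESP path to the peer on the physical uplink; otherwise the
# default route learned through the tunnel would swallow the tunnel's own
# packets. 192.0.2.1 is the assumed uplink gateway.
!route add -host 198.51.100.1 192.0.2.1

# ---- laptop: /etc/iked.conf ----
# Protect the gif encapsulation (IP protocol 4, "ipencap" in /etc/protocols)
# between the two endpoints with ESP. The server carries the mirror-image
# rule with "passive" and swapped from/to, local/peer, srcid/dstid.
ikev2 "gif-dc" active esp proto ipencap \
        from 192.0.2.10 to 198.51.100.1 \
        local 192.0.2.10 peer 198.51.100.1 \
        ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
        childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
        srcid laptop.example.net dstid dc.example.net \
        psk "constructed-placeholder-psk"

# ---- laptop: /etc/ospfd.conf ----
# OSPF runs only over the tunnel. The default route arrives from the server
# and is withdrawn when the neighbor times out, i.e. when the tunnel is down;
# with several tunnels, each surviving neighbor keeps its own default alive.
router-id 10.10.0.2
area 0.0.0.0 {
        interface gif0
}

# ---- server: /etc/ospfd.conf ----
# Announce the server's own default route to every tunnel neighbor.
router-id 10.10.0.1
redistribute default
area 0.0.0.0 {
        interface gif0
}

# ---- server: /etc/pf.conf (relevant rules only) ----
# Admit IKE, NAT-T and ESP, allow decrypted and decapsulated traffic, and
# masquerade tunnel clients on the way out to the Internet.
pass in on egress proto udp from any to (egress) port { isakmp, ipsec-nat-t }
pass in on egress proto esp from any to (egress)
pass on enc0
pass on gif0
match out on egress inet from 10.10.0.0/24 to any nat-to (egress)
# plus, in /etc/sysctl.conf on the server: net.inet.ip.forwarding=1
```

The self-healing property the reply describes comes from the last two ospfd fragments: the default route is never configured statically on the laptop, it exists only as long as an OSPF neighbor over some gif interface keeps advertising it. The `!route add -host` line is the one detail easy to forget when testing from a hotel network with a DHCP-assigned gateway; without a more specific route for the peer on the physical path, the first default route learned through the tunnel creates a loop.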
