documentation:examples:gre_ipsec_and_openvpn
documentation:examples:gre_ipsec_and_openvpn [2020/09/14 21:57] – [Router 4] olivier | documentation:examples:gre_ipsec_and_openvpn [2023/07/10 12:40] – [Router 2] olivier | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== VPN with GRE, GIF, IPSec, OpenVPN and Wireguard ====== | ====== VPN with GRE, GIF, IPSec, OpenVPN and Wireguard ====== | ||
- | This lab shows some VPN examples with BSDRP 1.97. | + | This lab shows some VPN examples with BSDRP 1.991. |
===== Presentation ===== | ===== Presentation ===== | ||
Line 250: | Line 250: | ||
service routing restart | service routing restart | ||
config save | config save | ||
+ | </ | ||
+ | |||
+ | Take care of avoiding fragmentation, | ||
+ | < | ||
+ | set skip on lo0 | ||
+ | scrub on gif1 inet all max-mss 1200 | ||
+ | scrub on gif1 inet6 all max-mss 1180 | ||
+ | pass | ||
</ | </ | ||
==== Router 4 ==== | ==== Router 4 ==== | ||
Line 676: | Line 684: | ||
Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan. | Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan. | ||
- | |||
- | Strongswan use Left (for Local) and Right (for Remote). | ||
=== Router 2 === | === Router 2 === | ||
Configure strongswan on VM2 with: | Configure strongswan on VM2 with: | ||
- | * IKEv2 | + | * IKEv2 (version = 2) |
- | * Preshared-key | + | * Preshared-key |
- | * Disabling Mobile IP | + | * Disabling Mobile IP (mobike = no) |
- | * forcing the tunnel going UP (auto=start) | + | * forcing the tunnel going UP (start_action |
* configuring Dead-Peer-Detection at 5 seconds | * configuring Dead-Peer-Detection at 5 seconds | ||
< | < | ||
- | cat > / | + | cat > / |
- | config setup | + | connections { |
+ | net-net { | ||
+ | local_addrs = 10.0.23.2 | ||
+ | remote_addrs = 10.0.34.4 | ||
+ | local { | ||
+ | auth = psk | ||
+ | id = vm2 | ||
+ | } | ||
+ | remote { | ||
+ | auth = psk | ||
+ | id = vm4 | ||
+ | } | ||
+ | children { | ||
+ | net-net { | ||
+ | local_ts | ||
+ | remote_ts = 10.0.45.0/ | ||
+ | start_action = trap | ||
+ | } | ||
+ | } | ||
+ | version = 2 | ||
+ | mobike = no | ||
+ | dpd_delay = 5s | ||
+ | } | ||
+ | } | ||
- | conn %default | + | secrets { |
- | authby=secret | + | ike-1 { |
- | | + | |
- | | + | |
- | | + | } |
- | | + | } |
- | + | EOF | |
- | conn VM4 | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | rightsubnet=10.0.45.0/ | + | |
- | rightid=VM4 | + | |
- | auto=start | + | |
- | 'EOF' | + | |
</ | </ | ||
- | Then define the password to use for the remote site: | + | Enable strongswan: |
< | < | ||
- | cat > / | + | service strongswan enable |
- | VM4 VM2 : PSK "This is a strong password" | + | service strongswan restart |
- | ' | + | |
</ | </ | ||
- | Enable strongswan: | + | And check if it correctly loaded its configuration: |
< | < | ||
- | sysrc strongswan_enable=YES | + | root@VM2:~ # swanctl --list-conns |
- | service strongswan restart | + | net-net: IKEv2, no reauthentication, |
+ | local: | ||
+ | remote: 10.0.34.4 | ||
+ | local pre-shared key authentication: | ||
+ | id: vm2 | ||
+ | remote pre-shared key authentication: | ||
+ | id: vm4 | ||
+ | net-net: TUNNEL, rekeying every 3600s | ||
+ | local: | ||
+ | remote: 10.0.45.0/ | ||
</ | </ | ||
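Review bot: the bullet at the top of this hunk still says "forcing the tunnel going UP (start_action" while the `net-net` child is configured with `start_action = trap`; with `trap` strongSwan only installs a trap policy and negotiates the SA when matching traffic appears, not at daemon start. Either reword the bullet to match the VM4 side ("automatic traffic detection") or set `start_action = start` if the tunnel really must come up immediately. The old `auto=start` on VM2 and `auto=route` on VM4 were asymmetric; the new config makes both ends trap-only, which is fine but worth stating.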
Line 731: | Line 758: | ||
* Preshared-key | * Preshared-key | ||
* Disabling Mobile IP | * Disabling Mobile IP | ||
- | * automatic traffic detection | + | * automatic traffic detection |
* configuring Dead-Peer-Detection at 5 seconds | * configuring Dead-Peer-Detection at 5 seconds | ||
< | < | ||
- | cat > / | + | cat > / |
- | config setup | + | connections { |
+ | net-net { | ||
+ | remote_addrs = 10.0.23.2 | ||
+ | local_addrs = 10.0.34.4 | ||
+ | remote { | ||
+ | auth = psk | ||
+ | id = vm2 | ||
+ | } | ||
+ | local { | ||
+ | auth = psk | ||
+ | id = vm4 | ||
+ | } | ||
+ | children { | ||
+ | net-net { | ||
+ | remote_ts | ||
+ | local_ts = 10.0.45.0/ | ||
+ | start_action = trap | ||
+ | } | ||
+ | } | ||
+ | version = 2 | ||
+ | mobike = no | ||
+ | dpd_delay = 5s | ||
+ | } | ||
+ | } | ||
- | conn %default | + | secrets { |
- | | + | ike-1 { |
- | | + | |
- | | + | |
- | | + | } |
- | | + | } |
- | conn VM2 | + | EOF |
- | left=10.0.34.4 | + | |
- | leftsubnet=10.0.45.0/ | + | |
- | leftid=VM4 | + | |
- | right=10.0.23.2 | + | |
- | rightsubnet=10.0.12.0/ | + | |
- | rightid=VM2 | + | |
- | auto=route | + | |
- | 'EOF' | + | |
- | </ | + | |
- | Then define the password to use for the remote site: | ||
- | |||
- | < | ||
- | cat > / | ||
- | VM4 VM2 : PSK "This is a strong password" | ||
- | ' | ||
</ | </ | ||
Line 766: | Line 801: | ||
< | < | ||
- | sysrc strongswan_enable=YES | + | service strongswan enable |
service strongswan restart | service strongswan restart | ||
+ | </ | ||
+ | |||
+ | And check the status: | ||
+ | < | ||
+ | root@VM4: # swanctl --list-conns | ||
+ | net-net: IKEv2, no reauthentication, | ||
+ | local: | ||
+ | remote: 10.0.23.2 | ||
+ | local pre-shared key authentication: | ||
+ | id: vm4 | ||
+ | remote pre-shared key authentication: | ||
+ | id: vm2 | ||
+ | net-net: TUNNEL, rekeying every 3600s | ||
+ | local: | ||
+ | remote: 10.0.12.0/ | ||
+ | |||
+ | root@VM4: # grep charon / | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | nstraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg curl attr kernel-pf | ||
+ | key kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whit | ||
+ | elist addrblock counters | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:45 router charon[79963]: | ||
+ | Jul 8 12:39:45 router charon[79963]: | ||
+ | Jul 8 12:39:45 router charon[79963]: | ||
</ | </ | ||
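Review bot: `swanctl --list-conns` under "And check the status" only prints the connections loaded from swanctl.conf; it says nothing about whether an IKE_SA or CHILD_SA is actually established, and with `start_action = trap` on both peers nothing is negotiated until traffic hits the policy. Add `swanctl --list-sas` (run after the ping test has sent traffic through the policy) to confirm the SA and its traffic selectors, and keep `--list-conns` as the "configuration loaded correctly" check it really is.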
Line 796: | Line 866: | ||
00: | 00: | ||
00: | 00: | ||
- | </ | ||
- | |||
- | Log file on VM2: | ||
- | < | ||
- | [root@VM2]~# | ||
- | Jun 8 00:24:28 VM2 ipsec_starter[981]: | ||
- | Jun 8 00:24:28 VM2 ipsec_starter[981]: | ||
- | Jun 8 00:24:28 VM2 ipsec_starter[981]: | ||
- | Jun 8 00:24:28 VM2 ipsec_starter[984]: | ||
- | Jun 8 00:25:26 VM2 login: login on ttyu0 as root | ||
- | Jun 8 00:25:26 VM2 login: ROOT LOGIN (root) ON ttyu0 | ||
- | Jun 8 00:34:53 VM2 charon: 12[IKE] initiating IKE_SA VM4[1] to 10.0.34.4 | ||
- | Jun 8 00:34:53 VM2 charon: 12[IKE] establishing CHILD_SA VM4 | ||
- | Jun 8 00:34:53 VM2 charon: 12[IKE] IKE_SA VM4[1] established between 10.0.23.2[VM2]...10.0.34.4[VM4] | ||
- | Jun 8 00:34:53 VM2 charon: 12[IKE] CHILD_SA VM4{1} established with SPIs c6d01ce8_i c2357cdd_o and TS 10.0.12.0/ | ||
</ | </ | ||
Line 1007: | Line 1062: | ||
</ | </ | ||
- | ==== VM2: OpenVPN server | + | ==== Standard userland mode (slow) ==== |
+ | |||
+ | === VM2: OpenVPN server === | ||
Create the openvpn configuration file for server mode as / | Create the openvpn configuration file for server mode as / | ||
Line 1055: | Line 1112: | ||
< | < | ||
- | cat > / | + | cat > / |
client | client | ||
dev tun | dev tun | ||
remote 10.0.23.2 | remote 10.0.23.2 | ||
<ca> | <ca> | ||
- | 'EOF' | + | EOF |
cat / | cat / | ||
echo '</ | echo '</ | ||
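Review bot: replacing the quoted `'EOF'` delimiter with a bare `EOF` enables parameter and command substitution inside the heredoc; the visible body (`client`, `dev tun`, `remote 10.0.23.2`, `<ca>`) contains no `$` or backticks, so it is harmless here, but the quoted form is the safer default when writing config files and the change is not explained. If it was made for consistency with the other heredocs on the page, say so in the text; otherwise keep `'EOF'`.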
Line 1070: | Line 1127: | ||
echo '</ | echo '</ | ||
</ | </ | ||
- | ==== VM4: OpenVPN client | + | |
+ | === VM4: OpenVPN client === | ||
As OpenVPN client, VM4 should get its openvpn configuration file (that embedded certificate and key) from VM2 and put them in / | As OpenVPN client, VM4 should get its openvpn configuration file (that embedded certificate and key) from VM2 and put them in / | ||
Line 1077: | Line 1135: | ||
< | < | ||
mkdir / | mkdir / | ||
- | scp 10.0.23.2:/ | + | scp 10.0.23.2:/ |
</ | </ | ||
- | |||
Enable and start openvpn: | Enable and start openvpn: | ||
Line 1086: | Line 1143: | ||
service openvpn start | service openvpn start | ||
</ | </ | ||
- | ==== Testing | + | |
+ | === Testing === | ||
Pinging VM5 from VM1: | Pinging VM5 from VM1: | ||
Line 1159: | Line 1217: | ||
16: | 16: | ||
16: | 16: | ||
+ | </ | ||
+ | |||
+ | ==== Data Channel Offload (DCO), kernel mode (fast) ==== | ||
+ | |||
+ | Start with a working userland configuration, | ||
+ | * Need to load if_ovpn module on both side | ||
+ | * Need to enable subnet topology on the server side | ||
+ | |||
+ | === VM2: OpenVPN server === | ||
+ | |||
+ | < | ||
+ | service openvpn stop | ||
+ | sysrc kld_list=" | ||
+ | kldload if_ovpn | ||
+ | echo " | ||
+ | service openvpn start | ||
+ | </ | ||
+ | |||
+ | === VM4: OpenVPN client === | ||
+ | |||
+ | < | ||
+ | service openvpn stop | ||
+ | sysrc kld_list=" | ||
+ | kldload if_ovpn | ||
+ | service openvpn start | ||
+ | </ | ||
+ | |||
+ | === Testing === | ||
+ | |||
+ | Pinging VM5 from VM1: | ||
+ | < | ||
+ | root@VM1:~ # ping -c 2 10.0.45.5 | ||
+ | PING 10.0.45.5 (10.0.45.5): | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=1.700 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=1.629 ms | ||
+ | |||
+ | --- 10.0.45.5 ping statistics --- | ||
+ | 2 packets transmitted, | ||
+ | round-trip min/ | ||
+ | root@VM1:~ # ping -c 2 2001: | ||
+ | PING6(56=40+8+8 bytes) 2001: | ||
+ | 16 bytes from 2001: | ||
+ | 16 bytes from 2001: | ||
+ | |||
+ | --- 2001: | ||
+ | 2 packets transmitted, | ||
+ | round-trip min/ | ||
+ | |||
+ | </ | ||
+ | |||
+ | OpenVPN log file on VM2 (error installing route are due to DCO restriction): | ||
+ | < | ||
+ | Oct 4 18:29:40 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:40 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:40 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:40 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:40 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:40 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | </ | ||
+ | |||
+ | OpenVPN log file on VM4: | ||
+ | < | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:12 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:12 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:12 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:12 VM4 openvpn[86737]: | ||
</ | </ | ||
===== Wireguard ===== | ===== Wireguard ===== | ||
- | ==== Key pairs generation ==== | + | On current (14.0) needs only wireguard-tools (kernel module included), on older (12 or 13) needs wireguard-kmod. |
+ | ==== Key pairs generation | ||
The first step is to generate a couple of private and public keys on each wireguard endpoint. | The first step is to generate a couple of private and public keys on each wireguard endpoint. | ||
- | On VM2 and on VM4, generate the keys: | + | The standard way of generating |
< | < | ||
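Review bot: the DCO steps never verify that the kernel data path is really in use; if `if_ovpn` fails to load or the configuration is not DCO-compatible, OpenVPN can fall back to the userland tun path and the ping test alone cannot tell the two cases apart. Add a check in the same spirit as the Wireguard section's `kldstat -v -n if_wg.ko`, for example `kldstat -v -n if_ovpn.ko` plus an `ifconfig` showing an `ovpn` interface instead of `tun0`, so the reader can confirm the fast path before trusting the "error installing route" lines as benign. Separately, the new sentence "On current (14.0) needs only wireguard-tools ..." has no subject; suggest "On the current base system (14.0) only wireguard-tools is needed (the kernel module is included); on 12 or 13, wireguard-kmod is also required."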
Line 1176: | Line 1336: | ||
</ | </ | ||
+ | But on this example, we will use static keys as example. | ||
==== Router 2 ==== | ==== Router 2 ==== | ||
- | Display router 2 private key, and router 4 public key. | + | Write example-only static |
< | < | ||
+ | echo " | ||
+ | echo " | ||
cat > / | cat > / | ||
[Interface] | [Interface] | ||
- | PrivateKey = 8Og1cCmvirK+zcGus/ | + | PrivateKey = oFsqDWpgtlma4Dy3YkPd918d3Nw9xdV9MBVn4YT1N38= |
ListenPort = 51820 | ListenPort = 51820 | ||
[Peer] | [Peer] | ||
- | PublicKey = FSvVqj2s1FZqsSIvPLrE1RRTgbaPLbfG87P36F21M1g= | + | PublicKey = o267Qf43WlVTawLq/ |
- | AllowedIPs = 10.0.45.0/ | + | AllowedIPs = 10.0.45.0/ |
Endpoint = 10.0.34.4: | Endpoint = 10.0.34.4: | ||
EOF | EOF | ||
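Review bot: the private key in `PrivateKey = oFsqDWpgtlma4Dy3YkPd918d3Nw9xdV9MBVn4YT1N38=` is now published on the page, so the "Write example-only static" sentence should say plainly that these keys exist only to make the lab reproducible and that any real deployment regenerates both pairs with `wg genkey` from the previous section; a published private key lets anyone holding the page authenticate as that peer. The two `echo "` lines that write the static keys would also benefit from a one-line comment saying they replace the `wg genkey` step, since the flow otherwise reads as if the keys were generated on the router.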
Line 1199: | Line 1362: | ||
==== Router 4 ==== | ==== Router 4 ==== | ||
- | Display | + | Generate example-only |
< | < | ||
+ | echo " | ||
+ | echo " | ||
cat > / | cat > / | ||
[Interface] | [Interface] | ||
- | PrivateKey = ADfm6+sXZnoyDAkG/ | + | PrivateKey = 4HRXmxN77CVb5VykdNX6mqkzCh2ycu4hfWfYHTvkLGE= |
ListenPort = 51820 | ListenPort = 51820 | ||
[Peer] | [Peer] | ||
- | PublicKey = gaQij176wrz3g+2RTJ/S1oEnc7rx2reU1Z0Thrv4oXc= | + | PublicKey = z9wBhxr/K405uQeYnCoGRi6VGWu/ |
AllowedIPs = 10.0.12.0/ | AllowedIPs = 10.0.12.0/ | ||
Endpoint = 10.0.23.2: | Endpoint = 10.0.23.2: | ||
Line 1240: | Line 1405: | ||
2 packets transmitted, | 2 packets transmitted, | ||
round-trip min/ | round-trip min/ | ||
+ | </ | ||
+ | |||
+ | Are we using the kernel module? | ||
+ | < | ||
+ | root@VM2:~ # kldstat -v -n if_wg.ko | ||
+ | Id Refs Address | ||
+ | | ||
+ | Contains modules: | ||
+ | Id Name | ||
+ | 473 wg | ||
+ | </ | ||
+ | |||
+ | Displaying wg status on VM2: | ||
+ | < | ||
+ | root@VM2:~ # ifconfig wg0 | ||
+ | wg0: flags=80c1< | ||
+ | options=80000< | ||
+ | groups: wg | ||
+ | nd6 options=101< | ||
+ | root@VM2:~ # netstat -rn | grep " | ||
+ | Destination | ||
+ | 10.0.45.0/ | ||
+ | Destination | ||
+ | 2001: | ||
+ | root@VM2:~ # wg show | ||
+ | interface: wg0 | ||
+ | public key: z9wBhxr/ | ||
+ | private key: (hidden) | ||
+ | listening port: 51820 | ||
+ | |||
+ | peer: o267Qf43WlVTawLq/ | ||
+ | endpoint: 10.0.34.4: | ||
+ | allowed ips: 2001: | ||
+ | latest handshake: 32 seconds ago | ||
+ | transfer: 356 B received, 436 B sent | ||
</ | </ |
documentation/examples/gre_ipsec_and_openvpn.txt · Last modified: 2023/07/10 12:40 by olivier