Monday, April 29, 2024

Re: VPN with iked(8)

On Mon, Apr 29, 2024 at 01:47:45AM +0200, Odd Martin Baanrud said:
>I'm planning to set up a VPN on my router with iked(8).
>The first goal is to have my Macbook and iPhone connected, both to route the traffic through my router at home, and to get access to the services running on a machine behind the router.

I've been doing this for the better part of a decade, it works well. I
have some information here:

https://www.going-flying.com/blog/protecting-my-macos-and-ios-devices-with-an-openbsd-vpn.html

>In my case, I guess X.509 is the way to go regarding authentication.
>The FAQ tells how to create the necessary stuff, so that's ok.
>But what kind of domain to use for the file names?

I use my internal network domain names. It doesn't really matter as
long as both sides agree and the cert validates to a trusted root.

>Can the created client X.509 bundle be used directly on iPhone and Mac?

I create a profile that installs the CA chain which I use on my macOS
and iOS devices. I then create a per-device profile with the specific
VPN configuration for that device, including the IDs and device cert/key
pair. You may need to export the generated cert and key as a PKCS12
bundle if you are going to do that.

>Regarding PF:
>Now I have a general match rule for NAT, which NATs traffic from all NICs.
>Is it enough to do NAT for the VPN traffic, or do I need to implement a separate rule for that purpose?

I use a single match rule outbound on the egress interface to enable NAT
if the packet is going from my RFC-1918 IP space (including the VPN range)
to ! my RFC-1918 IP space.

--Matt

--
Please direct replies to the list.
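The single outbound NAT rule Matt describes, written out as a pf.conf fragment. This is an added illustration, not Matt's or the OpenBSD FAQ's configuration; the interface name, the client pool and the table name are placeholders. The private ranges go in a table rather than a brace list because pf does not allow a negated list, but does allow a negated table.

```pf
# Added illustration of a single outbound NAT rule for a router running iked(8).
# ext_if, vpn_pool and the table name are assumed placeholders.
ext_if   = "em0"            # assumed egress interface
vpn_pool = "10.99.0.0/24"   # assumed iked client address pool; lies inside RFC 1918 space

# All private space, LAN and VPN pool included. A table is used so it can be negated.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Let IKEv2 (UDP 500), NAT-T (UDP 4500) and ESP reach iked on the router itself.
pass in on $ext_if proto udp from any to ($ext_if) port { isakmp, ipsec-nat-t }
pass in on $ext_if proto esp from any to ($ext_if)

# Decapsulated VPN traffic appears on enc0; allow clients in and replies back out.
pass in  on enc0 inet from $vpn_pool
pass out on enc0 inet to   $vpn_pool

# One match rule: apply NAT only when a private source (LAN or VPN pool) is
# leaving for a non-private destination. VPN-to-LAN traffic never matches,
# so services behind the router see the client's VPN address unchanged.
match out on $ext_if inet from <rfc1918> to !<rfc1918> nat-to ($ext_if)
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; because the match rule is keyed on source and destination rather than on interface, clients that arrive over the VPN are covered by the same rule as the LAN without a second NAT statement.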
