Last active
September 10, 2021 17:42
-
-
Save northox/a34b14d4d9eb0c4db9eb8e34b2bef06f to your computer and use it in GitHub Desktop.
OpenBSD's OpenIKEd roadwarrior VPN config for Ipad and such
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ikev2 "inet" passive ipcomp esp \ | |
| from 0.0.0.0/0 to 10.0.1.0/24 \ | |
| from 10.0.0.0/24 to 10.0.1.0/24 \ | |
| local egress peer any \ | |
| srcid egress \ | |
| psk "strong-password" \ | |
| config protected-subnet 0.0.0.0/0 \ | |
| config address 10.0.1.0/24 \ | |
| config name-server 10.0.0.1 \ | |
| tag IKED |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| intra = "vio1" | |
| vpn = "enc0" | |
| set reassemble yes | |
| set block-policy return | |
| set loginterface egress | |
| set skip on { lo, enc } | |
| match in all scrub (no-df random-id max-mss 1440) | |
| table <ossec_fwtable> persist | |
| table <fuckers> persist file "/etc/fuckers" | |
| block in quick on egress from <fuckers> label "bad" | |
| block out quick on egress to <fuckers> label "bad" | |
| block in quick on egress from <ossec_fwtable> label "bad" | |
| block out quick on egress to <ossec_fwtable> label "bad" | |
| block in quick from urpf-failed label uRPF | |
| block return log | |
| pass out all modulate state | |
| pass in on egress proto { ah, esp } | |
| pass in on egress proto udp to (egress) port { isakmp, ipsec-nat-t } | |
| pass out on egress from 10.0.1.0/24 to any nat-to (egress) | |
| pass out on $intra from 10.0.1.0/24 to $intra:network nat-to ($intra) | |
| pass in quick inet proto icmp icmp-type { echoreq, unreach } | |
| pass in on egress proto tcp from any to (egress) port 22 keep state (max-src-conn 40, max-src-conn-rate 10/30, overload <fuckers> flush global) | |
| pass in on $intra proto { udp tcp } from any to ($intra) port 53 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| net.inet.esp.enable=1 | |
| net.inet.ah.enable=1 | |
| net.inet.ip.forwarding=1 | |
| net.inet.ipcomp.enable=1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| inet 10.0.1.1 255.255.255.0 10.0.1.255 | |
| up |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment