VPN and Cryptographic Tunneling

Synopsis #

This chapter covers site-to-site virtual private networks (VPNs) and host-to-host cryptographic tunnels on OpenBSD. It focuses on IKEv2 using the base system iked(8) and the kernel IPsec stack ipsec(4) , with practical patterns for NAT traversal, selector design, and observability. It also shows a minimal pattern for WireGuard-style tunnels with the in-kernel interface wg(4) . Runtime management uses ikectl(8) , packet filtering is handled by pf.conf(5) and pfctl(8) , and link inspection uses tcpdump(8) . The encrypted interface for IPsec is enc(4) .

Use these patterns to interconnect sites over untrusted networks, to publish internal services across providers securely, or to replace legacy tunnels with modern cryptography.

Design Considerations #

• Selectors and scope. Define traffic by networks (for example, 10.0.0.0/24 ↔ 10.20.0.0/24) rather than any. Keep selectors minimal and symmetric on both peers.
• Authentication. Pre-shared key (PSK) is simplest for site-to-site. Certificates scale better and are preferred where third-party trust or revocation is needed.
• NAT traversal. Permit UDP ports 500 and 4500 and protocol ESP on WAN. IKEv2 NAT-T is automatic when address translation is detected.
• Routing. For routed sites, enable IPv4/IPv6 forwarding and add static routes (or dynamic routing inside the tunnel).
• Performance. Prefer AES-GCM proposals to offload integrity to the cipher. Keep MTU and MSS in mind where encapsulation crosses constrained links.
• Operations. Ensure time sync on all peers (for example, with ntpd(8) ). Log IKE and PF events during rollout.

Configuration #

The examples assume:

• Site A WAN: 198.51.100.10, LAN: 10.0.0.0/24
• Site B WAN: 203.0.113.10, LAN: 10.20.0.0/24

Adjust interface names and addresses to match your environment.

Baseline system settings (both sites) #

# printf '%s\n' \
    'net.inet.ip.forwarding=1' \
    'net.inet6.ip6.forwarding=1' \
    >> /etc/sysctl.conf
  # Enable L3 forwarding for routed traffic through the firewall/router

# sysctl net.inet.ip.forwarding=1 net.inet6.ip6.forwarding=1
  # Apply immediately

PF allowances for IKEv2 and ESP (both sites) #

Permit IKE (UDP 500/4500) and ESP on the WAN, and allow traffic between the protected subnets on the inside. Syntax is defined in pf.conf(5) .

## /etc/pf.conf — minimal allowances for IKEv2/IPsec

set skip on lo

wan     = "em0"           # adjust
lan_net = "{ 10.0.0.0/24, 10.20.0.0/24 }"

block all

# IKE and IPsec on the WAN
pass in on $wan proto udp to ($wan) port { 500, 4500 } keep state
pass in on $wan proto esp keep state
pass out on $wan proto { udp, esp } keep state

# Permit protected subnets after decryption
pass on enc0 from 10.0.0.0/24 to 10.20.0.0/24 keep state
pass on enc0 from 10.20.0.0/24 to 10.0.0.0/24 keep state

Reload and confirm with pfctl(8) .

# pfctl -f /etc/pf.conf
# pfctl -sr | egrep 'udp .* (500|4500)|proto esp|enc0'

Site-to-site IKEv2 with PSK #

Configuration is in iked.conf(5) . One side initiates (active), the other listens (passive). Proposals below use AES-GCM.

Site A (initiator) #

## /etc/iked.conf — Site A

ikev2 "s2s-a2b" active esp from 10.0.0.0/24 to 10.20.0.0/24 \
    peer 203.0.113.10 \
    ikesa enc aes-256-gcm prf sha256 group 14 \
    childsa enc aes-256-gcm \
    psk "change-this-shared-secret"

Site B (responder) #

## /etc/iked.conf — Site B

ikev2 "s2s-b2a" passive esp from 10.20.0.0/24 to 10.0.0.0/24 \
    ikesa enc aes-256-gcm prf sha256 group 14 \
    childsa enc aes-256-gcm \
    psk "change-this-shared-secret"

Enable and start iked(8) on both peers with rcctl(8) ):

# rcctl enable iked
  # Start at boot
# rcctl start iked
  # Launch now (initiator will dial the responder)

If either peer is behind NAT, IKEv2 will encapsulate ESP in UDP 4500 automatically (NAT-T). Ensure the upstream allows those ports.

Minimal WireGuard-style tunnel with wg(4) #

The wg(4) interface provides a compact, static-key tunnel. Keys are Curve25519; generate them per the wg(4) documentation and place the private key on each host (for example, /etc/wg/private.key). Interface attributes are set with ifconfig(8) .

Example: point-to-point /30 between hosts with inside addresses 10.99.0.1/30 (Site A) and 10.99.0.2/30 (Site B), UDP port 51820.

Site A #

# ifconfig wg0 create
  # Create the interface
# ifconfig wg0 inet 10.99.0.1/30
  # Assign inside address
# ifconfig wg0 wgport 51820
  # Listen on UDP/51820
# ifconfig wg0 wgkey `cat /etc/wg/private.key`
  # Load this host's private key
# ifconfig wg0 wgpeer <SITE_B_PUBLIC_KEY> wgendpoint 203.0.113.10 51820
  # Configure peer's public key and endpoint
# ifconfig wg0 wgpeer <SITE_B_PUBLIC_KEY> wgaip 10.99.0.2/32
  # Allowed-IPs for the peer (peer's inside address)
# route add -net 10.20.0.0/24 10.99.0.2
  # Route a remote LAN via the tunnel if needed

Site B #

# ifconfig wg0 create
# ifconfig wg0 inet 10.99.0.2/30
# ifconfig wg0 wgport 51820
# ifconfig wg0 wgkey `cat /etc/wg/private.key`
# ifconfig wg0 wgpeer <SITE_A_PUBLIC_KEY> wgendpoint 198.51.100.10 51820
# ifconfig wg0 wgpeer <SITE_A_PUBLIC_KEY> wgaip 10.99.0.1/32
# route add -net 10.0.0.0/24 10.99.0.1

Permit the WireGuard UDP port on each WAN and allow the inside prefixes on wg0 in PF as appropriate.

Verification #

• IKEv2 state and flows with ikectl(8) :

$ ikectl show sa
  # IKE_SA and CHILD_SA state, SPIs, lifetimes
$ ikectl show flows
  # Traffic selectors currently installed

• Encapsulated traffic on the wire with tcpdump(8) :

# tcpdump -ni em0 port 500 or port 4500 or proto esp
  # IKE_SA negotiation and ESP/NAT-T on the WAN
# tcpdump -ni enc0 host 10.20.0.50
  # Plaintext (post-decrypt) traffic on enc0 for IPsec
# tcpdump -ni em0 udp port 51820
  # WireGuard UDP transport

• Path testing:

$ ping -n -c 3 10.20.0.1
  # From a host behind Site A to a host behind Site B (IKEv2)
$ ping -n -c 3 10.99.0.2
  # Between tunnel endpoints (WireGuard)

• PF and routes:

$ pfctl -vvsr | egrep 'udp .* (500|4500)|proto esp|udp .* 51820'
  # Confirm allowances
$ netstat -rn | egrep '10\.99\.0\.|10\.20\.0\.'
  # Confirm inside/tunnel routes

Troubleshooting #

• No IKE negotiation. Verify UDP 500/4500 reachability and that the responder is in passive mode. Inspect logs in /var/log/daemon for iked.
• Selector mismatch. If one side uses 10.0.0.0/24 ↔ 10.20.0.0/24 and the other uses 10.0.0.0/24 ↔ 10.0.0.0/24, CHILD_SA will not install. Align from/to networks. Check ikectl show flows.
• NAT or path asymmetry. Ensure upstreams carry UDP 4500 unchanged and that return traffic follows the same egress. For IPsec, enc0 rules should allow the protected subnets.
• MTU black holes. If large transfers stall, clamp MSS on the WAN during testing in PF (scrub in max-mss ...) and refine after measuring path MTU.
• Clock skew. Certificates and IKE lifetimes are time-sensitive. Ensure NTP is working with ntpd(8) .
• WireGuard handshake fails. Confirm the correct public keys, matching wgport, reachable wgendpoint, and that each side has the other’s inside /32 as an allowed IP. Use ifconfig wg0 to view current peers and statistics.

See Also #

• Networking
• OpenBGPD
• Related: Classic and Lightweight Tunnels
• Related: Hardening and Operational Safety