For work we needed a VPN from a number of Mac OS X laptops to an OpenBSD 5.6 router. I have a strong preference for the base tools available on every install of OpenBSD and Mac OS X, so I chose to configure L2TP over IPSec with pre-shared keys: npppd(8) handles the L2TP side, isakmpd(8) driven by an ipsec.conf(5) the IPSec side.
Enabling the needed services
Add the following to your /etc/rc.conf.local file to enable isakmpd(8), loading of ipsec.conf(5) and to enable
isakmpd(8) used to be configured through isakmpd.conf(5); these days ipsecctl(8) loads the much easier to understand ipsec.conf(5) into it instead. The contents for a setup with Mac OS X clients are pretty simple for OpenBSD 5.6 and 5.7:
Save it in /etc/ipsec.conf and be sure to replace YOUR_IP_ADDRESS with your IP address and YOUR_SECRET_KEY with a long, random password. Keep in mind that this one secret is shared by every laptop and is all that authenticates IKE phase 1: when a laptop is lost or leaves the company you have to change it on the router and on every remaining client.
Starting from OpenBSD 5.8 the ipsec.conf(5) defaults change to stronger transforms (the default Diffie-Hellman group becomes modp3072), which the Mac OS X client does not propose, so your configuration file needs to be explicit about the main and quick mode values in order to allow Mac OS X clients to connect:
Run /etc/rc.d/isakmpd start and load the ipsec.conf(5) settings into it by running ipsecctl -f /etc/ipsec.conf afterwards. Remember to reload the settings like that every time you restart the daemon, otherwise it will not use them: the ipsec=YES entry only makes /etc/rc load the file at boot, the rc.d script itself never does.
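The /etc/rc.conf.local and /etc/ipsec.conf listings are not reproduced above, so here is an added example of my own, not the author's files, that writes both following rc.conf(8) and ipsec.conf(5) syntax: the three-line form for 5.6/5.7 that relies on the old defaults, and the five-line form for 5.8 that pins main and quick mode to the SHA1/AES/modp1024 suite the Mac OS X client proposes. The router address 203.0.113.1, the PSK, the script name l2tp-isakmpd.sh and the ROOT prefix (which lets you render the files into a scratch directory before touching /etc) are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not the post's own listing: writes the isakmpd(8) side of the
# L2TP/IPsec setup. The router address, the PSK and the ROOT prefix are
# placeholders you pass in; file contents follow rc.conf(8) and ipsec.conf(5).
set -e

# Set ROOT to a scratch directory to preview the files; leave it empty on the
# OpenBSD router (as root) to write the real /etc files.
ROOT="${ROOT:-}"

# Every laptop shares this one secret and it is all that authenticates IKE
# phase 1, so refuse short keys and characters that break the quoted string.
check_psk() {
    if [ "${#1}" -lt 24 ]; then
        echo "psk shorter than 24 characters" >&2; return 1
    fi
    if printf '%s' "$1" | grep -q '[\\" ]'; then
        echo "psk must not contain backslashes, double quotes or spaces" >&2; return 1
    fi
}

# -K: isakmpd skips KeyNote policy checks and uses only what ipsecctl(8) loads;
# ipsec=YES makes /etc/rc load /etc/ipsec.conf at boot; npppd_flags starts npppd.
write_rc_conf_local() {
    mkdir -p "$ROOT/etc"
    cat >> "$ROOT/etc/rc.conf.local" <<'EOF'
isakmpd_flags="-K"
ipsec=YES
npppd_flags=""
EOF
}

# $1 = router IP, $2 = PSK, $3 = OpenBSD release ("5.6", "5.7" or "5.8")
write_ipsec_conf() {
    check_psk "$2" || return 1
    mkdir -p "$ROOT/etc"
    {
        printf '%s\n' 'ike passive esp transport \'
        printf '%s\n' "    proto udp from $1 to any port l2tp \\"
        if [ "$3" != 5.6 ] && [ "$3" != 5.7 ]; then
            # 5.8 moved the defaults to stronger transforms (modp3072 for the
            # DH group), which the Mac OS X client does not propose, so pin
            # the SHA1/AES/modp1024 suite it does offer.
            printf '%s\n' '    main auth "hmac-sha1" enc "aes" group modp1024 \'
            printf '%s\n' '    quick auth "hmac-sha1" enc "aes" \'
        fi
        printf '%s\n' "    psk \"$2\""
    } > "$ROOT/etc/ipsec.conf"
    chmod 0600 "$ROOT/etc/ipsec.conf"   # the PSK sits in here in clear text
}

# rc.d/isakmpd only starts the daemon; the rules must be pushed in afterwards
# (at boot /etc/rc does it because of ipsec=YES). Run this on the router only.
start_isakmpd() {
    ipsecctl -n -f /etc/ipsec.conf      # parse only: catch typos first
    /etc/rc.d/isakmpd start
    ipsecctl -f /etc/ipsec.conf
    ipsecctl -s flow                    # the l2tp transport flow should be listed
}

# usage: ROOT=/tmp/preview sh l2tp-isakmpd.sh render 203.0.113.1 'long-psk' 5.8
#        sh l2tp-isakmpd.sh start
case "${1:-}" in
    render) write_rc_conf_local; write_ipsec_conf "$2" "$3" "$4" ;;
    start)  start_isakmpd ;;
esac
```

ipsecctl -n -f parses the file without loading it, so a typo is caught before isakmpd is restarted, and the chmod matters because the shared secret is stored in the file in clear text.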
Next up: configuring npppd(8) with static users and passwords.
First make sure the kernel allows pipex(4) frames to be used by changing the pipex sysctl value, and add the same setting to /etc/sysctl.conf so it is applied on every boot. Now we need to edit npppd-users(5) and add lines like this:
Replace YOUR_USER_NAME and YOUR_USER_PASSWORD with appropriate values and don't forget to add that last : after the password. Save this file in /etc/npppd/npppd-users and start npppd with
You can customize npppd.conf(5) but the defaults are fine for me: they allow users with static passwords and will hand out IP addresses in the 10.0.0.0/24 range. Note that npppd-users(5) holds the passwords in clear text, so keep the file readable by root only.
Finally we need to reconfigure pf(4) in order to pass the needed packets. I used rules that allow IPSec connections on $ext_if2 and give the connected clients outgoing internet access over the same device.
Note that we specify rules over the pppx interface group. Every user that connects gets a virtual pppx(4) interface such as pppx1, created on the fly, so it is impossible to write separate entries for them all in advance; instead we can specify rules for all these interfaces at once using the interface group.
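The npppd-users(5) records, the pipex sysctl and the pf(4) rules from the last two sections are covered together in this added example, which is mine and not the author's lost listings: it writes the user file in the termcap-style format the text describes (rejecting the ':' and '\' characters that would corrupt a record), persists net.pipex.enable=1, and renders a pf rule file that passes IKE, NAT-T and ESP on $ext_if2, accepts L2TP only once it has come out of IPsec on enc0, passes the pppx interface group and NATs the 10.0.0.0/24 pool out of the same interface. The interface name em1, the user names and passwords, the script name l2tp-npppd.sh, the rule file /etc/pf.conf.l2tp (pulled into pf.conf with an include line) and the ROOT preview prefix are assumptions of this example, and the rule set is my reconstruction of the intent described above, not the author's file.

```shell
#!/bin/sh
# Added example, not the post's own listings: the npppd(8) and pf(4) side of the
# setup. "em1", the user names and the passwords are placeholders; the pf rules
# are a reconstruction of the intent described in the post, not the author's.
set -e

ROOT="${ROOT:-}"          # scratch prefix for previewing; empty on the router
VPN_NET="10.0.0.0/24"     # npppd.conf(5) default pool, as mentioned in the post

# pipex(4) lets the kernel handle the PPP/L2TP frames for npppd; set it now
# and persist it in sysctl.conf(5) (idempotent, so it can be re-run).
enable_pipex() {
    mkdir -p "$ROOT/etc"
    grep -qs '^net.pipex.enable=1$' "$ROOT/etc/sysctl.conf" ||
        echo 'net.pipex.enable=1' >> "$ROOT/etc/sysctl.conf"
    if [ "$(uname -s)" = OpenBSD ]; then sysctl net.pipex.enable=1; fi
}

# npppd-users(5) records are termcap style: "name:\" and a tab-indented
# ":password=...:" line ending in the ':' the post warns about. A ':' or '\'
# inside a name or password would corrupt the record, so reject them.
add_user() {
    if printf '%s%s' "$1" "$2" | grep -q '[\\:]'; then
        echo "user name and password must not contain ':' or '\\'" >&2; return 1
    fi
    mkdir -p "$ROOT/etc/npppd"
    printf '%s:\\\n\t:password=%s:\n' "$1" "$2" >> "$ROOT/etc/npppd/npppd-users"
    chmod 0600 "$ROOT/etc/npppd/npppd-users"   # passwords are stored in clear text
}

# pf rules go into their own file, pulled into pf.conf with
#   include "/etc/pf.conf.l2tp"
# $1 is the external interface, the post's $ext_if2.
write_pf_rules() {
    mkdir -p "$ROOT/etc"
    {
        printf 'ext_if2 = "%s"\nvpn_net = "%s"\n' "$1" "$VPN_NET"
        cat <<'EOF'

# IKE (500), NAT-T (4500) and ESP from the laptops to this router
pass in on $ext_if2 inet proto udp from any to ($ext_if2) port { 500, 4500 }
pass in on $ext_if2 inet proto esp from any to ($ext_if2)

# L2TP (1701) is accepted only after it has come out of IPsec, i.e. on enc0,
# so nobody can talk to npppd in clear text
block in quick on $ext_if2 inet proto udp from any to ($ext_if2) port 1701
pass in on enc0 inet proto udp from any to ($ext_if2) port 1701 keep state (if-bound)
pass out on enc0 inet proto udp from ($ext_if2) to any port 1701 keep state (if-bound)

# every connected user gets a pppx(4) interface; the pppx group matches them all
pass in on pppx inet from $vpn_net
pass out on pppx inet to $vpn_net

# "Send all traffic over VPN": NAT the clients out of the same interface
match out on $ext_if2 inet from $vpn_net to any nat-to ($ext_if2)
pass out on $ext_if2 inet
EOF
    } > "$ROOT/etc/pf.conf.l2tp"
}

# Only meaningful on the router: check the rule set, load it, start npppd and
# list the pppx interfaces (one appears per connected user).
apply() {
    pfctl -nf /etc/pf.conf
    pfctl -f /etc/pf.conf
    /etc/rc.d/npppd start
    ifconfig pppx
}

# usage: ROOT=/tmp/preview sh l2tp-npppd.sh render alice 'long-passphrase' em1
#        sh l2tp-npppd.sh apply
case "${1:-}" in
    render) enable_pipex; add_user "$2" "$3"; write_pf_rules "$4" ;;
    apply)  apply ;;
esac
```

The block on UDP 1701 at $ext_if2 is what makes the "only over IPsec" property hold: decrypted L2TP packets are seen by pf on enc0, not again on the physical interface, so the only path to npppd is through an established SA.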
Configuring the Mac OS X clients
Go to “Network Preferences” and click on the plus button on the left bottom corner.
Choose “VPN”, “L2TP over IPSec” and give it a recognizable name.
Now enter the IP address that you added in ipsec.conf(5) in the "Server Address" field and the username you added in npppd-users(5) in the "Account Name" field.
Click "Authentication Settings" and fill in the npppd-users(5) password in the "Password" field and the psk value of your ipsec.conf(5) in the "Shared Secret" field. Press OK to close the "Authentication Settings".
Finally go to “Advanced” and check “Send all traffic over VPN connection” to avoid having to configure your ip routes on every new connect attempt.
Apply the settings and hit connect!
This should give you two progress bars like in the screenshot above. When any traffic is sent or received they fill up with green, which is pretty handy when debugging why something is not working.
Using tools available by default on OpenBSD and the Mac OS X clients we've set up a VPN that allows the travelling Mac OS X users to connect to their office network to share files over AirDrop, print documents for colleagues and browse the internet securely.