Thursday, September 14, 2017

Encrypt your LAN with IPsec (OpenBSD)



IPsec is often used for Virtual Private Networks (VPN) but can also be used between computers on a local network. IPsec provides encryption and authentication and prevents replay attacks.

Some protocols are useful but don't have great security, like NFS, NIS, and SNMP. You can run them securely if your LAN is secured with IPsec.

OpenBSD supports IPsec natively as well as Internet Key Exchange (IKE) protocol version 1. OpenIKED supports IKEv2 but doesn't support transport mode, meaning it can only be used for VPNs, so we'll use IKEv1 here.

Here's how to configure two computers to use IPsec to talk to each other. We'll use public keys (without X.509 certificates, for simplicity).

Host ipsecone (10.0.2.4)


# cat << EOF > /etc/ipsec.conf
ike active esp transport from 10.0.2.4 to 10.0.2.5 \
  main auth hmac-sha1 enc aes \
  quick auth hmac-sha2-256 enc aes
EOF
# chmod 640 /etc/ipsec.conf

# cd /etc/isakmpd/pubkeys/ipv4
# scp notRoot@10.0.2.5:/etc/isakmpd/local.pub 10.0.2.5 `# save the peer's public key under its IP address, which is where isakmpd looks for it`

# rcctl enable ipsec
# rcctl enable isakmpd
# rcctl set isakmpd flags "-KTv" `# K = disable keynote policy checking so ipsec.conf supplies the configuration, T = disable NAT traversal, v = verbose logging`

# ipsecctl -vf /etc/ipsec.conf  `# start ipsec, or reboot`
# rcctl start isakmpd

Host ipsectwo (10.0.2.5)


# cat << EOF > /etc/ipsec.conf
ike active esp transport from 10.0.2.5 to 10.0.2.4 \
  main auth hmac-sha1 enc aes \
  quick auth hmac-sha2-256 enc aes
EOF
# chmod 640 /etc/ipsec.conf

# cd /etc/isakmpd/pubkeys/ipv4
# scp notRoot@10.0.2.4:/etc/isakmpd/local.pub 10.0.2.4 `# save the peer's public key under its IP address, which is where isakmpd looks for it`

# rcctl enable ipsec
# rcctl enable isakmpd
# rcctl set isakmpd flags "-KTv" `# K = disable keynote policy checking so ipsec.conf supplies the configuration, T = disable NAT traversal, v = verbose logging`

# ipsecctl -vf /etc/ipsec.conf  `# start ipsec, or reboot`
# rcctl start isakmpd


Testing

On ipsecone, run # tcpdump host 10.0.2.5

On ipsectwo, run # ping 10.0.2.4

On ipsecone, you should see "esp" and "spi" in your tcpdump output, and no plaintext "icmp" lines between the two hosts.
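As an added example (not part of the original post), the check below turns that "look for esp and spi" step into a script: it reads tcpdump output for one peer and fails if any IP packet involving that peer went out in the clear. It assumes the OpenBSD `tcpdump -n` line formats `esp A > B spi 0x... seq N len L` for ESP and `A.500 > B.500: isakmp ...` for IKE (which is expected to be unencrypted); the sample captures, timestamps and SPIs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: classify tcpdump(8) output for
# traffic involving one peer and fail if any of it is plaintext IP.
# Assumed OpenBSD tcpdump -n line formats:
#   "esp 10.0.2.5 > 10.0.2.4 spi 0x... seq 1 len 116"   (ESP, protected)
#   "10.0.2.5.500 > 10.0.2.4.500: isakmp v1.0 ..."      (IKE, cleartext by design)
# Live usage: tcpdump -n -l host PEER | classify_capture PEER

classify_capture() {
    peer=$1
    esp=0 ike=0 arp=0 plain=0
    while IFS= read -r line; do
        case $line in
            *"$peer"*) ;;                # only packets that involve the peer
            *) continue ;;
        esac
        case $line in
            *" esp "*" spi 0x"*)   esp=$((esp + 1)) ;;     # encrypted payload
            *isakmp*|*".500 > "*)  ike=$((ike + 1)) ;;     # key exchange, expected in the clear
            "arp "*|*" arp "*)     arp=$((arp + 1)) ;;     # layer 2, not covered by IPsec
            *) plain=$((plain + 1)); echo "PLAINTEXT: $line" ;;
        esac
    done
    echo "esp=$esp ike=$ike arp=$arp plaintext=$plain"
    # succeed only if something was actually protected and nothing leaked
    [ "$plain" -eq 0 ] && [ "$esp" -gt 0 ]
}

# Constructed sample captures (timestamps and SPIs are made up).
SAMPLE_GOOD='12:00:01.000100 10.0.2.5.500 > 10.0.2.4.500: isakmp v1.0 exchange ID_PROT
12:00:01.004200 10.0.2.4.500 > 10.0.2.5.500: isakmp v1.0 exchange ID_PROT
12:00:02.000001 esp 10.0.2.5 > 10.0.2.4 spi 0x0c4e1f37 seq 1 len 116
12:00:02.000200 esp 10.0.2.4 > 10.0.2.5 spi 0x9b2d8a60 seq 1 len 116'

SAMPLE_LEAK='12:00:02.000001 10.0.2.5 > 10.0.2.4: icmp: echo request
12:00:02.000200 10.0.2.4 > 10.0.2.5: icmp: echo reply
12:00:03.000000 esp 10.0.2.5 > 10.0.2.4 spi 0x0c4e1f37 seq 2 len 116'

printf '%s\n' "$SAMPLE_GOOD" | classify_capture 10.0.2.5 && echo "OK: traffic with the peer is encrypted"
printf '%s\n' "$SAMPLE_LEAK" | classify_capture 10.0.2.5 || echo "FAIL: plaintext seen, compare flows with ipsecctl -sa"
```

A capture that shows only ISAKMP and ARP, with no ESP at all, also fails, since that usually means the SA never came up and the ping is simply not getting through rather than being protected.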

Logging

You can see IPsec / IKE log output in /var/log/daemon.

Wednesday, September 6, 2017

Monitor a remote computer securely using SNMP (OpenBSD)

The Simple Network Management Protocol (SNMP) lets you query a computer for system monitoring info, like uptime and hard drive capacity.

OpenBSD has an SNMP server built in (snmpd), as well as an SNMP client (snmpctl).

OpenBSD includes SNMP info (MIBs) for CARP, relayd, and pf as well as the standard ones.

The OpenBSD client is limited to version 2 of SNMP, so we'll use net-snmp, which supports version 3 and therefore authentication and encryption. There's a package for that.

Server (10.0.2.35)

# cat /etc/snmpd.conf

listen on 10.0.2.35
seclevel enc
user "snmp" authkey "s3cr3t00" enckey "s3cr3t00" enc aes auth hmac-sha1

# chown root:_snmpd /etc/snmpd.conf `# root is owner, _snmpd is group`
# chmod u=w,g=r,o= /etc/snmpd.conf `# root write, _snmpd read, other nothing`
# rcctl enable snmpd
# rcctl start snmpd

Need to check your config?

# snmpd -n

Need to debug snmpd?

# snmpd -dvv
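Because the only thing standing between a plaintext `community public` setup and the authenticated, encrypted one above is a few lines of snmpd.conf, it is worth checking the file mechanically. The script below is an added example (not from the original post) that audits an snmpd.conf for the settings this post relies on: `seclevel enc`, users with an `enckey` using `enc aes` and `auth hmac-sha1`, no `read-only`/`read-write`/`trap community` lines, and no world-readable permissions on the file that holds the keys. Directive names are those of OpenBSD snmpd.conf(5); the weak and hardened sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit an snmpd.conf for
# SNMPv3-with-encryption settings and key file permissions.
# Directive names follow OpenBSD snmpd.conf(5): seclevel, user ... authkey/
# enckey/auth/enc, and read-only/read-write/trap community.

audit_snmpd_conf() {   # audit_snmpd_conf FILE -> 0 if clean, 1 if any finding (findings are printed)
    file=$1 bad=0 seclevel=''
    [ -r "$file" ] || { echo "$file: cannot read"; return 1; }
    # ls -l columns 8-10 are the "other" permission bits; the file holds keys
    other=$(ls -l "$file" | cut -c8-10)
    if [ "$other" != '---' ]; then
        echo "$file: readable by others (mode ...$other); run chmod o= $file"; bad=1
    fi
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
            'read-only community'*|'read-write community'*|'trap community'*)
                echo "$file: '$line' enables v1/v2c, which has no authentication or encryption"; bad=1 ;;
            seclevel*)
                set -- $line; seclevel=$2 ;;
            user*)
                case $line in *enckey*) ;; *) echo "$file: user has no enckey, so v3 replies are unencrypted: $line"; bad=1 ;; esac
                case $line in *'enc des'*) echo "$file: DES is weak, use 'enc aes': $line"; bad=1 ;; esac
                case $line in *'auth hmac-md5'*) echo "$file: HMAC-MD5 is weak, use 'auth hmac-sha1': $line"; bad=1 ;; esac ;;
        esac
    done < "$file"
    if [ "$seclevel" != enc ]; then
        echo "$file: seclevel is '${seclevel:-unset}'; 'seclevel enc' refuses v3 requests that are not authenticated and encrypted"; bad=1
    fi
    return $bad
}

# Constructed samples: a weak configuration next to the one this post uses.
weak=$(mktemp) good=$(mktemp)
cat > "$weak" <<'EOF'
listen on 10.0.2.35
read-only community public
seclevel auth
user "snmp" authkey "s3cr3t00" auth hmac-md5
EOF
chmod 644 "$weak"
cat > "$good" <<'EOF'
listen on 10.0.2.35
seclevel enc
user "snmp" authkey "s3cr3t00" enckey "s3cr3t00" enc aes auth hmac-sha1
EOF
chmod 640 "$good"
audit_snmpd_conf "$weak" || echo "--> weak config has findings"
audit_snmpd_conf "$good" && echo "--> hardened config passes"
rm -f "$weak" "$good"
```

Run it as `audit_snmpd_conf /etc/snmpd.conf` after editing and before `rcctl start snmpd`; `snmpd -n` still does the syntax check, this only looks at the security-relevant choices.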

Client

# pkg_add net-snmp
# cat /etc/snmp/snmp.conf

defSecurityName snmp
defSecurityLevel authPriv
defPassphrase "s3cr3t00"
defAuthType SHA
defPrivType AES

# chown root:wheel /etc/snmp/snmp.conf `# root is owner, wheel is group`
# chmod u=w,g=r,o= /etc/snmp/snmp.conf `# root write, wheel read, other nothing`
# snmpwalk 10.0.2.35 | less `# shows much info from remote system`

Forward syslogs to a central server using TLS (OpenBSD)

Syslogd runs by default on OpenBSD and is used to collect log messages on a host.

You can see (some of) the logs using

$ tail /var/log/messages

And you can add a message using

$ logger 'hello'

Say you have dozens or hundreds of servers. You don't want to log in to each one and look at each log. Instead, it makes sense to forward them to a central server. It's also safer, as it makes it more difficult for a hacker to hide his tracks.

We don't want to send potentially sensitive logs in plain text, so we'll use TLS.

Server (10.0.2.35 aka 'loghost')

# cd /etc/ssl/private
# openssl genrsa -out loghost.key 2048 `# generate 2048-bit RSA key`
# openssl req -x509 -new -key loghost.key -out ../loghost.crt -days 365 `# generate cert. set common name to loghost`
# echo '10.0.2.35 loghost' >> /etc/hosts
# rcctl set syslogd flags "-S loghost" `# -S makes syslogd accept incoming TLS connections on the loghost address`
# rcctl restart syslogd
# tail -f /var/log/messages `# watch for syslog messages`

Client (10.0.2.36 aka 'logclient')


Add to /etc/syslog.conf:

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none  @tls://loghost
auth,daemon,syslog,user.info;authpriv,kern.debug  @tls://loghost

# echo '10.0.2.35 loghost' >> /etc/hosts
# scp nonRootSSHUser@loghost:/etc/ssl/loghost.crt /etc/ssl/trusted.crt `# copy the cert from server`
# rcctl set syslogd flags "-h -C /etc/ssl/trusted.crt" `# -h includes the hostname in forwarded messages, -C sets the CA file used to verify loghost's certificate`
# rcctl restart syslogd
# logger hello from logclient `# you should see this on loghost`

If you need to debug syslogd, run /usr/sbin/syslogd -d
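A single mistyped character in a selector (a `.` where a `,` belongs) silently drops a facility from forwarding, and a bare `@loghost` action sends everything in the clear. The script below is an added example (not from the original post) that validates the selectors in a syslog.conf and flags any forwarding action that does not use `@tls://`. Facility and level names are those accepted by OpenBSD syslogd, with `*` as the wildcard; the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: validate syslog.conf(5) selectors
# and flag forwarding actions that are not @tls://.

FACILITIES='kern user mail daemon auth syslog lpr news uucp cron authpriv ftp local0 local1 local2 local3 local4 local5 local6 local7'
LEVELS='debug info notice warning warn err error crit alert emerg panic none'

in_list() {   # in_list WORD 'space separated list'
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

validate_selector() {   # validate_selector 'fac[,fac].level[;...]' -> 0 if well-formed
    sel=$1 bad=0
    set -f                                   # '*' is a syslog wildcard, not a glob
    oldifs=$IFS; IFS=';'; set -- $sel; IFS=$oldifs
    for part; do
        case $part in
            *.*) facs=${part%%.*}; lvl=${part#*.} ;;   # split at the first dot only
            *)   echo "selector '$part': missing .level"; bad=1; continue ;;
        esac
        if [ "$lvl" != '*' ] && ! in_list "$lvl" "$LEVELS"; then
            echo "selector '$part': unknown level '$lvl' (a '.' where ',' was meant?)"; bad=1
        fi
        IFS=','; set -- $facs; IFS=$oldifs
        for f; do
            if [ "$f" != '*' ] && ! in_list "$f" "$FACILITIES"; then
                echo "selector '$part': unknown facility '$f'"; bad=1
            fi
        done
    done
    set +f
    return $bad
}

validate_syslog_conf() {   # validate_syslog_conf FILE -> 0 if every line is well-formed and forwarding uses TLS
    file=$1 rc=0 n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in ''|'#'*|'!'*|'+'*|'-'*) continue ;; esac   # comments, program (!prog) and host (+/-host) blocks
        set -f; set -- $line; set +f
        [ $# -eq 0 ] && continue                                  # whitespace-only line
        if [ $# -lt 2 ]; then echo "$file:$n: no action after '$1'"; rc=1; continue; fi
        validate_selector "$1" || rc=1
        case $2 in
            @tls://*) ;;                                          # encrypted forwarding, as in this post
            @*) echo "$file:$n: '$2' forwards in cleartext; use @tls://host"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# Constructed sample: two TLS forwarding lines, one with a '.' typed where a
# ',' belongs, and one cleartext forward.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none  @tls://loghost
auth,daemon,syslog,user.info;authpriv.kern.debug  @tls://loghost
mail.info  @loghost
EOF
validate_syslog_conf "$tmp" || echo "--> fix the lines above before restarting syslogd"
rm -f "$tmp"
```

Run `validate_syslog_conf /etc/syslog.conf` on the client before `rcctl restart syslogd`; the `logger hello from logclient` test above then confirms the end-to-end path.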