#+TITLE: Creating a VPN Gateway with OpenBSD 6.7
#+DATE: 2020-07-11T13:48:25-04:00
#+DRAFT: true
#+DESCRIPTION:
#+TAGS[]: openbsd openvpn
#+KEYWORDS[]: openbsd openvpn
#+SLUG:
#+SUMMARY:

Say you have an account with a VPN provider. Maybe there is a limit to how many connections you can have with one account, and you want to put more machines on the account than you have connections. Or maybe you want to put a large number of machines on the connection, possibly including FreeBSD Jails, LXC containers, or VMs, and you don't want to download the VPN profiles, sign in, and configure them all individually.

The solution I came up with for this problem is to set up a VPN gateway on my network using [[https://www.openbsd.org/faq/pf/][OpenBSD]]. Any device that sets that machine as its gateway will automatically get its traffic tunneled through the VPN connection.

It's also set up such that if the VPN connection ever drops or gets killed for any reason, the traffic will stop and won't be able to reach the internet. Thanks to this I don't have to worry about the traffic ever leaking out through my residential gateway should OpenVPN decide to close the connection. Sort of like a "kill switch", as some companies market it.

The process for this is actually simple enough, thanks to OpenBSD's firewall, PF.

To replicate my setup you'll need a dedicated machine running OpenBSD. You'll have to choose an appropriate host, taking into consideration how much traffic you plan to put through it, the speed of your VPN connection, and the speed of your home internet connection. Anything from a virtual machine to a low-power single-board PC will do in most cases, as home internet connections generally aren't the fastest.
If your internet connection is fast enough though, you may consider [[https://blog.lambda.cx/posts/installing-openbsd-on-pcengines/][installing OpenBSD]] on a [[https://blog.lambda.cx/posts/pcengines-comparison/][PC Engines APU2]], as they're affordable, have gigabit Ethernet, and have great OpenBSD driver support.

I highly recommend you check out the man pages for the firewall configuration file format, [[https://man.openbsd.org/man5/pf.conf.5][=pf.conf(5)=]], and the PF control command, [[https://man.openbsd.org/man8/pfctl.8][=pfctl(8)=]], if you plan on setting something like this up. They're very well written and explain a lot of what I'm doing in very clear detail. You should also read the excellent [[https://www.openbsd.org/faq/pf/][PF FAQ]] from the OpenBSD website, which covers many more PF configuration examples.

The first thing we'll have to do is install OpenBSD. I created a virtual machine on a server in my house running [[https://www.proxmox.com/en/][Proxmox]]. The machine only has 1 vCPU and 512 MB RAM, which is more than enough in my case, but you should choose the best machine for your situation.

I won't be covering installing OpenBSD here, although it's extremely simple and straightforward. You can pick up the disk =.iso= image or USB =.fs= image from the [[https://www.openbsd.org/faq/faq4.html#Download][download]] page on the OpenBSD website. If this is your first time installing OpenBSD, you should check out the [[https://www.openbsd.org/faq/faq4.html#Download][installation guide]], which goes over the process in greater detail.

In this post the machine will have a single network interface called =vio0= with a desired static IP of =192.168.0.11=, although the interface and IP in your case will be different. The most important thing is to set a static IP, so that the machine can be set as the gateway for client machines. We'll set this first.