Configuring an OpenVPN proxy on OpenBSD
First of all install the needed tools:
$ pkg_add openvpn openvpn_bsdauth
Now create a minimal PKI (Public Key Infrastructure), consisting of a CA (Certificate Authority) and the server
certificate. You could also create client certificates, but here we will
use password-based authentication for the clients.
The easiest way to do this is to use the easy-rsa scripts, which you can find in /usr/local/share/examples/openvpn/easy-rsa/1.0/.
Simply copy the whole directory into your home directory in order to work on it.
Edit the vars file to match your site, then do the following:
$ . vars
$ ./build-ca
$ ./build-key-server server
$ ./build-dh
All generated keys are put in the keys/ subdirectory.
The configuration files below reference them under /etc/openvpn/, so place the ones they need there.
Put the following in your /etc/openvpn/server.conf:
# net
dev tun0
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
# system
daemon
user _openvpn
status /var/log/openvpn
verb 3
# keys
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
# auth
client-cert-not-required
username-as-common-name
script-security 3 system
auth-user-pass-verify /usr/local/libexec/openvpn_bsdauth via-env
# misc
duplicate-cn
persist-key
persist-tun
keepalive 10 120
Add this line to your /etc/pf.conf to perform NAT, where em0 is your external interface:
pass out on em0 from 10.8.0.0/24 to any nat-to (em0)
Enable IP packet forwarding in /etc/sysctl.conf so that it persists across reboots, or immediately with:
$ sysctl net.inet.ip.forwarding=1
Add all users that need to authenticate to the _openvpnusers group by editing /etc/group:
_openvpnusers:*:596:lostd,dsp
Finally, to start the service automatically at boot, create the /etc/hostname.tun0 file with the following contents:
up
!/usr/local/sbin/openvpn /etc/openvpn/server.conf
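As an added pre-flight check (example code written for this page, not part of the guide, of OpenVPN or of OpenBSD), the script below lints a server.conf for the option combinations this setup relies on and confirms that the users from the /etc/group line really are members of _openvpnusers, which is what openvpn_bsdauth requires before it will authenticate anyone. The config and group files it reads are constructed inline so it runs on any POSIX sh; the "good" copy names dh2048.pem rather than the guide's dh1024.pem, because 1024-bit DH parameters are considered too weak today and the check flags them.

```shell
#!/bin/sh
# Pre-flight check for the OpenVPN server setup in this guide (added example,
# not the guide's own code). All files it inspects are constructed below.

# has_option FILE OPTION: succeed if OPTION starts a line in FILE.
has_option() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# dh_bits FILE: print the NNNN from a "dh .../dhNNNN.pem" line, or nothing.
dh_bits() {
    sed -n 's/^[[:space:]]*dh[[:space:]].*dh\([0-9][0-9]*\)\.pem.*$/\1/p' "$1"
}

# lint_server_conf FILE: print one finding per line; succeed only if none.
lint_server_conf() {
    conf=$1
    findings=0
    # Dropping to _openvpn needs persist-key/persist-tun, otherwise the
    # unprivileged daemon cannot re-read keys or re-open tun on a restart.
    if has_option "$conf" user; then
        for opt in persist-key persist-tun; do
            has_option "$conf" "$opt" || { echo "user set but $opt missing"; findings=$((findings + 1)); }
        done
    else
        echo "no 'user' option: openvpn keeps running as root"; findings=$((findings + 1))
    fi
    # via-env hands the client's password to the helper through its environment,
    # which OpenVPN only permits at script-security 3.
    if grep -Eq '^[[:space:]]*auth-user-pass-verify[[:space:]].*via-env' "$conf"; then
        grep -Eq '^[[:space:]]*script-security[[:space:]]+3' "$conf" \
            || { echo "via-env helper without 'script-security 3'"; findings=$((findings + 1)); }
    fi
    # Ignoring client certificates (either spelling of the option) is only
    # acceptable when a password check is configured in its place.
    if { has_option "$conf" client-cert-not-required \
         || grep -Eq '^[[:space:]]*verify-client-cert[[:space:]]+none' "$conf"; } \
       && ! has_option "$conf" auth-user-pass-verify; then
        echo "client certificates not required and no auth-user-pass-verify: no client authentication"
        findings=$((findings + 1))
    fi
    bits=$(dh_bits "$conf")
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "DH parameters are only $bits bits; regenerate with at least 2048"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# in_group GROUPFILE GROUP USER: succeed if USER is a member of GROUP.
# This is the membership test openvpn_bsdauth applies against _openvpnusers.
in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT

# Constructed: the guide's server.conf (with dh2048) and a weakened variant.
cat > "$WORK/server.conf" <<'EOF'
dev tun0
server 10.8.0.0 255.255.255.0
daemon
user _openvpn
dh /etc/openvpn/dh2048.pem
client-cert-not-required
username-as-common-name
script-security 3 system
auth-user-pass-verify /usr/local/libexec/openvpn_bsdauth via-env
persist-key
persist-tun
EOF
cat > "$WORK/weak.conf" <<'EOF'
dev tun0
user _openvpn
dh /etc/openvpn/dh1024.pem
client-cert-not-required
auth-user-pass-verify /usr/local/libexec/openvpn_bsdauth via-env
EOF
# Constructed group file carrying the guide's _openvpnusers line.
cat > "$WORK/group" <<'EOF'
wheel:*:0:root
_openvpnusers:*:596:lostd,dsp
EOF

for f in server.conf weak.conf; do
    echo "== $f"; lint_server_conf "$WORK/$f" && echo "ok"
done
for u in lostd dsp nobody; do
    in_group "$WORK/group" _openvpnusers "$u" && echo "$u may authenticate" || echo "$u is NOT in _openvpnusers"
done
```

Run it against the real files by pointing lint_server_conf at /etc/openvpn/server.conf and in_group at /etc/group; the weak.conf run shows the four findings the guide's option choices are designed to avoid (missing persist options, via-env without script-security 3, and 1024-bit DH).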
A sample client OpenVPN configuration that uses the service is
shown below, where ca.crt is the CA certificate:
client
dev tun0
remote catway
ca ca.crt
auth-user-pass
The server has the hostname catway, which by convention should be listed in the /etc/hosts file.
Cheers!
lostd@