ctx->guides->openvpn

Configuring an OpenVPN proxy on OpenBSD

First of all install the needed tools:

$ pkg_add openvpn openvpn_bsdauth

Now create a minimal PKI (Public Key Infrastructure), consisting of a CA (Certificate Authority) and the server certificate. You could also create client certificates, but here the clients will use password-based authentication instead. The easiest way to build the PKI is with the easy-rsa scripts, found in /usr/local/share/examples/openvpn/easy-rsa/1.0/. Simply copy the whole directory into your home directory in order to work on it. Edit the vars file to match your site, then run the following:

$ . vars
$ ./build-ca
$ ./build-key-server server
$ ./build-dh

All generated keys and certificates are put in the keys/ subdirectory. The configuration below references them under /etc/openvpn, so copy them there (or adjust the paths to match). Put the following in your /etc/openvpn/server.conf:

# net
dev tun0
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"

# system
daemon
user _openvpn
status /var/log/openvpn
verb 3

# keys
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem

# auth
client-cert-not-required
username-as-common-name
script-security 3 system
auth-user-pass-verify /usr/local/libexec/openvpn_bsdauth via-env

# misc
duplicate-cn
persist-key
persist-tun
keepalive 10 120

Add this line to your /etc/pf.conf to perform NAT for the VPN clients, where em0 is your external interface:

pass out on em0 from 10.8.0.0/24 to any nat-to (em0)

Enable IP packet forwarding permanently in /etc/sysctl.conf, or immediately with:

$ sysctl net.inet.ip.forwarding=1

Add all users that need to authenticate to the _openvpnusers group by editing /etc/group, for example:

_openvpnusers:*:596:lostd,dsp

Finally, to start the service automatically at boot, create /etc/hostname.tun0 with the following contents:

up
!/usr/local/sbin/openvpn /etc/openvpn/server.conf
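As an added check that is not part of the original guide, here is a small sh function that verifies a server.conf is consistent with the password-based setup above: every auth directive is present, the CA, certificate, key and DH files it references exist, and the private key is not world-readable. It assumes the directive names exactly as written in the config above.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity-check an
# OpenVPN server.conf that uses the password-based client auth set up
# above. Because no client certificates are issued, the auth directives
# are what actually authenticates a client, so each must be present,
# every referenced key file must exist, and the private key must not be
# readable by other users.

# has_directive CONF NAME [VALUE]: succeed if NAME (with VALUE, when
# given) is set on a line of its own in CONF.
has_directive() {
    if [ -n "$3" ]; then
        grep -Eq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"
    else
        grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
    fi
}

# check_server_conf CONF: return 0 if CONF is consistent with the setup
# described in this guide; print one line per problem and return 1
# otherwise.
check_server_conf() {
    conf=$1
    rc=0
    # Directives the password-based setup depends on (taken from the
    # config above); "user _openvpn" makes the daemon drop privileges.
    for d in "user _openvpn" client-cert-not-required \
             username-as-common-name script-security \
             auth-user-pass-verify; do
        # $d is deliberately unquoted so "user _openvpn" splits into
        # the NAME and VALUE arguments of has_directive.
        has_directive "$conf" $d || { echo "missing directive: $d"; rc=1; }
    done
    # Every file referenced by ca/cert/key/dh has to exist and be readable.
    for k in ca cert key dh; do
        f=$(awk -v k="$k" '$1 == k { print $2 }' "$conf")
        [ -n "$f" ] || { echo "missing directive: $k"; rc=1; continue; }
        [ -r "$f" ] || { echo "cannot read $k file: $f"; rc=1; continue; }
        # The private key is the secret; refuse a world-readable one.
        if [ "$k" = key ] && [ -n "$(find "$f" -perm -004)" ]; then
            echo "private key is world-readable: $f"; rc=1
        fi
    done
    return $rc
}
```

Run it as `check_server_conf /etc/openvpn/server.conf` after copying the keys into place and before starting the daemon.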

A sample client OpenVPN configuration that uses the service is shown below, where ca.crt is the CA certificate generated above:

client
dev tun0
remote catway
ca ca.crt
auth-user-pass

The server has the hostname catway, which by convention should be listed in the client's /etc/hosts file.

Cheers!

lostd@