divzeroweb

2f30.org website
git clone git://git.2f30.org/divzeroweb

openvpn.md (2341B)


### Configuring an OpenVPN proxy on OpenBSD

First of all install the needed tools:

    $ pkg_add openvpn openvpn_bsdauth

Now create a minimal PKI (Public Key Infrastructure),
comprising a CA (Certificate Authority) and the server
certificate.  You can also create client certificates, but we will
use password-based authentication for the clients here.
The easiest way to do this is to use the `easy-rsa` scripts.
You can find them in `/usr/local/share/examples/openvpn/easy-rsa/1.0/`.
Simply copy the whole directory into your home directory in order to work on it.
Edit the `vars` file to match your site and then run the following:

    $ . vars
    $ ./build-ca
    $ ./build-key-server server
    $ ./build-dh

All generated keys are put in the `keys/` subdirectory.
The configuration files below reference them, so copy them to the paths used there.
Put the following in your `/etc/openvpn/server.conf`:

    # net
    dev tun0
    server 10.8.0.0 255.255.255.0
    push "dhcp-option DNS 8.8.8.8"
    push "redirect-gateway def1"
    
    # system
    daemon
    user _openvpn
    status /var/log/openvpn
    verb 3
    
    # keys
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key
    dh /etc/openvpn/dh1024.pem
    
    # auth
    client-cert-not-required
    username-as-common-name
    script-security 3 system
    auth-user-pass-verify /usr/local/libexec/openvpn_bsdauth via-env
    
    # misc
    duplicate-cn
    persist-key
    persist-tun
    keepalive 10 120

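The server configuration above trades some hardening for simplicity (password-only clients, 1024-bit DH parameters, passwords handed to the auth script through the environment, shared usernames). The following POSIX sh checker is an added example, not part of the original page or of the divzeroweb repository: it reads a `server.conf`, strips comments, and prints one line per directive a reviewer would want to look at, with the sample input being a constructed copy of the configuration above written to a temporary file. The directive names are real OpenVPN options; the `1024` check is a filename heuristic and an assumption of this example.

```shell
#!/bin/sh
# Added example: review an OpenVPN server.conf for settings worth a second look.
# Not the page's or the project's code.

# Write the constructed sample (the page's server.conf) to the file named in $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# net
dev tun0
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
# system
daemon
user _openvpn
status /var/log/openvpn
verb 3
# keys
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
# auth
client-cert-not-required
username-as-common-name
script-security 3 system
auth-user-pass-verify /usr/local/libexec/openvpn_bsdauth via-env
# misc
duplicate-cn
persist-key
persist-tun
keepalive 10 120
EOF
}

# Print one finding per line for the config file named in $1. Always exits 0.
check_openvpn_conf() {
    conf=$1
    # Drop comments and blank lines so the checks below only see directives.
    body=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$conf")

    # Heuristic (assumption of this example): a DH file named ...1024... holds 1024-bit params.
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*dh[[:space:]].*1024'; then
        echo "dh: filename suggests 1024-bit DH parameters; 2048 bits or more is the usual minimum today"
    fi
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*client-cert-not-required'; then
        echo "client-cert-not-required: the password is the only client credential (deprecated since OpenVPN 2.4 in favour of 'verify-client-cert none')"
    fi
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*script-security[[:space:]]+3'; then
        echo "script-security 3: user passwords reach the auth script via environment variables, which the OpenVPN manual marks as potentially unsafe"
    fi
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*(tls-auth|tls-crypt)[[:space:]]'; then
        echo "no tls-auth/tls-crypt: the TLS control channel accepts handshakes from anyone who can reach the port"
    fi
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*duplicate-cn'; then
        echo "duplicate-cn: several clients may share one username, so per-user accounting and lockout are weaker"
    fi
    return 0
}

# Number of findings for the config file named in $1 (useful for scripting a threshold).
count_findings() {
    check_openvpn_conf "$1" | awk 'END { print NR }'
}

# Stand-alone run: check the constructed sample and print the findings.
sample=$(mktemp)
write_sample_conf "$sample"
check_openvpn_conf "$sample"
echo "findings: $(count_findings "$sample")"
rm -f "$sample"
```

Run it as `sh check.sh`; to review a live configuration instead, call `check_openvpn_conf /etc/openvpn/server.conf` after sourcing the file. Each finding names the directive so it can be matched back to the configuration above.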
Add this line to your `/etc/pf.conf` to perform NAT,
where `em0` is your external interface:

    pass out on em0 from 10.8.0.0/24 to any nat-to (em0)

Enable IP packet forwarding in `/etc/sysctl.conf`, or immediately with:

    $ sysctl net.inet.ip.forwarding=1

Add all users that need to authenticate to the `_openvpnusers` group
by altering `/etc/group`:

    _openvpnusers:*:596:lostd,dsp

Finally, to start the service automatically at boot, create the `/etc/hostname.tun0`
file with the following contents:

    up
    !/usr/local/sbin/openvpn /etc/openvpn/server.conf

A sample client OpenVPN configuration that uses the service is
shown below, where `ca.crt` is the CA certificate:

    client
    dev tun0
    remote catway
    ca ca.crt
    auth-user-pass

The server has the hostname `catway`, which by convention should be
resolvable through the `/etc/hosts` file.

Cheers!

lostd@