############
#Disclaimer
############
This tutorial is the way that I got OpenVPN to work on OpenBSD. I am not saying that this method will definitely work for you, so keep that in mind when going through it.
First, install OpenVPN from the OpenBSD ports tree, which is straightforward:
1. cd /usr/ports/net/openvpn
2. make && make install
3. cd /usr/local/share/examples/openvpn/easy-rsa/1.0
(Don't bother with the 2.0 directory; I spent a good 3 days hacking around with the scripts and config files there only to find they just don't work. A big thank you goes to BasketCase on #openvpn on Freenode for pointing me in the right direction at this point.)
4. vi vars and set the last 6 exports to your liking
KEY_SIZE
KEY_COUNTRY
KEY_PROVINCE
KEY_CITY
KEY_ORG
KEY_EMAIL
The default KEY_SIZE (1024 in easy-rsa 1.0) works, but set it to 2048: 1024-bit RSA is no longer considered adequate, and the size also decides the name of the Diffie-Hellman file generated below (dh1024.pem or dh2048.pem), which server.conf has to point at.
5. source the vars file
. ./vars
6. ./clean-all
7. Build the Certificate Authority cert if you're self-signing (i.e. not using Thawte, VeriSign etc.). Everything that follows assumes you are.
./build-ca
8. Build your Diffie-Hellman parameters file
./build-dh
9. Build your server key. Pay attention here: this is your server/endpoint key pair, and the name you pass becomes the file name (server.crt and server.key below), which is what the sample server.conf expects.
./build-key-server server
10. mkdir -p /etc/openvpn/private
11. cd /etc/openvpn/private
12. cp /usr/local/share/examples/openvpn/easy-rsa/1.0/keys/* .
(This also copies ca.key. The CA private key is only needed to sign new client certificates, so once the server is working keep it somewhere safer and delete it from the server; a compromised VPN host should not be able to mint client certs.)
13. mv *.crt ../
14. openvpn --genkey --secret ta.key
15. cd ../ && chmod -R 700 *
16. cp /usr/local/share/examples/openvpn/sample-config-files/server.conf .
17. vi server.conf to your liking. At a minimum:
change dev tun to dev tun0 (name the tun device explicitly on OpenBSD)
provide explicit, absolute paths for ca, cert, key and dh (and for ta.key); relative paths break once the daemon is started from rc.local rather than from /etc/openvpn
change server to an appropriate subnet and mask for your vpn clients
enable tls-auth (tls-auth /etc/openvpn/private/ta.key 0 on the server, key direction 1 on clients) so packets that don't carry the HMAC are dropped before they ever reach the TLS handshake
uncomment user and group, and keep persist-key and persist-tun enabled so the daemon can survive a restart after it has dropped privileges. Dropping privileges should be done without a second thought.
18. Test it all out.
openvpn --config server.conf
19. Add the following to /etc/rc.local. The --daemon flag matters: without it openvpn stays in the foreground and rc.local never finishes, so the rest of the boot hangs.
if [ -x /usr/local/sbin/openvpn ]; then
	echo -n ' openvpn'
	/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf > /dev/null 2>&1
fi
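The server.conf edits from steps 16-17 and the sanity checks worth running before you wire it into rc.local, as one added example script (my own, not part of the original tutorial). It assumes the layout built above: certificates moved to /etc/openvpn, keys and ta.key in /etc/openvpn/private, the server key built with the name "server", a DH file named after KEY_SIZE, and privileges dropping to user and group nobody. The 10.8.0.0/24 subnet and the mkconf.sh file name are placeholders.

```sh
#!/bin/sh
# Added example, not from the original tutorial: write the server.conf described
# in steps 16-17 and lint it for the settings that matter before rc.local starts it.
# Assumptions: certs in /etc/openvpn (step 13), keys and ta.key in
# /etc/openvpn/private, server key named "server", DH file dh$KEY_SIZE.pem,
# privileges drop to nobody/nobody. Adjust ETC and KEY_SIZE for your system.

ETC=${ETC:-/etc/openvpn}
KEY_SIZE=${KEY_SIZE:-2048}

# write_server_conf FILE [SUBNET] [NETMASK]
write_server_conf() {
    file=$1; subnet=${2:-10.8.0.0}; mask=${3:-255.255.255.0}
    cat > "$file" <<EOF
port 1194
proto udp
dev tun0
ca $ETC/ca.crt
cert $ETC/server.crt
key $ETC/private/server.key
dh $ETC/private/dh$KEY_SIZE.pem
tls-auth $ETC/private/ta.key 0
server $subnet $mask
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
verb 3
EOF
}

# lint_server_conf FILE: report each problem on stdout, return 1 if any were found
lint_server_conf() {
    file=$1; rc=0
    # name the tun device explicitly, as the tutorial does (dev tun0)
    grep -q '^dev tun[0-9]' "$file" || { echo "dev must name a tun device (dev tun0)"; rc=1; }
    # every file directive must be present and absolute: rc.local runs from /
    for d in ca cert key dh tls-auth; do
        p=$(awk -v d="$d" '$1 == d { print $2 }' "$file")
        case $p in
            /*) ;;
            "") echo "missing $d directive"; rc=1 ;;
            *)  echo "$d path '$p' is relative; use an absolute path"; rc=1 ;;
        esac
    done
    # drop root after startup; persist-key/persist-tun let the daemon restart afterwards
    for d in user group persist-key persist-tun; do
        grep -q "^$d" "$file" || { echo "$d not set"; rc=1; }
    done
    return $rc
}

# Usage: sh mkconf.sh write /etc/openvpn/server.conf 10.8.0.0 255.255.255.0
#        sh mkconf.sh lint /etc/openvpn/server.conf
case ${1:-} in
    write) write_server_conf "$2" "$3" "$4" && lint_server_conf "$2" ;;
    lint)  lint_server_conf "$2" ;;
esac
```

Run the lint against any hand-edited server.conf as well; the checks it makes (absolute paths, tls-auth present, user/group set with persist-key and persist-tun) are exactly the ones that fail silently when the daemon is started from rc.local as root and then drops privileges.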
That gets the server up and running.
I hope you find this tutorial helpful, and if you run into trouble after reading this guide, remember: Google first :)