Saturday, November 27, 2010

Configuring Openvpn on Openbsd4.8

I'm in the process of setting up my virtual test network, starting with my OpenBSD firewall running OpenVPN. This is a quick tutorial on how to set up and configure OpenVPN on OpenBSD 4.8 (or any other version of OpenBSD). I'm not going to get into the details of how to install and configure OpenBSD; the OpenBSD crew has great documentation on installing and configuring the OS at http://openbsd.org/. OK, now that that is out of the way, let's get started on installing and configuring OpenVPN, shall we?

############
#Disclaimer
############

This tutorial is the way that I got OpenVPN to work on OpenBSD. I am not saying that this method will definitely work for you, so keep that in mind when going through this tutorial.

First, let's install OpenVPN from the OpenBSD ports tree, which is pretty simple:

1. cd /usr/ports/net/openvpn

2. make && make install

3. cd /usr/local/share/examples/openvpn/easy-rsa/1.0

(Don't bother with the 2.0 directory. I spent a good 3 days hacking around with the scripts and config files there only to find they just don't work. A big thank you goes to BasketCase on #openvpn on Freenode for pointing me in the right direction at this point.)

4. vi vars and set the last six exports to your liking:

KEY_SIZE
KEY_COUNTRY
KEY_PROVINCE
KEY_CITY
KEY_ORG
KEY_EMAIL

The default KEY_SIZE is okay, but if you’re paranoid you can set it to 2048.

5. source the vars file

. ./vars

6. ./clean-all

7. Build the Certificate Authority cert if you're self-signing (i.e. not using Thawte, VeriSign, etc.)

./build-ca

8. Build your Diffie-Hellman PEM file

./build-dh

9. Build your server key. Pay attention here: this is your server/endpoint key pair.

./build-key-server

10. mkdir -p /etc/openvpn/private

11. cd /etc/openvpn/private

12. cp /usr/local/share/examples/openvpn/easy-rsa/1.0/keys/* .

13. mv *.crt ../

14. openvpn --genkey --secret ta.key

15. cd ../ && chmod -R 700 *

16. cp /usr/local/share/examples/openvpn/sample-config-files/server.conf .

17. vi server.conf to your liking. At a minimum:

change dev tun to dev tun0

provide explicit (absolute) paths for ca, cert, key and dh

change server to an appropriate subnet and mask for your VPN clients

enable tls-auth, pointing it at the ta.key generated in step 14

uncomment user and group. Dropping privileges should be done without a second thought.

18. Test it all out.

openvpn --config server.conf


19. Add the following to /etc/rc.local

if [ -x /usr/local/sbin/openvpn ]; then
        echo -n ' openvpn '
        # --daemon keeps rc.local from blocking at boot unless server.conf already sets "daemon"
        /usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf > /dev/null 2>&1
fi

That gets the server up and running.
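As an added check, not part of the original post, the following sh script verifies that a finished install matches what steps 15 and 17 above intend: nothing under private/ is group- or world-accessible, and server.conf has dev tun0, tls-auth, user and group active with absolute paths for ca, cert, key and dh. It assumes the tutorial's layout (server.conf and the *.crt files in /etc/openvpn, the server key, DH parameters and ta.key in /etc/openvpn/private); the directive names are OpenVPN's own, while the script's function names and the directory argument are this example's.

```shell
#!/bin/sh
# Added post-install check for the layout built in steps 10-17 (not part of
# the original post). Assumes the tutorial's layout: server.conf and the
# *.crt files in /etc/openvpn, the server key, DH parameters and ta.key under
# /etc/openvpn/private. Directive names are OpenVPN's own; the function and
# argument names are this example's.

# Flag anything under <dir>/private that group or others can read or write.
# Step 15's chmod -R 700 should leave nothing for this to report.
check_private_perms() {
    dir=$1
    if [ ! -d "$dir/private" ]; then
        echo "missing directory: $dir/private"
        return 1
    fi
    loose=$(find "$dir/private" \( -perm -g+r -o -perm -g+w \
                                 -o -perm -o+r -o -perm -o+w \) ) || true
    if [ -n "$loose" ]; then
        echo "group/world-accessible under $dir/private:"
        printf '%s\n' "$loose"
        return 1
    fi
    return 0
}

# Verify the step 17 edits in a server.conf: dev tun0, tls-auth, user and
# group active (not commented out), and absolute paths for ca/cert/key/dh.
# Prints one line per finding; returns 1 if anything is wrong.
audit_server_conf() {
    conf=$1
    rc=0
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf"
        return 1
    fi
    # Drop comment lines (# or ;) so a commented-out directive does not count.
    active=$(grep -v '^[[:space:]]*[#;]' "$conf") || true
    for directive in "dev tun0" tls-auth user group; do
        if ! printf '%s\n' "$active" | grep -Eq "^[[:space:]]*$directive([[:space:]]|\$)"; then
            echo "missing or commented out: $directive"
            rc=1
        fi
    done
    for directive in ca cert key dh; do
        path=$(printf '%s\n' "$active" | awk -v d="$directive" '$1 == d { print $2; exit }')
        case $path in
            /*) ;;
            "") echo "missing: $directive"; rc=1 ;;
            *)  echo "relative path for $directive (use an explicit path): $path"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh openvpn-check.sh /etc/openvpn
if [ -n "$1" ]; then
    status=0
    audit_server_conf "$1/server.conf" || status=1
    check_private_perms "$1" || status=1
    [ "$status" -eq 0 ] && echo "OK: $1 matches steps 15 and 17"
    exit "$status"
fi
```

Run it as root after step 17 (sh openvpn-check.sh /etc/openvpn); a non-zero exit with the printed findings tells you which step to revisit before adding the rc.local entry.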


I hope you find this tutorial helpful, and if you run into trouble after reading this guide, remember: Google first :)
