OpenVPN server on NetBSD
The following notes will help you install and configure OpenVPN on a NetBSD server. This is how I can connect to my $HOME network from anywhere on the Internet.
Note that this install uses “bridge” mode, which gives the client an IP address on the same LAN segment as my servers.
Installation - server side
I used NetBSD 4.99.72/macppc and openvpn-2.1rc13nb2.
Copy the OpenVPN server configuration file template for further modification:
# cp -p /usr/pkg/share/examples/openvpn/config/server.conf /usr/pkg/etc/openvpn/
Generate the server’s certificate:
# cd /etc/openssl
# CN="tumfatig.net"
# openssl genrsa -out private/$CN.key 1024
# openssl req -new -key private/$CN.key -out crl/$CN.req
# openssl ca -in crl/$CN.req -out certs/$CN.pem
# cd /usr/pkg/etc/openvpn
# openssl dhparam -out dh1024.pem 1024
Generate the client’s certificate:
# cd /etc/openssl
# CN="jdoe"
# openssl req -days 3650 -nodes -new -newkey rsa:1024 -keyout private/$CN.key -out crl/$CN.csr
# openssl ca -days 3650 -out certs/$CN.crt -in crl/$CN.csr -md sha1
Configure the network interfaces:
# cat /etc/ifconfig.bridge0
!ifconfig tap0 create up
create
!brconfig $int add gem0 add tap0 up
up
Activate IP forwarding:
# sysctl -w net.inet.ip.forwarding=1
# cat /etc/sysctl.conf
net.inet.ip.forwarding=1
Configure OpenVPN:
# egrep -v "^#|^;|^$" /usr/pkg/etc/openvpn/server.conf
local 10.15.5.50
port-share 10.15.5.50 8443
port 443
proto tcp
dev tap0
ca /etc/openssl/certs/ca.pem
cert /etc/openssl/certs/tumfatig.net.pem
key /etc/openssl/private/tumfatig.net.key
dh dh1024.pem
ifconfig-pool-persist /tmp/ipp.txt
server-bridge 10.15.5.50 255.255.255.0 10.15.5.200 10.15.5.229
push "route 10.15.5.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 10.0.0.50"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /tmp/openvpn-status.log
verb 3
Configure the daemon to start at the server’s boot (add openvpn=YES to /etc/rc.conf and /usr/pkg/share/examples/rc.d/openvpn start to /etc/rc.local).
Check the daemon’s log to ensure it started OK:
OpenVPN 2.1_rc13 powerpc-netbsd [SSL] [LZO2] built on Mar 5 2009
...
Initialization Sequence Completed
Installation - client side
MS Windows client
Grab and install OpenVPN GUI.
Copy ca.pem, user.crt and user.key to C:\Program Files\OpenVPN\config.
Copy C:\Program Files\OpenVPN\sample-config\client.ovpn to C:\Program Files\OpenVPN\config.
Edit the file to access the OpenVPN gateway:
--- client.ovpn.orig 2006-04-05 09:13:26.000000000 +0200
+++ client.ovpn 2007-05-07 10:42:09.000000000 +0200
@@ -34,11 +34,11 @@
# UDP server? Use the same setting as
# on the server.
-;proto tcp
-proto udp
+proto tcp
+;proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
-remote my-server-1 1194
+remote tumfatig.net 83
;remote my-server-2 1194
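Review bot: `remote tumfatig.net 83` does not match the server configuration above, which listens on `port 443` (the Mac OS X profile below also uses 443); unless something in front of the server forwards 83 to 443, this client will not connect. This diff also leaves `dev tun` in place, whereas the server uses `dev tap0` with `server-bridge`; the Mac OS X diff below switches to `dev tap`, and this profile needs the same change.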
@@ -86,7 +86,7 @@
# for each client. A single ca
# file can be used for all clients.
-ca ca.crt
-cert client.crt
-key client.key
+ca ca.pem
+cert jdoe.crt
+key jdoe.key
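Review bot: `cert jdoe.crt` / `key jdoe.key` do not match the copy step above, which names `user.crt` and `user.key`; the server-side step generated `certs/jdoe.crt` and `private/jdoe.key`, so pick one name and use it in both places. `ca ca.pem` must be the CA certificate the server references as `/etc/openssl/certs/ca.pem`, not the server certificate `tumfatig.net.pem`.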
Mac OS X client
Grab and install Tunnelblick.
Copy ca.pem, user.crt and user.key to Library/openvpn/.
Edit the configuration file to access the OpenVPN gateway:
--- openvpn.conf.orig 2008-11-21 04:51:23.000000000 +0100
+++ openvpn.conf 2009-06-16 10:23:05.000000000 +0200
@@ -21,6 +21,6 @@
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
-;dev tap
-dev tun
+dev tap
+;dev tun
# Windows needs the TAP-Win32 adapter name
@@ -34,11 +34,11 @@
# UDP server? Use the same setting as
# on the server.
-;proto tcp
-proto udp
+proto tcp
+;proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
-remote my-server-1 1194
+remote www.tumfatig.net 443
;remote my-server-2 1194
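Review bot: `remote www.tumfatig.net 443` agrees with the server's `port 443` and `proto tcp`, unlike the Windows profile, which uses port 83. Note that the server certificate was issued for CN `tumfatig.net`, not `www.tumfatig.net`; OpenVPN 2.1 does not compare the `remote` hostname with the certificate CN on its own, so this still connects, but any name check added later must use the CN as issued.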
@@ -86,7 +86,7 @@
# for each client. A single ca
# file can be used for all clients.
-ca ca.crt
-cert client.crt
-key client.key
+ca ca.pem
+cert jdoe.crt
+key jdoe.key
# Verify server certificate by checking
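As an added check that is not part of the original post: a small Python script that parses the stripped server configuration above and a client profile, and flags the directives that must agree between the two ends (proto, the client's remote port against the server's port, tun versus tap). The two client profiles are constructed from the diffs above; the Windows one keeps the port 83 and dev tun values as that diff leaves them.

```python
# Added consistency check (not from the original post): compares an OpenVPN
# server.conf with a client profile on the directives that must agree, namely
# proto, the client's 'remote' port vs the server's 'port', and tun/tap
# device type (server-bridge implies tap). All configs here are constructed.

SERVER_CONF = """
port 443
proto tcp
dev tap0
server-bridge 10.15.5.50 255.255.255.0 10.15.5.200 10.15.5.229
"""
# Windows profile as its diff leaves it (port 83, dev tun) and Mac OS X profile.
CLIENT_WINDOWS = "client\ndev tun\nproto tcp\nremote tumfatig.net 83\nca ca.pem\ncert jdoe.crt\nkey jdoe.key\n"
CLIENT_MAC = "client\ndev tap\nproto tcp\nremote www.tumfatig.net 443\nca ca.pem\ncert jdoe.crt\nkey jdoe.key\n"

def parse(conf):
    """Map each directive to a list of its argument lists; skip '#', ';', blanks."""
    out = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            parts = line.split()
            out.setdefault(parts[0], []).append(parts[1:])
    return out

def arg(conf, directive, default):
    """First argument of a directive's first occurrence, or the default."""
    occurrences = conf.get(directive)
    return occurrences[0][0] if occurrences and occurrences[0] else default

def check(server_conf, client_conf):
    """Return a list of mismatches; an empty list means the two configs agree."""
    s, c = parse(server_conf), parse(client_conf)
    problems = []
    sproto, cproto = arg(s, "proto", "udp"), arg(c, "proto", "udp")
    if sproto.rstrip("46") != cproto.rstrip("46"):  # tolerate tcp4/udp6 forms
        problems.append(f"proto: server {sproto}, client {cproto}")
    sport = arg(s, "port", "1194")  # OpenVPN's default port
    for remote in c.get("remote", []):
        rport = remote[1] if len(remote) > 1 else "1194"
        if rport != sport:
            problems.append(f"remote {remote[0]} port {rport} != server port {sport}")
    sdev = "tap" if "server-bridge" in s or arg(s, "dev", "tun").startswith("tap") else "tun"
    cdev = "tap" if arg(c, "dev", "tun").startswith("tap") else "tun"
    if sdev != cdev:
        problems.append(f"dev: server {sdev}, client {cdev}")
    for d in ("ca", "cert", "key"):
        if d not in c:
            problems.append(f"client lacks '{d}' directive")
    return problems
```

Running `check(SERVER_CONF, CLIENT_WINDOWS)` reports the port and device mismatches, while the Mac OS X profile comes back clean.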
Source
OpenVPN 2.0 on OpenBSD: http://blog.innerewut.de/2005/7/4/openvpn-2-0-on-openbsd