
How To Setup OpenVPN Server in OpenBSD

Introduction:

OpenVPN Access Server is a full-featured SSL VPN software solution that accommodates a wide range of configurations, including secure and granular remote access to your internal network and/or your private cloud network resources and applications with fine-grained access control. OpenVPN Access Server features include:

  • A simple, web-based admin UI for configuration and management.
  • An easy-to-use, GUI-based OpenVPN client software package for Windows.
  • A client web server that automatically generates a client configuration file and can be used by various open-source OpenVPN client software for Windows, Mac, Linux, and other OS platforms, enabling interoperability with open-source OpenVPN client software.
  • Integration with existing authentication systems using RADIUS, LDAP, and PAM.

OpenVPN Access Server gives you the broad support and robust security of the OpenVPN open-source software project, coupled with the configuration and management tools needed to deploy the VPN solution easily and quickly.

Note that the steps below use the open-source OpenVPN package from OpenBSD ports together with its easy-rsa scripts, not Access Server: certificates are issued by hand and clients are configured with a plain .ovpn file, so the admin UI and client web server described above are not part of this setup.

Purpose:

To let a specific remote user reach files on the local network from outside the premises.

Installation

SERVER SIDE:

Operating System: OpenBSD 4.x

Install the openvpn package (pkg_add openvpn). It provides /usr/local/sbin/openvpn and the easy-rsa scripts under /usr/local/share/examples/openvpn used below.

Create the following directories and files and set their permissions. The daemon opens the log, status and address-pool files as root before it drops privileges (see "user nobody" in the configuration below), so the log directory only needs to be readable and searchable, not writable, by nobody.

# mkdir -p /etc/openvpn/keys
# mkdir -p /etc/openvpn/ccd
# mkdir -p /var/log/openvpn
# echo "up" > /etc/hostname.tun0
# chmod 640 /etc/hostname.tun0
# sh /etc/netstart tun0
# touch /var/log/openvpn/openvpn.log
# touch /var/log/openvpn/ipp.txt
# touch /var/log/openvpn/server-tcp.log
# chown root:nobody /var/log/openvpn/
# chmod 755 /var/log/openvpn/

Generate the CA and certificates

# cp -R /usr/local/share/examples/openvpn/easy-rsa ~
# cd ~/easy-rsa/1.0
# vi vars

Edit and save the following values in vars:

export KEY_COUNTRY="<country>"
export KEY_PROVINCE="<province>"
export KEY_CITY="<city>"
export KEY_ORG="<organization>"
export KEY_EMAIL="<admin email>"

vars also sets KEY_SIZE, which controls both the RSA key length and the Diffie-Hellman parameter size; the default of 1024 is what produces the dh1024.pem used below. 1024-bit RSA and DH are below today's minimum, so for a new deployment set KEY_SIZE=2048 and point the "dh" line in server.conf at the dh2048.pem that build-dh then produces.

Build the CA. Note that vars must be sourced (". ./vars"), not executed, and that clean-all wipes the keys directory, so run it only once when starting a fresh CA.

# . ./vars
# ./clean-all
# ./build-ca

Build the server certificate with build-key-server, not build-key: it marks the certificate with nsCertType=server, which lets clients check that they are talking to the server and not to another client that holds a certificate from the same CA.

# ./build-key-server server

Build the client certificate and the Diffie-Hellman parameters

# ./build-key client01
# ./build-dh

Copy the server-side files into place. Only ca.crt, the server certificate and the server key belong on the VPN server; ca.key stays in ~/easy-rsa/1.0/keys (or, better, on an offline machine), because whoever holds it can issue certificates the server will accept.

# cp keys/ca.crt /etc/openvpn/keys/
# cp keys/dh1024.pem /etc/openvpn/keys/
# cp keys/server.crt /etc/openvpn/keys/
# cp keys/server.key /etc/openvpn/keys/
# chmod 600 /etc/openvpn/keys/server.key

CLIENT SIDE:

Operating System: Windows XP or Higher

Download and install the OpenVPN client installer from http://openvpn.net/index.php/open-source/downloads.html

Configuration:


SERVER SIDE:

Create the OpenVPN server configuration file.

# vi /etc/openvpn/server.conf

port 1194
proto udp
dev tun0

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem

# VPN subnet; the server itself takes 10.10.0.1
server 10.10.0.0 255.255.255.0
# Absolute path: with --daemon and no --cd the process runs from /, so a
# relative "ccd" would be looked up as /ccd
client-config-dir /etc/openvpn/ccd

push "dhcp-option DNS <dns server ip>"
push "dhcp-option DNS <secondary dns server ip>"
push "dhcp-option DISABLE-NBT"
push "dhcp-option DOMAIN <internal domain>"
# Route to the office LAN that holds the files
push "route 192.168.0.0 255.255.255.0"
# Sends all client traffic through the VPN; the pf nat rule below must then
# translate it. Drop this line if clients only need the 192.168.0.0/24 route.
push "redirect-gateway def1"

keepalive 10 120
# Compression inside the tunnel leaks information about the plaintext
# through compression side channels; leave it out unless both ends need it
comp-lzo
# Required with user/group below: the unprivileged daemon cannot re-read the
# key or re-open tun0 on a SIGUSR1 restart
persist-key
persist-tun
status /var/log/openvpn/server-tcp.log
ifconfig-pool-persist /var/log/openvpn/ipp.txt
log-append /var/log/openvpn/openvpn.log
verb 4

# Lets VPN clients reach each other; not needed for the stated purpose
client-to-client
# Allows several clients to connect with the same certificate. That defeats
# per-user accountability in the status log; issue one certificate per user
# and remove this line.
duplicate-cn

# Drop root after start-up
user nobody
group nobody
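To catch the weak settings discussed in the comments above before the service goes live, here is an added example (not part of the tutorial or of OpenVPN): a POSIX sh linter that reads a server.conf and flags duplicate-cn, in-tunnel compression, a relative client-config-dir, a missing privilege drop or the persist-* options it depends on, 1024-bit DH parameters, and the absence of a tls-auth or tls-crypt control-channel key. The function name, the WARN output format and the constructed sample configuration in the demo are this example's own.

```shell
#!/bin/sh
# Added example (not part of the tutorial): lint an OpenVPN server.conf for
# the pitfalls discussed above.  Usage: lint_openvpn_conf FILE
# Prints one WARN line per finding; the return value is the number of findings.

# Directives with comments and leading blanks stripped, blank lines removed.
_directives() { sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$1" | grep -v '^$'; }

# Succeeds if some line of the config starts with directive $2.
_has() { _directives "$1" | awk -v d="$2" '$1 == d { f = 1 } END { exit !f }'; }

# Value (second word) of the first occurrence of directive $2, or empty.
_arg() { _directives "$1" | awk -v d="$2" '$1 == d { print $2; exit }'; }

lint_openvpn_conf() {
    conf=$1
    n=0
    warn() { echo "WARN $1"; n=$((n + 1)); }

    # duplicate-cn lets any number of clients share one certificate, so the
    # status log can no longer say which person connected.  One cert per user.
    if _has "$conf" duplicate-cn; then
        warn "duplicate-cn: issue one certificate per user and drop this"
    fi

    # Compression inside the tunnel exposes plaintext to compression side
    # channels (VORACLE) and buys little on modern links.
    if _has "$conf" comp-lzo || _has "$conf" compress; then
        warn "comp-lzo/compress: disable compression inside the tunnel"
    fi

    # --daemon without --cd changes directory to /, so a relative
    # client-config-dir is silently looked up in the wrong place.
    ccd=$(_arg "$conf" client-config-dir)
    case "$ccd" in
        "" | /*) ;;
        *) warn "client-config-dir $ccd is relative; use an absolute path" ;;
    esac

    # Drop root after start-up; persist-key/persist-tun are what let the
    # unprivileged daemon survive SIGUSR1 restarts.
    if ! _has "$conf" user || ! _has "$conf" group; then
        warn "no user/group: run the daemon as an unprivileged account"
    elif ! _has "$conf" persist-key || ! _has "$conf" persist-tun; then
        warn "user/group without persist-key and persist-tun: restarts will fail"
    fi

    # 1024-bit DH is below today's minimum; rebuild with KEY_SIZE=2048.
    dh=$(_arg "$conf" dh)
    case "$dh" in
        *dh512*|*dh1024*) warn "dh $dh: 1024-bit DH is too small, use 2048 bits or more" ;;
    esac

    # A control-channel HMAC key makes the server drop unauthenticated
    # packets before any TLS processing happens.
    if ! _has "$conf" tls-auth && ! _has "$conf" tls-crypt; then
        warn "no tls-auth/tls-crypt: add a control-channel HMAC key"
    fi

    return "$n"
}

# Demo: lint a constructed copy of the tutorial's server.conf (sample input).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
port 1194
proto udp
dev tun0
dh /etc/openvpn/keys/dh1024.pem
server 10.10.0.0 255.255.255.0
client-config-dir ccd
comp-lzo
persist-key
persist-tun
duplicate-cn
user nobody
group nobody
EOF
    lint_openvpn_conf "$tmp"
    echo "findings: $?"
    rm -f "$tmp"
fi
```

Run `sh lint.sh --demo` to see the five findings for the configuration as written above, or `lint_openvpn_conf /etc/openvpn/server.conf` against the live file; a return value of 0 means none of the checked pitfalls is present.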

Enable IP forwarding so the server routes between tun0 and the LAN. Add this to /etc/sysctl.conf so it survives a reboot:

net.inet.ip.forwarding=1

and apply it to the running kernel now:

# sysctl net.inet.ip.forwarding=1

Start OpenVPN every time the system boots. Add this to /etc/rc.local (the echo and the openvpn command are two separate lines):

if [ -x /usr/local/sbin/openvpn ]; then
        echo -n ' openvpn'
        /usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf >/dev/null 2>&1
fi

Append to your firewall rules in /etc/pf.conf. pf evaluates rules in order and "quick" stops at the first match, so the trailing block rule only catches what the pass rules did not. The table names below are illustrative (any names work as long as the rules use them consistently); the members are the VPN pool and the LAN used above.

if_ext="dc0"
if_tunnel="tun0"
table <vpn_clients> { 10.10.0.0/24 }
table <lan> { 192.168.0.0/24 }
scrub in

# Translate VPN client traffic leaving the external interface (needed once
# redirect-gateway sends all client traffic through the tunnel)
nat on $if_ext from <vpn_clients> to any -> $if_ext
# Only the OpenVPN port is reachable from the outside
pass in quick on $if_ext proto udp from any to $if_ext port 1194
pass in quick on $if_ext from <lan>
pass in quick on $if_tunnel from <vpn_clients> to any
block in log all

The "nat on" form is the pre-4.7 pf syntax; on OpenBSD 4.7 and later write it as "match out on $if_ext from <vpn_clients> to any nat-to ($if_ext)". Check the rules with pfctl -nf /etc/pf.conf before loading them with pfctl -f /etc/pf.conf.

CLIENT SIDE:

Copy the following files from the server's ~/easy-rsa/1.0/keys directory to the client, for example with WinSCP over SFTP. client01.key is the user's private key: it should travel only over an encrypted channel and only to that user's machine, and ca.key must never leave the CA. The OpenVPN client itself is downloaded from the OpenVPN website (see above).

ca.crt
client01.crt
client01.key

Create a file with a .ovpn extension, for example vpn-server.ovpn, in the OpenVPN config directory next to those three files, with the following content.

client
proto udp
dev tun
# remote <vpn.domain.com> 1194    <- use this form if the server has a DNS name
remote <public ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client01.crt
key client01.key
# Requires the server certificate to have been built with build-key-server;
# stops another client's certificate from being used to impersonate the server
ns-cert-type server
# Must match the server; remove it on both sides to run without compression
comp-lzo
verb 3
# Accept the server's packets from a new source address, e.g. after a NAT rebinding
float

References:

  • http://www.opensolutions101.com/openbsd-installation-configuration/openvpn-server-client-installation/
  • http://openvpn.net
