As promised, here are some more details about how I configured my OpenVPN server. The machine in question is running a recent build of FreeBSD, with ports installed. If you haven't used FreeBSD, you might want to consider it. It's a very easy-to-use, stable system (although if you've ever tried to run a serious Java application on it, you'll quickly become frustrated. FreeBSD + threads = headache, IMHO).
Installing OpenVPN on FreeBSD is as simple as this:
admin@max>cd /usr/ports/security/openvpn
admin@max>make install clean
And that's it. After a few minutes, I had a nice, clean installation of OpenVPN. Now to configure it.
In the FreeBSD world, configuration files are stored in /usr/local/etc/openvpn. So, I went there, and followed the instructions found here: http://openvpn.net/howto.html#config (Please note that the docs indicate helpful scripts for setting up keys etc. are in /usr/share/doc/openvpn, but in the BSD world they seem to be in /usr/local/share/doc/openvpn).
The only hiccup I ran into was that the docs give examples using the bash shell, and I tend to stick to tcsh. Not a big deal. I just ran these commands:
admin@max>pkg_add -r bash
admin@max>rehash
admin@max>exec bash
and I was in bash, where everything worked as the docs indicated. Simple enough.
Once I had all my certs set up, my final openvpn.conf file looked something like this:
[tcs@max] /usr/local/etc/openvpn> cat openvpn.conf
# Specify device
dev tun
proto udp
# Server and client IP and Pool
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Certificates for VPN Authentication
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
key /usr/local/etc/openvpn/server.key
dh /usr/local/etc/openvpn/dh1024.pem
# Routes to push to the client
push "route 10.10.132.0 255.255.255.0"
# route all traffic through vpn
push "redirect-gateway def1"
# Use compression on the VPN link
comp-lzo
push "dhcp-option DNS 10.10.132.123"
# Make the link more resistant to connection failures
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
# Run OpenVPN as a daemon and drop privileges to user/group nobody
user nobody
group nobody
daemon
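As an added check that is not part of the original post, here is a small Python audit that parses an openvpn.conf the way OpenVPN reads it (one directive per line, comment lines starting with # or ;) and flags the settings a reviewer would question: no user/group privilege drop, persist-key/persist-tun missing alongside a privilege drop, DH parameters below 2048 bits (inferred from the file name, which is an assumption), no tls-auth/tls-crypt control-channel HMAC, and comp-lzo. The embedded config is a constructed sample modelled on the one above, with the user nobody line lost into a comment as easily happens when pasting.

```python
"""Audit an openvpn.conf for privilege-drop and key-strength settings (added example)."""
import re

# Constructed sample: the 'user nobody' directive has been swallowed by the comment line.
SAMPLE_CONF = """\
dev tun
proto udp
server 10.8.0.0 255.255.255.0
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
key /usr/local/etc/openvpn/server.key
dh /usr/local/etc/openvpn/dh1024.pem
push "redirect-gateway def1"
comp-lzo
keepalive 10 60
persist-tun
persist-key
# Run OpenVPN as a daemon and drop privileges to user/group nobody user nobody
group nobody
daemon
"""

def parse_conf(text):
    """Map each directive to the list of its argument strings; '#' / ';' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return conf

def audit(text):
    """Return a list of (directive, finding) tuples; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    findings = []
    for d in ("user", "group"):
        if d not in conf:
            findings.append((d, "missing: the daemon keeps its starting privileges"))
    if ("user" in conf or "group" in conf) and not {"persist-key", "persist-tun"} <= conf.keys():
        findings.append(("persist-key/persist-tun", "needed so restarts still work after privileges are dropped"))
    for dh in conf.get("dh", []):
        m = re.search(r"dh(\d+)", dh)  # assumption: bit length is encoded in the file name
        if m and int(m.group(1)) < 2048:
            findings.append(("dh", f"{m.group(1)}-bit DH parameters are below the 2048-bit minimum"))
    if not ({"tls-auth", "tls-crypt"} & conf.keys()):
        findings.append(("tls-auth", "no control-channel HMAC; unauthenticated packets reach the TLS stack"))
    if "comp-lzo" in conf:
        findings.append(("comp-lzo", "compression over the tunnel is discouraged (VORACLE-style attacks)"))
    return findings

if __name__ == "__main__":
    for directive, msg in audit(SAMPLE_CONF):
        print(f"{directive}: {msg}")
```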
Finally, since I wanted to use my server as a gateway to my internal LAN, I had to change my pf.conf file (the firewall configuration). The relevant line looks like this:
# nat for vpn
nat on $int_if from $vpn_net to any -> ($int_if)
where $int_if is the interface device connected to the internal network, and $vpn_net is the subnet I've assigned to the VPN (10.8.0.0/24).
More on this, and on client configuration, when I have a bit more time.
Update: Part three is here.