Thursday, September 28, 2006

OpenVPN Server configuration

As promised, here are some more details about how I configured my OpenVPN server. The machine in question is running a recent build of FreeBSD, with ports installed. If you haven't used FreeBSD, you might want to consider it. It's a very easy to use, stable system (although if you've ever tried to run a serious Java application on it, you'll quickly become frustrated. FreeBSD + threads = headache, IMHO).

Installing OpenVPN on FreeBSD is as simple as this:

admin@max>cd /usr/ports/security/openvpn
admin@max>make install clean

And that's it. After a few minutes, I had a nice, clean installation of OpenVPN. Now to configure it.

In the FreeBSD world, configuration files are stored in /usr/local/etc/openvpn. So, I went there, and followed the instructions found here: (Please note that the docs indicate helpful scripts for setting up keys etc. are in /usr/share/doc/openvpn, but in the BSD world they seem to be in /usr/local/share/doc/openvpn).

The only hiccup I ran into was that the docs give examples using the bash shell, and I tend to stick to tcsh. Not a big deal. I just ran these commands:

admin@max>pkg_add -r bash
admin@max>exec bash

and I was in bash, where things all worked the docs indicated. Simple enough.

Once I had all my certs set up, my final openvpn.conf file looked something like this:

[tcs@max] /usr/local/etc/openvpn> cat openvpn.conf
# Specify device
dev tun
proto udp

# Server and client IP and Pool
ifconfig-pool-persist ipp.txt

# Certificates for VPN Authentication
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
key /usr/local/etc/openvpn/server.key
dh /usr/local/etc/openvpn/dh1024.pem

# Routes to push to the client
push "route"

# route all traffic through vpn
push "redirect-gateway def1"

# Use compression on the VPN link

push "dhcp-option DNS"

# Make the link more resistent to connection failures
keepalive 10 60

# Run OpenVPN as a daemon and drop privileges to user/group nobody user nobody
group nobody

Finally, since I wanted to use my server as a gateway to my internal LAN, I had to change my pf.conf file (the firewall configuration). The relevant line looks like this:

# nat for vpn
nat on $int_if from $vpn_net to any -> ($int_if)

where $inf_if is the interface device connected to the internal network, and $vpn_net is the subnet I've assigned to the VPN (

More on this, and on client configuration, when I have a bit more time.

Update: Part three is here.