OpenVPN

From securityrouter.org, an OpenBSD-based firewall

OpenVPN is open source SSL VPN software. Because it implements a custom security protocol (currently developed by a company called OpenVPN Technologies, Inc.) instead of a widely implemented standard, we have chosen not to include it in our suite of officially supported subsystems. Installing and running OpenVPN on your security router using root access is nevertheless fairly straightforward, although this is not officially supported.

Begin by installing Perl.

To have OpenVPN installed automatically, add the following to your /cfg/skel/rc.local

mount -uw /
pkg_add -D repair openvpn easy-rsa
mount -ur /
ln -s /cfg/skel/openvpn /etc/openvpn
cd /etc/openvpn/ && openvpn --daemon --config server.conf

To install it, along with the required certificates, run

pkg_add -D repair openvpn easy-rsa
cp -r /usr/local/share/easy-rsa easy
cd easy/
. ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
KEY_NAME=client1 ./pkitool client1
mkdir /cfg/skel/openvpn
ln -s /cfg/skel/openvpn/ /etc/openvpn
cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /etc/openvpn/server.conf
cp keys/ca.crt /etc/openvpn/ca.crt
cp keys/dh1024.pem /etc/openvpn/
cp keys/server.crt /etc/openvpn/
mkdir /etc/openvpn/private
cp keys/server.key /etc/openvpn/

and try starting it with

cd /etc/openvpn && openvpn --config server.conf

Client configuration

OpenVPN requires client software to be installed; clients are available for Linux, Windows, Mac, iPhone, Android and a few more platforms. To create a configuration file that works with the iPhone client, copy the text below into a file called whatever.ovpn

client
dev tun
proto udp
remote SERVERADDRESS 1194
nobind
ns-cert-type server
comp-lzo
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>

and populate it (replacing each ...) with the contents of keys/ca.crt, keys/client1.crt and keys/client1.key, which were generated during the server installation above.
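The following shell function assembles that inline client profile from the easy-rsa output, as an added example that is not part of the original page. It assumes the keys still sit in the easy/keys directory created during the server steps and that the client was built as client1; it copies only the PEM block of each file, since easy-rsa .crt files also carry a human-readable dump before the certificate.

```shell
#!/bin/sh
# Added example, not from the original page. Builds the inline .ovpn
# profile shown above from the easy-rsa keys directory.
set -eu

# emit_section TAG FILE: wrap the PEM block of FILE in <TAG>...</TAG>.
# Only the lines between the BEGIN/END markers are copied, and a file
# without a trailing newline still gets its closing tag on its own line.
emit_section() {
    printf '<%s>\n' "$1"
    sed -n '/^-----BEGIN/,/^-----END/p' "$2" | while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "$line"
    done
    printf '</%s>\n' "$1"
}

# build_ovpn SERVERADDRESS KEYDIR CLIENTNAME: print a complete client profile.
# Fails (exit 1) if any of the three required files is missing or empty.
build_ovpn() {
    server="$1"; keydir="$2"; name="$3"
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -s "$keydir/$f" ] || { echo "missing or empty: $keydir/$f" >&2; return 1; }
    done
    # Directives exactly as in the page's profile. ns-cert-type is what the
    # page uses; newer OpenVPN releases replaced it with "remote-cert-tls server".
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
nobind
ns-cert-type server
comp-lzo
EOF
    emit_section ca   "$keydir/ca.crt"
    emit_section cert "$keydir/$name.crt"
    emit_section key  "$keydir/$name.key"
}

# Usage: build_ovpn vpn.example.org /root/easy/keys client1 > client1.ovpn
```

The resulting file contains the client's private key, so transfer it to the device over a protected channel and delete any intermediate copies.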