mkdir -p /usr/local/etc/openvpn
cd /usr/local/etc/openvpn
touch openvpn.conf
cp -R /usr/local/share/doc/openvpn/easy-rsa .
[Edit the vars file to reflect your details. This will save you the trouble of having to type your organisation's details every time you generate a certificate. You may also need to change your shell to sh to execute the scripts. I also had to do a chmod +x * in that directory.]
. ./vars
./clean-all
./build-ca
[Generate Server Key named server1]
./build-key-server server1
[Generate Keys for clients, one per client common name, e.g. acerlaptop]
./build-key acerlaptop
[Generate Diffie-Hellman keys]
./build-dh
#The following keys have been copied from /usr/local/etc/openvpn/easy-rsa/2.0/keys
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem
Now edit openvpn.conf (on the server end) as follows. Substitute IP addresses as required.
[OpenVPN Server Config]
#Configuration of OpenVPN Server
port 1194
proto tcp
dev tun
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#Client specific settings, e.g. fixed IP addresses
client-config-dir ccd
#Allow clients to communicate with each other
client-to-client
push "route 192.168.0.0 255.255.0.0"
keepalive 60 120
comp-lzo
persist-key
persist-tun
status open-status.log
verb 3
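The client-config-dir directive above makes the server look for a file named after the connecting client's certificate common name (ccd/acerlaptop for the client generated earlier) and apply the directives in it, which is how a client gets a fixed address. The example below is added here and is not from the original page or the OpenVPN project: it builds those ccd files for the page's server 10.0.0.0 255.255.255.0 subnet, assuming dev tun with OpenVPN's default net30 topology, in which every client is handed a /30 (two usable addresses from a four-address block, with the first block reserved for the server itself). It also validates a hand-written pair, since 10.0.0.7/10.0.0.8 looks plausible but straddles two blocks and is rejected by the server.

```python
"""Per-client fixed addresses for OpenVPN's client-config-dir (ccd).

Added example, not part of the original page or the OpenVPN project.
Assumes `dev tun` with the default net30 topology: each client gets the
two usable hosts of one /30, and block 0 (10.0.0.1/10.0.0.2 for the
page's subnet) belongs to the server.
"""
import ipaddress
import os
import tempfile


def block_addresses(subnet, index):
    """Return the two usable addresses of /30 block `index` in `subnet`.
    Accepts "10.0.0.0/24" as well as the config's "10.0.0.0/255.255.255.0".
    Block 0 is the server's own, so client blocks start at 1."""
    net = ipaddress.ip_network(subnet, strict=True)
    if index < 1:
        raise ValueError("block 0 is the server's own /30")
    base = int(net.network_address) + 4 * index
    low, high = ipaddress.ip_address(base + 1), ipaddress.ip_address(base + 2)
    if high not in net:
        raise ValueError(f"/30 block {index} lies outside {subnet}")
    return str(low), str(high)


def valid_net30_pair(subnet, local, remote):
    """True when `local` and `remote` are the two usable hosts of the same
    /30 inside `subnet` and that /30 is not the server's block 0."""
    net = ipaddress.ip_network(subnet)
    a, b = int(ipaddress.ip_address(local)), int(ipaddress.ip_address(remote))
    base = int(net.network_address)
    if ipaddress.ip_address(a) not in net or ipaddress.ip_address(b) not in net:
        return False
    if (a - base) // 4 != (b - base) // 4 or (a - base) // 4 == 0:
        return False  # different blocks, or the server's own block
    return {(a - base) % 4, (b - base) % 4} == {1, 2}


def allocate_net30(subnet, names):
    """Assign successive /30 blocks to the given common names, in the order
    OpenVPN's own pool uses: client local .6 with remote endpoint .5, then
    .10/.9, and so on. Returns {name: (local, remote)}."""
    assigned = {}
    for index, name in enumerate(names, start=1):
        low, high = block_addresses(subnet, index)
        assigned[name] = (high, low)
    return assigned


def render_ccd(local, remote):
    """Contents of ccd/<common name>: applied when a client whose
    certificate carries that CN connects."""
    return f"ifconfig-push {local} {remote}\n"


def write_ccd(ccd_dir, subnet, names):
    """Write one file per client into ccd_dir and return the assignments.
    Each file name must equal the CN in that client's certificate."""
    os.makedirs(ccd_dir, exist_ok=True)
    assigned = allocate_net30(subnet, names)
    for name, (local, remote) in assigned.items():
        assert valid_net30_pair(subnet, local, remote)
        with open(os.path.join(ccd_dir, name), "w") as fh:
            fh.write(render_ccd(local, remote))
    return assigned


if __name__ == "__main__":
    # Constructed demo in a temporary directory; on the page's server the
    # directory is ccd under /usr/local/etc/openvpn.
    with tempfile.TemporaryDirectory() as tmp:
        for name in write_ccd(tmp, "10.0.0.0/255.255.255.0", ["acerlaptop", "desktop"]):
            with open(os.path.join(tmp, name)) as fh:
                print(f"ccd/{name}: {fh.read().strip()}")
```

A ccd entry overrides whatever ifconfig-pool-persist recorded in ipp.txt for that client, but it does not remove the address from the dynamic pool, so keep fixed addresses out of the range the pool is handing to other clients.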
Copy the generated client keys to /etc/openvpn/ on the client. You will need to copy, for example, acerlaptop.crt, acerlaptop.key and ca.crt, and reference them in the client's openvpn.conf as follows.
[OpenVPN Client Config]
#Configuration of OpenVPN Client
client
dev tun
proto tcp
#public IP address and port of VPN server
remote openvpn.dyndns.org 1194
nobind
persist-key
persist-tun
#client certificates
ca ca.crt
cert acerlaptop.crt
key acerlaptop.key
ns-cert-type server
comp-lzo
verb 3
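The one line in the client config that is easy to drop and hard to notice is ns-cert-type server: without it the client accepts any certificate signed by the CA as the server's, including a certificate issued to another client. The linter below is an added example, not code from the original page or the OpenVPN project; it embeds the page's two configs as strings, parses them the way OpenVPN reads a config file (comment lines, quoted arguments such as push "route ..."), reports missing directives, and checks that private-key files are owner-only. remote-cert-tls server is the newer name for the same check and is accepted as well; the key files used in the demo are constructed in a temporary directory.

```python
"""Lint OpenVPN server and client configs for the directives this page
relies on. Added example, not from the original page or the OpenVPN
project; the sample configs are the page's own, embedded as strings."""
import os
import shlex
import stat
import tempfile

SERVER_CONF = """\
port 1194
proto tcp
dev tun
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
client-to-client
push "route 192.168.0.0 255.255.0.0"
keepalive 60 120
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem
comp-lzo
persist-key
persist-tun
status open-status.log
verb 3
"""

CLIENT_CONF = """\
client
dev tun
proto tcp
remote openvpn.dyndns.org 1194
nobind
persist-key
persist-tun
ca ca.crt
cert acerlaptop.crt
key acerlaptop.key
ns-cert-type server
comp-lzo
verb 3
"""


def parse_config(text):
    """Return [(directive, [args]), ...]. Blank lines and lines starting with
    '#' or ';' are comments; arguments may be double-quoted."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives


def _missing(directives, required):
    present = {name for name, _ in directives}
    return [f"missing '{name}'" for name in required if name not in present]


def lint_server(text):
    """The server needs a VPN subnet plus the four pieces of TLS material
    easy-rsa produced: CA cert, server cert, server key, DH parameters."""
    return _missing(parse_config(text), ("dev", "server", "ca", "cert", "key", "dh"))


def lint_client(text):
    """Connection and certificate directives, plus the server-certificate
    type check that stops another client's cert from posing as the server."""
    d = parse_config(text)
    issues = _missing(d, ("client", "dev", "remote", "ca", "cert", "key"))
    verifies_server = any(
        name in ("ns-cert-type", "remote-cert-tls") and args[:1] == ["server"]
        for name, args in d
    )
    if not verifies_server:
        issues.append("no 'ns-cert-type server' or 'remote-cert-tls server': "
                      "another client's certificate would be accepted as the server")
    return issues


def key_file_issues(path):
    """A private key readable by group or others undoes the certificate
    setup; report anything beyond owner-only access."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return [f"{path}: not found"]
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {stat.filemode(mode)} is not owner-only (chmod 600)"]
    return []


def demo_key_permissions():
    """Constructed keys in a temp dir, one world-readable and one owner-only.
    Returns (issues for the loose key, issues for the strict key)."""
    with tempfile.TemporaryDirectory() as tmp:
        loose, strict = os.path.join(tmp, "loose.key"), os.path.join(tmp, "strict.key")
        for path, mode in ((loose, 0o644), (strict, 0o600)):
            with open(path, "w") as fh:
                fh.write("-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n")
            os.chmod(path, mode)
        return key_file_issues(loose), key_file_issues(strict)


if __name__ == "__main__":
    print("server:", lint_server(SERVER_CONF) or "ok")
    print("client:", lint_client(CLIENT_CONF) or "ok")
    print("client without ns-cert-type:", lint_client(CLIENT_CONF.replace("ns-cert-type server\n", "")))
    print("key permissions:", demo_key_permissions())
```

Run it against the real files with lint_client(open("/etc/openvpn/openvpn.conf").read()) and key_file_issues on each key path the config names; the permission check matters most on the server, where server.key sits next to a world-readable ca.crt.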
Add the following in /etc/rc.conf on the server.
If not already present, also add the following knob in /etc/rc.conf to allow the server to route between your LAN and VPN subnets.
gateway_enable="YES"
Note: Some documentation proposes adding if_tun_load="YES" to /boot/loader.conf. I found that it is not necessary. OpenVPN will load the required device driver automatically. You can try adding it if OpenVPN fails to start, or load the driver on demand from a prompt by issuing kldload if_tun.
The OpenVPN documentation provides a more in-depth explanation. It can be viewed at http://openvpn.net/index.php/open-source/documentation/howto.html.