[Note: This post is a work in progress.]
[Install OpenVPN and copy the bundled easy-rsa 2.0 scripts into a working directory. pkg_add -r fetches the pre-built package; on FreeBSD 10 and later use pkg install openvpn instead.]
pkg_add -r openvpn
rehash
mkdir -p /usr/local/etc/openvpn
cd /usr/local/etc/openvpn
touch openvpn.conf
cp -R /usr/local/share/doc/openvpn/easy-rsa .
cd easy-rsa/2.0/
[Edit the vars file to reflect your details (KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL). This saves you the trouble of typing your organisation's details every time you generate a certificate. Consider also raising KEY_SIZE from its default of 1024 to 2048: 1024-bit RSA keys and DH parameters are no longer considered adequate, and the generated file names follow this value (dh2048.pem rather than the dh1024.pem used below). You may also need to change your shell to sh to execute the scripts. I also had to do a chmod +x * in that directory.]
. ./vars
./clean-all
./build-ca
[vars must be sourced (note the leading dot), not executed: it only exports variables such as KEY_DIR, and those have to reach the scripts that follow, so source it first in every new shell. ./clean-all deletes everything in KEY_DIR; run it once, before build-ca, and never again on a live CA. build-ca produces ca.crt and ca.key. ca.key is the root of trust for the whole VPN and is not needed by the running server, so keep it out of the directory the server's certificates will be copied to, and ideally off the VPN server altogether.]
[Generate the server certificate and key, named server1. Use build-key-server rather than build-key here: it adds the server extensions that the clients' ns-cert-type/remote-cert-tls check relies on.]
./build-key-server server1
[Generate a certificate and key for each client, one per machine, so that a single client can be revoked later without affecting the others]
./build-key hpserver
./build-key acerlaptop
[Generate the Diffie-Hellman parameters (a parameter file, not a key pair). This can take several minutes, and the output file is named after KEY_SIZE, e.g. dh1024.pem or dh2048.pem.]
./build-dh
The server needs the following four files, copied from /usr/local/etc/openvpn/easy-rsa/2.0/keys to /usr/local/etc/openvpn/keys. build-key-server server1 produces server1.crt and server1.key, so those are the names used here. Copy only these four: ca.key and the client keys stay behind. Restrict the private key (chmod 600 /usr/local/etc/openvpn/keys/server1.key) and check the chain with openssl verify -CAfile keys/ca.crt keys/server1.crt before going further.
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server1.crt
key /usr/local/etc/openvpn/keys/server1.key
dh /usr/local/etc/openvpn/keys/dh1024.pem
Now edit openvpn.conf on the server as follows, substituting IP addresses as required. The ca, cert, key and dh paths are relative to the directory openvpn is started in; if the daemon cannot find them, add a cd /usr/local/etc/openvpn line at the top of the file or use the absolute paths shown above.
[OpenVPN Server Config]
#Configuration of OpenVPN Server
port 1194
proto tcp #udp is OpenVPN's default and avoids TCP-over-TCP stalls; keep tcp only if udp is blocked, and use the same proto on the clients
dev tun
ca keys/ca.crt
cert keys/server1.crt
key keys/server1.key
dh keys/dh1024.pem
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd #Client specific settings, e.g. Fixed IP Addresses
client-to-client #Allow clients to communicate with each other; omit it if clients only need the LAN
push "route 192.168.0.0 255.255.0.0" #Your LAN behind the server; the netmask must match it
keepalive 60 120
comp-lzo #Compression; newer OpenVPN releases advise against it (VORACLE), and the clients must use the same setting
persist-key
persist-tun #together with persist-key, lets the daemon restart without root privileges if you later add user/group
status open-status.log
verb 3
Copy the generated client files to /etc/openvpn/ on the client. For acerlaptop, that is acerlaptop.crt, acerlaptop.key and ca.crt; each client receives only its own key, transferred over a secure channel such as scp, and never ca.key. Reference them in the client's openvpn.conf as follows.
[OpenVPN Client Config]
#Configuration of OpenVPN Client
client
dev tun
proto tcp #must match the server
remote openvpn.dyndns.org 1194 #public ip address and port of vpn server
nobind
persist-key
persist-tun
#client certificates
ca ca.crt
cert acerlaptop.crt
key acerlaptop.key
ns-cert-type server #rejects a client certificate presented as the server; deprecated in OpenVPN 2.4 and removed in 2.5, where remote-cert-tls server replaces it
comp-lzo #must match the server
verb 3
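As an added check, the Python script below (example code written for this post, not part of OpenVPN or the original article) audits the server and client configs above for the settings a security reviewer would flag and places each beside a hardened variant. All four configs are constructed: the post's own two, trimmed to the directives the audit inspects (certificate names aligned with the server1 key built above), and hardened versions that assume KEY_SIZE=2048 in vars (so build-dh wrote dh2048.pem), a shared HMAC key generated with openvpn --genkey --secret keys/ta.key and copied to every client, and an OpenVPN 2.4 or later client for remote-cert-tls. Carry over dev tun, the routing, pool and ccd directives and the logging options from the post's config unchanged.

```python
"""Flag weak settings in OpenVPN 2.x configs. Added example for this post,
not OpenVPN project code; all four configs below are constructed."""
import re

# The post's server config, trimmed to the directives the audit inspects
# (cert names follow the server1 key built with build-key-server above).
PAGE_SERVER_CONF = """\
port 1194
proto tcp
ca keys/ca.crt
cert keys/server1.crt
key keys/server1.key
dh keys/dh1024.pem
server 10.0.0.0 255.255.255.0
comp-lzo
"""

# Hardened variant. Assumes KEY_SIZE=2048 in vars (so build-dh wrote
# dh2048.pem) and a shared HMAC key from "openvpn --genkey --secret keys/ta.key".
HARDENED_SERVER_CONF = """\
port 1194
proto udp
cd /usr/local/etc/openvpn
ca keys/ca.crt
cert keys/server1.crt
key keys/server1.key
dh keys/dh2048.pem
tls-auth keys/ta.key 0
cipher AES-256-CBC
auth SHA256
server 10.0.0.0 255.255.255.0
user nobody
group nobody
persist-key
persist-tun
"""

# The post's client config, trimmed the same way.
PAGE_CLIENT_CONF = """\
client
proto tcp
remote openvpn.dyndns.org 1194
ca ca.crt
cert acerlaptop.crt
key acerlaptop.key
ns-cert-type server
comp-lzo
"""

# Hardened client: the same ta.key with direction 1, and the modern server-role check.
HARDENED_CLIENT_CONF = """\
client
proto udp
remote openvpn.dyndns.org 1194
ca ca.crt
cert acerlaptop.crt
key acerlaptop.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}


def parse(text):
    """Return [(directive, args)] with comments and blank lines dropped."""
    out = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            out.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return out


def audit(text):
    """Return the sorted finding codes for one server or client config."""
    parsed = parse(text)
    names = {name for name, _ in parsed}
    args = dict(parsed)
    is_server = "server" in names
    found = []
    if args.get("proto", "udp").startswith("tcp"):
        found.append("tcp")              # TCP-over-TCP stalls; udp unless it is blocked
    dh = re.search(r"dh(\d+)\.pem$", args.get("dh", ""))
    if is_server and args.get("dh") != "none" and (not dh or int(dh.group(1)) < 2048):
        found.append("weak-dh")          # 1024-bit DH is below today's minimum
    if not names & {"tls-auth", "tls-crypt"}:
        found.append("no-tls-auth")      # no HMAC gate in front of the TLS stack
    if args.get("cipher", "BF-CBC") in WEAK_CIPHERS:
        found.append("weak-cipher")      # old default BF-CBC: 64-bit blocks (SWEET32)
    if "comp-lzo" in names:
        found.append("compression")      # compression oracle (VORACLE)
    if is_server and not {"user", "group"} <= names:
        found.append("runs-as-root")     # daemon never drops root
    if "ns-cert-type" in names:
        found.append("ns-cert-type")     # deprecated in 2.4, removed in 2.5
    if not is_server and not names & {"ns-cert-type", "remote-cert-tls"}:
        found.append("no-server-check")  # any client cert could pose as the server
    return sorted(found)
```

Calling audit() on the post's server config returns compression, no-tls-auth, runs-as-root, tcp, weak-cipher and weak-dh; on the hardened one it returns nothing. Two cautions when adopting the hardened files: tls-auth takes direction 0 on the server and 1 on every client, and if they are mixed up the server discards the handshake packets as HMAC failures; and remote-cert-tls server checks the server certificate's extendedKeyUsage rather than the Netscape nsCertType attribute that ns-cert-type looks at, so confirm with openssl x509 -in keys/server1.crt -noout -text that the certificate shows TLS Web Server Authentication (which the easy-rsa 2.0 server extension is expected to set) before switching the clients over.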
[Auto-start openvpn]
Add the following in /etc/rc.conf on the server.
openvpn_enable="YES"
If not already present, also add the following knob in /etc/rc.conf to allow the server to route between your LAN and VPN subnets.
gateway_enable="YES"
Note: Some documentation proposes adding if_tun_load="YES" to /boot/loader.conf. I found that it is not necessary. OpenVPN will start the required device drivers automatically. You can try adding it if openvpn fails to start, or start the driver dynamically at a prompt by issuing kldload if_tun.
---
The OpenVPN documentation provides a more in-depth explanation. It can be viewed at: http://openvpn.net/index.php/open-source/documentation/howto.html.