OpenVPN server on NetBSD


The following notes will help you install and configure OpenVPN on a NetBSD server. This is how I can connect to my $HOME network from anywhere on the Internet.

Note that the install describes the “bridge” mode. This lets the client get an IP address on the same LAN segment as my servers.

Installation - server side

I used a NetBSD 4.99.72/macppc and openvpn-2.1rc13nb2.

Copy the OpenVPN server configuration file template for further modification:

# cp -p /usr/pkg/share/examples/openvpn/config/server.conf /usr/pkg/etc/openvpn/

Generate the server’s certificate:

# cd /etc/openssl
# CN="tumfatig.net"
# openssl genrsa -out private/$CN.key 1024
# openssl req -new -key private/$CN.key -out crl/$CN.req
# openssl ca -in crl/$CN.req -out certs/$CN.pem

# cd /usr/pkg/etc/openvpn
# openssl dhparam -out dh1024.pem 1024

Generate the client’s certificate:

# cd /etc/openssl
# CN="jdoe"
# openssl req -days 3650 -nodes -new -newkey rsa:1024 -keyout private/$CN.key -out crl/$CN.csr
# openssl ca -days 3650 -out certs/$CN.crt -in crl/$CN.csr -md sha1

Configure the network interfaces:

# cat /etc/ifconfig.bridge0
!ifconfig tap0 create up
create
!brconfig $int add gem0 add tap0 up
up

Activate IP forwarding (net.inet.ip.forwarding), now and at boot:

# sysctl -w net.inet.ip.forwarding=1
# cat /etc/sysctl.conf
net.inet.ip.forwarding=1

Configure OpenVPN:

# egrep -v "^#|^;|^$" /usr/pkg/etc/openvpn/server.conf
local 10.15.5.50
port-share 10.15.5.50 8443
port 443
proto tcp
dev tap0
ca /etc/openssl/certs/ca.pem
cert /etc/openssl/certs/tumfatig.net.pem
key /etc/openssl/private/tumfatig.net.key
dh dh1024.pem
ifconfig-pool-persist /tmp/ipp.txt
server-bridge 10.15.5.50 255.255.255.0 10.15.5.200 10.15.5.229
push "route 10.15.5.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 10.0.0.50"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /tmp/openvpn-status.log
verb 3

Configure the daemon to start at server’s boot (add openvpn=YES to /etc/rc.conf and /usr/pkg/share/examples/rc.d/openvpn start to /etc/rc.local).

Check the daemon’s log to ensure it started OK:

OpenVPN 2.1_rc13 powerpc-netbsd [SSL] [LZO2] built on Mar 5 2009
...
Initialization Sequence Completed
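As an added sanity check that is not part of the original post: a small Python linter for the bridge-mode server.conf above. It confirms that the server-bridge address pool sits inside the bridged LAN and does not overlap the gateway, that the local bind address is on that LAN, and flags state files kept under /tmp (the daemon drops to nobody, and /tmp is world-writable). The embedded config is a constructed copy of the directives shown above.

```python
import ipaddress

# Constructed sample: the directives from the bridge-mode server.conf above.
SERVER_CONF = """\
local 10.15.5.50
dev tap0
server-bridge 10.15.5.50 255.255.255.0 10.15.5.200 10.15.5.229
push "route 10.15.5.0 255.255.255.0"
push "redirect-gateway"
ifconfig-pool-persist /tmp/ipp.txt
status /tmp/openvpn-status.log
user nobody
group nobody
"""

def parse_conf(text):
    """Return {directive: [arg lists]}; repeated directives (push, ...) accumulate."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, *args = line.replace('"', "").split()
        conf.setdefault(name, []).append(args)
    return conf

def check_bridge_conf(text):
    """Return the problems found in a bridge-mode server.conf (empty list means OK)."""
    conf = parse_conf(text)
    if "server-bridge" not in conf:
        return ["no server-bridge directive: not a bridge-mode config"]
    gw, mask, start, end = conf["server-bridge"][0]
    lan = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)
    gw, start, end = (ipaddress.IPv4Address(a) for a in (gw, start, end))
    problems = []
    # Client addresses must be on the bridged LAN and must not include the gateway.
    if start not in lan or end not in lan:
        problems.append("pool range lies outside the bridged LAN")
    if start > end:
        problems.append("pool start comes after pool end")
    if start <= gw <= end:
        problems.append("pool range includes the gateway address")
    # The bind address should sit on the same LAN as the bridge gateway.
    for (local,) in conf.get("local", []):
        if ipaddress.IPv4Address(local) not in lan:
            problems.append(f"local {local} is not on the bridged LAN")
    # With 'user nobody' these files are written unprivileged into world-writable /tmp.
    for directive in ("ifconfig-pool-persist", "status"):
        for path, *_ in conf.get(directive, []):
            if path.startswith("/tmp/"):
                problems.append(f"{directive} keeps state in /tmp ({path})")
    return problems
```

Run against the config from this post it reports only the two /tmp locations; moving them under a directory writable by nobody alone (or running with a dedicated user) clears those.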

Installation - client side

MS Windows client

Grab and install OpenVPN GUI.

Copy ca.pem, user.crt and user.key to C:\Program Files\OpenVPN\config.

Copy C:\Program Files\OpenVPN\sample-config\client.ovpn to C:\Program Files\OpenVPN\config.

Edit the file to access the OpenVPN gateway:

--- client.ovpn.orig	2006-04-05 09:13:26.000000000 +0200
+++ client.ovpn	2007-05-07 10:42:09.000000000 +0200
@@ -34,11 +34,11 @@
 # UDP server?  Use the same setting as
 # on the server.
-;proto tcp
-proto udp
+proto tcp
+;proto udp

 # The hostname/IP and port of the server.
 # You can have multiple remote entries
 # to load balance between the servers.
-remote my-server-1 1194
+remote tumfatig.net 83
 ;remote my-server-2 1194

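Review bot: `+remote tumfatig.net 83` sends this client to port 83, while the server.conf above listens on `port 443` and the Mac OS X client below uses `remote www.tumfatig.net 443`; unless a port forward in front of the server maps 83 to 443, this line should read `remote tumfatig.net 443` so the two clients and the server agree.
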
@@ -86,7 +86,7 @@
 # for each client.  A single ca
 # file can be used for all clients.
-ca ca.crt
-cert client.crt
-key client.key
+ca ca.pem
+cert jdoe.crt
+key jdoe.key

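Review bot: `+cert jdoe.crt` and `+key jdoe.key` have to match the files actually placed in the config directory, but the copy step above names them user.crt and user.key; use the same names in both places (the client certificate was generated as jdoe.crt, so the copy step is the one to fix), and keep `+ca ca.pem` pointing at the same CA certificate the server.conf `ca` directive uses.
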
Mac OS X client

Grab and install Tunnelblick.

Copy ca.pem, user.crt and user.key to Library/openvpn/.

Edit the configuration file to access the OpenVPN gateway:

--- openvpn.conf.orig	2008-11-21 04:51:23.000000000 +0100
+++ openvpn.conf	2009-06-16 10:23:05.000000000 +0200
@@ -21,6 +21,6 @@
 # unless you partially or fully disable
 # the firewall for the TUN/TAP interface.
-;dev tap
-dev tun
+dev tap
+;dev tun

 # Windows needs the TAP-Win32 adapter name
@@ -34,11 +34,11 @@
 # UDP server?  Use the same setting as
 # on the server.
-;proto tcp
-proto udp
+proto tcp
+;proto udp

 # The hostname/IP and port of the server.
 # You can have multiple remote entries
 # to load balance between the servers.
-remote my-server-1 1194
+remote www.tumfatig.net 443
 ;remote my-server-2 1194

@@ -86,7 +86,7 @@
 # for each client.  A single ca
 # file can be used for all clients.
-ca ca.crt
-cert client.crt
-key client.key
+ca ca.pem
+cert jdoe.crt
+key jdoe.key

 # Verify server certificate by checking

Source

OpenVPN 2.0 on OpenBSD: http://blog.innerewut.de/2005/7/4/openvpn-2-0-on-openbsd