OpenVPN

Configure as Server

We store our keys in:

mkdir -p /usr/local/etc/openvpn/keys-server

Create a new PKI (the easyrsa commands that follow are run from the same directory, so they find it under ./pki without the --pki-dir option):

cd /usr/local/etc/openvpn/keys-server/
easyrsa --pki-dir=/usr/local/etc/openvpn/keys-server/pki init-pki

Create the CA key and certificate with:

easyrsa build-ca

Common Name (eg: your user, host, or server name) [Easy-RSA CA]: fechner.net

Notice

CA creation complete. Your new CA certificate is at:

  • /usr/local/etc/openvpn/keys-server/pki/ca.crt

Create DH params with:

easyrsa gen-dh

DH parameters of size 2048 created at:

  • /usr/local/etc/openvpn/keys-server/pki/dh.pem

Create server certificate with:

easyrsa build-server-full beta.fechner.net nopass

Notice

Certificate created at:

  • /usr/local/etc/openvpn/keys-server/pki/issued/beta.fechner.net.crt

Inline file created:

  • /usr/local/etc/openvpn/keys-server/pki/inline/beta.fechner.net.inline

Create your client certificate with:

easyrsa build-client-full idefix.fechner.net nopass

Notice

Certificate created at:

  • /usr/local/etc/openvpn/keys-server/pki/issued/idefix.fechner.net.crt

Inline file created:

  • /usr/local/etc/openvpn/keys-server/pki/inline/idefix.fechner.net.inline

Verify that both certificates chain to the CA with:

openssl verify -CAfile pki/ca.crt pki/issued/beta.fechner.net.crt
openssl verify -CAfile pki/ca.crt pki/issued/idefix.fechner.net.crt

Server config file (paths are relative to the --cd directory, /usr/local/etc/openvpn):

dev tun0
ca keys-server/pki/ca.crt
cert keys-server/pki/issued/beta.fechner.net.crt
key keys-server/pki/private/beta.fechner.net.key
dh keys-server/pki/dh.pem

# tunnel network; the server itself takes 192.168.200.1
server 192.168.200.0 255.255.255.0

# comp-lzo is deprecated since OpenVPN 2.4 and compression of TLS-protected
# traffic is best left off; if you drop it, drop it on the client as well
comp-lzo
# ping every 10 s, declare the peer dead after 60 s (pushed to clients too)
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
tun-mtu 1460
mssfix 1420
proto udp

Configure as client

Create the file /usr/local/etc/openvpn/idefix.ovpn (replace <server> with the hostname or address of the OpenVPN server):

client
remote <server>
proto udp
dev tun5
persist-key
persist-tun
tun-mtu 1460
mssfix 1420
resolv-retry infinite
nobind
# must match the server setting; deprecated since OpenVPN 2.4, remove on both sides if you can
comp-lzo
verb 1
mute 10

ca keys-fechner/ca.crt
cert keys-fechner/idefix.fechner.net.crt
key keys-fechner/idefix.fechner.net.key
# accept only a certificate issued for server use (easyrsa build-server-full
# sets that), so another client's certificate from the same CA cannot pose as the server
remote-cert-tls server

Copy these three files from the server to the client into the directory /usr/local/etc/openvpn/keys-fechner, over a secure channel such as scp. Copy nothing else from the PKI, in particular never the CA private key keys-server/pki/private/ca.key:

keys-server/pki/ca.crt
keys-server/pki/issued/idefix.fechner.net.crt
keys-server/pki/private/idefix.fechner.net.key

Make sure they are protected, on the client:

chmod 600 keys-fechner/*

and likewise for the private keys on the server:

chmod 600 keys-server/pki/private/*
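The configs above are enough to get a tunnel up, but a reviewer would still want to check three things before calling them done: that compression is off on both sides, that the control channel is protected with tls-crypt or tls-auth, and that the client pins the server role with remote-cert-tls. The following audit script is an added example and not part of this page or of OpenVPN; it embeds a copy of the client config above as constructed input, and the functions audit, harden, parse and demo_key_perms are mine. The --cd directory it takes for resolving key paths is an assumption, mirroring openvpn_dir in rc.conf; the same audit can be pointed at the server config.

```python
"""Added example (not from the original page): audit an OpenVPN config for
the weaknesses the settings on this page leave open, and emit a hardened copy.

The checks encode three standard OpenVPN hardening points:
  * comp-lzo / compress: deprecated since OpenVPN 2.4; keep compression off.
  * tls-crypt / tls-auth: without a pre-shared control-channel key the server
    answers a TLS handshake from anyone who can reach its UDP port.
  * remote-cert-tls server (client side): without it any certificate signed
    by the CA, including another client's, could impersonate the server.
Key-file permissions are checked relative to an assumed --cd directory.
"""
import os
import stat
import tempfile
from pathlib import Path

# The page's client config, embedded here as constructed input.
CLIENT_CONF = """\
client
remote <server>
proto udp
dev tun5
persist-key
persist-tun
tun-mtu 1460
mssfix 1420
resolv-retry infinite
nobind
comp-lzo
verb 1
mute 10

ca keys-fechner/ca.crt
cert keys-fechner/idefix.fechner.net.crt
key keys-fechner/idefix.fechner.net.key
"""

# directives whose argument is a secret file that must stay mode 0600
KEY_DIRECTIVES = ("key", "tls-auth", "tls-crypt", "tls-crypt-v2")


def parse(text):
    """Return [(directive, args)] for active lines; skips comment lines
    (starting with # or ;) and the body of <ca>...</ca> style inline blocks."""
    out, in_block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]
            continue
        parts = line.split()
        out.append((parts[0], parts[1:]))
    return out


def audit(text, base_dir=None):
    """Return a list of human-readable findings for one config file."""
    directives = parse(text)
    names = {d for d, _ in directives}
    findings = []
    if names & {"comp-lzo", "compress"}:
        findings.append("compression enabled (comp-lzo/compress): deprecated "
                        "since OpenVPN 2.4, remove it on both sides")
    if not names & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("no tls-auth/tls-crypt: control channel accepts a TLS "
                        "handshake from any source address")
    if "client" in names and "remote-cert-tls" not in names:
        findings.append("client lacks 'remote-cert-tls server': any CA-signed "
                        "certificate could impersonate the server")
    if base_dir is not None:
        for d, args in directives:
            if d in KEY_DIRECTIVES and args:
                path = Path(base_dir) / args[0]
                if not path.is_file():
                    findings.append(f"{d}: {args[0]} not found under {base_dir}")
                elif stat.S_IMODE(path.stat().st_mode) & 0o077:
                    findings.append(f"{d}: {args[0]} readable by group/other, "
                                    "chmod 600 it")
    return findings


def harden(text):
    """Drop compression and, for a client config, pin the server role."""
    kept = [l for l in text.splitlines()
            if l.split()[:1] not in (["comp-lzo"], ["compress"])]
    names = {d for d, _ in parse("\n".join(kept))}
    if "client" in names and "remote-cert-tls" not in names:
        kept.append("remote-cert-tls server")
    return "\n".join(kept) + "\n"


def demo_key_perms():
    """Run the permission check on a throwaway key file: first world-readable
    (as a plain copy often leaves it), then after chmod 600. Returns both
    finding lists. The temp directory stands in for the --cd directory."""
    base = Path(tempfile.mkdtemp())
    key = base / "keys-fechner" / "idefix.fechner.net.key"
    key.parent.mkdir()
    key.write_text("-----BEGIN PRIVATE KEY-----\n(dummy)\n-----END PRIVATE KEY-----\n")
    os.chmod(key, 0o644)
    before = audit(CLIENT_CONF, base)
    os.chmod(key, 0o600)
    after = audit(CLIENT_CONF, base)
    return before, after


if __name__ == "__main__":
    for f in audit(CLIENT_CONF, "/usr/local/etc/openvpn"):
        print("finding:", f)
    print(harden(CLIENT_CONF))
```

Run it on the real host as python3 audit.py from /usr/local/etc/openvpn; the missing tls-crypt finding stays until you generate a key with openvpn --genkey and reference it on both sides, which the script deliberately does not do for you because that key must be distributed like the client private key.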

Edit /etc/rc.conf:

openvpn_enable="YES"  # YES or NO
openvpn_if="tun"      # driver(s) to load, set to "tun", "tap" or "tun tap"
openvpn_flags=""      # openvpn command line flags
openvpn_configfile="/usr/local/etc/openvpn/idefix.ovpn"      # --config file
openvpn_dir="/usr/local/etc/openvpn"                          # --cd directory

Start the VPN connection now with /usr/local/etc/rc.d/openvpn start (or service openvpn start).

Check /var/log/messages for errors.