OpenVPN
Configure as Server
We store our keys in:
mkdir -p /usr/local/etc/openvpn/keys-server
Create a new PKI:
cd /usr/local/etc/openvpn/keys-server/
easyrsa --pki-dir=/usr/local/etc/openvpn/keys-server/pki init-pki
Create CA and keys with:
easyrsa build-ca
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: fechner.net
Notice
CA creation complete. Your new CA certificate is at:
- /usr/local/etc/openvpn/keys-server/pki/ca.crt
Create DH params with:
easyrsa gen-dh
DH parameters of size 2048 created at:
- /usr/local/etc/openvpn/keys-server/pki/dh.pem
Create server certificate with:
easyrsa build-server-full beta.fechner.net nopass
Notice
Certificate created at:
- /usr/local/etc/openvpn/keys-server/pki/issued/beta.fechner.net.crt
Inline file created:
- /usr/local/etc/openvpn/keys-server/pki/inline/beta.fechner.net.inline
Create your client certificate with:
easyrsa build-client-full idefix.fechner.net nopass
Notice
Certificate created at:
- /usr/local/etc/openvpn/keys-server/pki/issued/idefix.fechner.net.crt
Inline file created:
- /usr/local/etc/openvpn/keys-server/pki/inline/idefix.fechner.net.inline
Verify the certificates with:
openssl verify -CAfile pki/ca.crt pki/issued/beta.fechner.net.crt
openssl verify -CAfile pki/ca.crt pki/issued/idefix.fechner.net.crt
Server config file
dev tun0
ca keys-server/pki/ca.crt
cert keys-server/pki/issued/beta.fechner.net.crt
key keys-server/pki/private/beta.fechner.net.key
dh keys-server/pki/dh.pem
server 192.168.200.0 255.255.255.0
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
tun-mtu 1460
mssfix 1420
proto udp
Configure as client
Create a file /usr/local/etc/openvpn/idefix.ovpn:
client
remote <server>
proto udp
dev tun5
persist-key
persist-tun
tun-mtu 1460
mssfix 1420
resolv-retry infinite
nobind
comp-lzo
verb 1
mute 10
ca keys-fechner/ca.crt
cert keys-fechner/idefix.fechner.net.crt
key keys-fechner/idefix.fechner.net.key
Copy the key files from the server to the client, into the directory /usr/local/etc/openvpn/keys-fechner:
keys-server/pki/ca.crt
keys-server/pki/issued/idefix.fechner.net.crt
keys-server/pki/private/idefix.fechner.net.key
Make sure they are protected:
chmod 600 keys-fechner/*
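As an added example (not part of the original page), a small Python linter for a config such as the client file above: it parses the directives, checks that the ones the server and client configs here rely on are present, that the ca/cert/key files exist relative to the --cd directory, and that the private key is not group or world readable, i.e. that the chmod 600 step was actually done. The keys-fechner/ directory it builds under a temporary path, with placeholder file contents, is constructed for the demo.

```python
import tempfile
from pathlib import Path

FILE_DIRECTIVES = {"ca", "cert", "key", "dh"}    # arguments are paths relative to --cd
REQUIRED = {"dev", "proto", "ca", "cert", "key"}  # needed by both server and client

def parse_ovpn(text):
    """Return {directive: [args]}; '#' or ';' starts a comment (simplified: no quoting)."""
    conf = {}
    for line in text.splitlines():
        words = line.split("#", 1)[0].split(";", 1)[0].split()
        if words:
            conf[words[0]] = words[1:]
    return conf

def check_config(text, cd_dir):
    """List problems: missing directives, missing files, private key readable by others."""
    conf = parse_ovpn(text)
    needed = REQUIRED | ({"dh"} if "server" in conf else {"remote"})  # server vs. client
    problems = [f"missing directive: {d}" for d in sorted(needed - conf.keys())]
    for d in sorted(FILE_DIRECTIVES & conf.keys()):
        path = Path(cd_dir, conf[d][0])
        if not path.is_file():
            problems.append(f"{d}: no such file {conf[d][0]}")
        elif d == "key" and path.stat().st_mode & 0o077:   # group/other bits set
            problems.append(f"key: {conf[d][0]} is group/world readable, chmod 600 it")
    return problems

CLIENT_CONF = """client
remote <server>
proto udp
dev tun5
ca keys-fechner/ca.crt
cert keys-fechner/idefix.fechner.net.crt
key keys-fechner/idefix.fechner.net.key
"""

def demo():
    """Create keys-fechner/ with placeholder files under a temp --cd dir; lint before/after chmod 600."""
    cd_dir = tempfile.mkdtemp()
    files = [Path(cd_dir, parse_ovpn(CLIENT_CONF)[d][0]) for d in ("ca", "cert", "key")]
    for path in files:
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("placeholder content, constructed for the demo\n")
        path.chmod(0o644)                      # typical default after copying: world readable
    before = check_config(CLIENT_CONF, cd_dir)
    for path in files:                         # the page's "chmod 600 keys-fechner/*"
        path.chmod(0o600)
    after = check_config(CLIENT_CONF, cd_dir)
    return before, after
```

Run demo() to see the key-permission finding disappear once the files are chmod 600; point check_config() at the real /usr/local/etc/openvpn directory to lint the server file in the same way.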
Edit /etc/rc.conf:
openvpn_enable="YES" # YES or NO
openvpn_if="tun" # driver(s) to load, set to "tun", "tap" or "tun tap"
openvpn_flags="" # openvpn command line flags
openvpn_configfile="/usr/local/etc/openvpn/idefix.ovpn" # --config file
openvpn_dir="/usr/local/etc/openvpn" # --cd directory
Start the VPN connection now with /usr/local/etc/rc.d/openvpn start.
Check /var/log/messages for errors etc.