OpenBSD 5.5, 5.6, or 5.7 and OpenVPN with easyrsa3
When upgrading from 5.6 to 5.7, I had to add the following rules to the bottom of my pf.conf to allow for proper VPN pass-through. I do not know why it isn't being allowed through the match rule out egress, but that is what I encountered. This is for package OpenVPN 2.3.6 amd64.
/Begin Original post.
So I recently re-configured VPN (Virtual Private Network) services through a VPS (Virtual Private Server) using the newest version of OpenBSD and OpenVPN 2.3.2 with easyrsa3. I noticed that the documentation out there is pretty scattered when it comes to setting this up on the latest stable version of OpenBSD, and I wanted to help out some fellow users.
First install OpenVPN and git, and create the openvpn directory on the server:
pkg_add -v openvpn
pkg_add -v git
mkdir /etc/openvpn/
Next you need to clone the easyrsa3 repository from GitHub. You can clone this into your user directory.
git clone https://github.com/OpenVPN/easy-rsa.git
Next copy the easyrsa3 directory to /etc/openvpn/ (the clone above creates a directory named easy-rsa):
cp -R /home/user/easy-rsa/easyrsa3 /etc/openvpn/
Now we need to set up our certificate authority and generate certificates for our server and clients.
cd /etc/openvpn/easyrsa3/
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-dh
./easyrsa gen-req ServerName nopass
./easyrsa sign server ServerName
./easyrsa gen-req ClientName nopass
./easyrsa sign client ClientName
Copy the certificates to where they are needed on client and server. Make sure to copy ca.crt, as both the server and the clients use it. I usually just keep everything in /etc/openvpn on Unix clients as well as on the server.
Server config: /etc/openvpn/server.conf
local ip.of.your.server
port 443
proto tcp
dev tun0
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
server 10.69.69.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 18.104.22.168"
push "dhcp-option DNS 22.214.171.124"
keepalive 10 120
comp-lzo
max-clients 5
user _openvpn
group _openvpn
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 6
I run my VPN on its own IPv4 address on the HTTPS port to ensure I can obtain connectivity from virtually anywhere. The client can also be configured to go through a proxy server if need be.
Client config: /etc/openvpn/client.conf
client
dev tun
proto tcp
remote ip.of.your.server 443
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 6
This is just a simple setup. It gives client machines internet access through the VPN connection, and it gives the server access to the connected clients through the tun0 network as well, for things like SSH.
This is all that is needed for the OpenVPN configuration. The client config will work with both Unix and Windows clients, and probably OS X as well, though I have never tested it.
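As an added sanity check that is not part of the original post, the script below parses the two configs above (sample text constructed from the post, including the commented ";http-proxy" lines and the trailing "#" comment) and flags server/client mismatches that would silently break the tunnel, plus a server that does not drop privileges.

```python
"""Cross-check an OpenVPN server.conf against a client.conf."""
import shlex

# Constructed from the configs in the post; only the directives the check needs.
SERVER_CONF = """\
port 443
proto tcp
dev tun0
key server.key # This file should be kept secret
push "redirect-gateway def1"
comp-lzo
user _openvpn
group _openvpn
"""
CLIENT_CONF = """\
client
dev tun
proto tcp
remote ip.of.your.server 443
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
comp-lzo
"""

def parse(text):
    """Map directive -> list of argument lists; '#' and ';' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)  # drops trailing '# ...'
        if parts:
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def first(conf, key, default):
    return conf[key][0] if key in conf else default

def check(server, client):
    """Return human-readable findings; an empty list means the pair agrees."""
    findings = []
    if first(server, "proto", ["udp"]) != first(client, "proto", ["udp"]):
        findings.append("proto differs between server and client")
    sport = first(server, "port", ["1194"])[0]
    for remote in client.get("remote", []):
        cport = remote[1] if len(remote) > 1 else "1194"
        if cport != sport:
            findings.append(f"client connects to port {cport}, server listens on {sport}")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        findings.append("comp-lzo must be enabled on both sides or neither")
    if first(server, "dev", [""])[0][:3] != first(client, "dev", [""])[0][:3]:
        findings.append("dev type differs (tun vs tap)")
    for d in ("user", "group"):
        if first(server, d, ["root"])[0] in ("", "root"):
            findings.append(f"server keeps root privileges: no '{d}' directive")
    return findings
```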
Finally we must allow this traffic to be forwarded by enabling IPv4 forwarding:
Ensure net.inet.ip.forwarding is also set to "=1" in /etc/sysctl.conf so that forwarding survives a reboot.
Your pf.conf will need an entry:
match out on egress from 10.69.69.0/24 to any nat-to egress:0
Finally, create the hostname file for your tun0 interface so that openvpn starts when the interface comes up. On the server:
touch /etc/hostname.tun0
echo "!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf" >> /etc/hostname.tun0
And on an OpenBSD client:
touch /etc/hostname.tun0
echo "!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/client.conf" >> /etc/hostname.tun0
That's it. Once you have these things in place you will have a functional OpenVPN server / client setup on OpenBSD 5.5.