OpenBSD 5.5, 5.6, or 5.7 and OpenVPN with easyrsa3

When upgrading from 5.6 to 5.7, I had to add the following rules to the bottom of my pf.conf to allow proper VPN pass-through. I do not know why the traffic isn't being allowed through the `match out on egress` rule alone, but that is what I encountered. This is for the OpenVPN 2.3.6 amd64 package.

/Begin Original post.
So I recently re-configured VPN (Virtual Private Network) services through a VPS (Virtual Private Server) using the newest version of OpenBSD and OpenVPN 2.3.2 with easyrsa3. I noticed that the documentation out there is pretty scattered when it comes to setting this up on the latest stable version of OpenBSD, and wanted to help out some fellow users.
First install OpenVPN and git, and create the openvpn directory on the server:

pkg_add -v openvpn
pkg_add -v git
mkdir /etc/openvpn/

Next you need to clone the easyrsa3 repository from GitHub. You can clone this into your user directory.

git clone

Next, copy the easyrsa3 directory to /etc/openvpn/:

cp -R /home/user/easyrsa/easyrsa3 /etc/openvpn/

Now we need to set up our certificate authority and generate certificates for our server and clients:

cd /etc/openvpn/easyrsa3/
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-dh
./easyrsa gen-req ServerName nopass
./easyrsa sign server ServerName
./easyrsa gen-req ClientName nopass
./easyrsa sign client ClientName

Copy the certificates to where they are needed on the client and the server. Be sure to copy ca.crt, as both the server and the clients use it. I usually just keep everything in /etc/openvpn for Unix clients, as well as on the server.
Server config: /etc/openvpn/server.conf

local ip.of.your.server
port 443
proto tcp
dev tun0
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS"
push "dhcp-option DNS"
keepalive 10 120
max-clients 5
user _openvpn
group _openvpn
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
verb 6

I run my VPN on its own IPv4 address on the HTTPS port (443) to ensure I can obtain connectivity from virtually anywhere. The client can be configured to go through a proxy server if need be.
Client config: /etc/openvpn/client.conf

dev tun
proto tcp
remote ip.of.your.server 443
resolv-retry infinite
user nobody
group nobody
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
ca ca.crt
cert client.crt
key client.key
verb 6

This is just a simple setup. It gives client machines internet access through the VPN connection, and it also gives the server access to the connected clients over the tun0 network, for things like SSH.

This is all that is needed for the OpenVPN configuration. The client config will work with both Unix and Windows based clients, and probably OS X as well, but I never tested that.

Next, allow this traffic to be forwarded by enabling IPv4 forwarding:

sysctl net.inet.ip.forwarding=1

Also set net.inet.ip.forwarding=1 in /etc/sysctl.conf so the setting survives a reboot.

Your pf.conf will need an entry:

match out on egress from to any nat-to egress:0
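A fuller pf.conf fragment for the server side, added here as an example and not taken from the original post. It assumes the VPN address pool handed out on tun0 is 10.8.0.0/24 (a constructed value; match it to whatever your server directive uses) and that the public interface is in the egress group, which is the default on OpenBSD.

```pf
# /etc/pf.conf fragment (added example; 10.8.0.0/24 is a constructed VPN pool)
vpn_net = "10.8.0.0/24"

set skip on lo

# Default deny, then open only what the VPN needs.
block

# Host-originated traffic and forwarded traffic leaving on any interface.
pass out

# NAT the VPN clients out of the public address (the post's match rule,
# with the tun0 pool as the source).
match out on egress from $vpn_net to any nat-to egress:0

# OpenVPN itself: server.conf listens on TCP/443.
pass in on egress proto tcp to (egress) port 443

# Traffic arriving from clients over the tunnel: to the internet (then
# NATed by the match rule above) and to the server itself, e.g. SSH.
pass in on tun0 from $vpn_net to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`.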

Finally, create a hostname file for your tun0 interface so that OpenVPN starts when the interface is brought up. On the server:

touch /etc/hostname.tun0
echo "!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf" >> /etc/hostname.tun0

On a Unix client, the same file starts the client config instead:

touch /etc/hostname.tun0
echo "!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/client.conf" >> /etc/hostname.tun0

That's it. Once you have these things in place you will have a functional OpenVPN server / client setup on OpenBSD 5.5.