OpenBSD 7.1 + OpenVPN + Easy-RSA

uNdEr cOnStRuCtIoN

# pkg_add openvpn easy-rsa
# mkdir /etc/openvpn
# cp /usr/local/share/easy-rsa /etc/openvpn/easy-rsa
# cd /etc/openvpn/easy-rsa
# cp vars.example vars
# vi vars




What to tune:

At first set EASYRSA to a defined path like

set_var EASYRSA "/etc/openvpn/easy-rsa"

or you will earn some errors. Then edit the EASYRSA_REQ_* section and add your values.

Check the other stuff, tune it if you want.

Theres btw no need to change the openssl-easyrsa.cnf and there’s no need (like in earlier centuries) to source the vars file.

Tune the /etc/pf.conf:

match tag BLOCK
match out tag PASSmatch in on $ext_if proto { udp tcp } from any to $ext_if:0 port { 1194 } tag PASS
match in on $tun_if proto { tcp udp } from $NET_OVPN_0 to any tag PASS
match in on $tun_if proto icmp from $NET_OVPN_0 to any tag PASS
block log all tagged BLOCK
pass tagged PASS

NET_OVPN_0 ist the remote ip range you did define for your clients. (here 10.0.111.0/24)

Additionally you can insert some restrictions.

Create an /etc/openvpn/server.conf:

port 1194
proto udp
dev tun0
ca ca.crt
cert VPNGATE22.crt
key VPNGATE22.key # This file should be kept secret
dh dh.pem
server 10.0.111.0 255.255.255.0
ifconfig-pool-persist /tmp/ipp.txt
push "route 192.168.0.0 255.255.0.0"
push "dhcp-option DNS 192.168.100.2"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 1
management localhost 7505
status /var/log/openvpn.status.log 5
status-version 2
crl-verify /etc/openvpn/crl.pem

Create an /etc/sysctl.conf:

net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets

Create an /etc/rc.local:

/usr/local/sbin/openvpn --cd /etc/openvpn --daemon --script-security 2 --config /etc/openvpn/server.conf && echo "OpenVPN"

Do

# cd /etc/openvpn/easy-rsa
# ./easyrsa init-pki
# ./easyrsa build-ca
# ./easyrsa gen-crl
# ./easyrsa gen-dh
# ./easyrsa build-server-full YOUSERVERID nopass
# ./easyrsa build-client-full YOURCLIENT01

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.