Home

The net/openvpn port

openvpn-2.6.12 – easy-to-use, robust, and highly configurable VPN (cvsweb github mirror)

Description

OpenVPN is an easy-to-use, robust, highly configurable, cross-platform
VPN (Virtual Private Network) daemon which can be used to securely link
two or more private networks using an encrypted tunnel over the internet.

It can forward a tun(4) interface over a single UDP or TCP port with
support for NAT, dynamic endpoints, compression, fragmentation and keep-
alive. It uses OpenSSL's encryption, authentication, and certification
features, with static keys, certificates or TLS-based key exchange.

Flavors:
	mbedtls     - use mbedTLS instead of LibreSSL
WWW: https://openvpn.net/index.php/open-source/

Readme

+-----------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
+-----------------------------------------------------------------------

Compatibility with older OpenVPN releases
-----------------------------------------
OpenVPN 2.6 has compression disabled by default and may need
'--allow-compression asym' to work against a server which has
compression enabled.

Using the openvpn rc script
---------------------------

# rcctl enable openvpn
# rcctl set openvpn flags '--config /etc/openvpn/server.conf'

To handle multiple openvpn instances see EXAMPLES in rcctl(8).

Using an /etc/hostname.* file without persist-tun
-------------------------------------------------
OpenVPN normally re-creates the tun/tap interface at startup.
This has been reported to cause problems with some PF configurations
(especially with queueing), if you run into problems with this then
OpenVPN should be started from the hostname.* file, e.g.:

# cat << EOF > /etc/hostname.tun0
up
!LD_LIBRARY_PATH=${LOCALBASE}/lib:/usr/lib ${TRUEPREFIX}/sbin/openvpn \
    --daemon --config ${SYSCONFDIR}/openvpn/server.conf
EOF

(Or use hostname.tap0 for a layer-2 connection).

Using an /etc/hostname.* file with persist-tun
----------------------------------------------
When the persist-tun option is used, the tun(4) or tap(4) interface can
be configured before OpenVPN is started, just like any other interface.

The example below configures a point-to-point link between two sites
accross an OpenVPN tunnel. Site-1 has tunnel end point 10.1.1.1 and
local network 192.168.0.0/24. Site-2 has tunnel end point 10.1.1.2
and local network 192.168.1.1/24. The sites connect their local
networks via the tunnel.

Site-1:
# cat << EOF > /etc/hostname.tun0
inet 10.1.1.1 255.255.255.255 NONE
dest 10.1.1.2
!/sbin/route add -host 10.1.1.1 127.0.0.1
!/sbin/route add -net 192.168.1.1/24 10.1.1.2
EOF

Site-2:
# cat << EOF > /etc/hostname.tun0
inet 10.1.1.2 255.255.255.255 NONE
dest 10.1.1.1
!/sbin/route add -host 10.1.1.2 127.0.0.1
!/sbin/route add -net 192.168.0.0/24 10.1.1.1
EOF

In this case, there is no need to configure an IP address on the tun
interface from the OpenVPN configuration file. The tun interface will
become active when OpenVPN starts using it.

A suitable OpenVPN configuration file for site-1 might look as follows:

  daemon
  dev tun0
  persist-tun
  proto udp
  local site-1.example.com
  remote site-2.example.com
  secret /etc/openvpn/secret.key
  ping 10
  ping-restart 60

Running OpenVPN in chroot
-------------------------
OpenVPN can run as an unprivileged user inside chroot when the
persist-tun, persist-key, and persist-local-ip options are used.
Note that persist-local-ip requires that OpenVPN is listening on an
interface with a static IP address. To chroot OpenVPN, use the following
as part of your configuration file:

  persist-tun
  persist-key
  persist-local-ip
  user _openvpn
  group _openvpn
  chroot /var/empty

Maintainer

Jeremie Courreges-Anglas

Categories

net security

Library dependencies

Build dependencies

Test dependencies

Files

Search