91 lines
2.9 KiB
Text
91 lines
2.9 KiB
Text
|
+-----------------------------------------------------------------------
|
||
|
|
| Running ${PKGSTEM} on OpenBSD
|
||
|
|
+-----------------------------------------------------------------------
|
||
|
|
|
||
|
|
Compatibility with older OpenVPN releases
|
||
|
|
-----------------------------------------
|
||
|
|
OpenVPN 2.6 has compression disabled by default and may need
|
||
|
|
'--allow-compression asym' to work against a server which has
|
||
|
|
compression enabled.
|
||
|
|
|
||
|
|
Using the openvpn rc script
|
||
|
|
---------------------------
|
||
|
|
|
||
|
|
# rcctl enable openvpn
|
||
|
|
# rcctl set openvpn flags '--config /etc/openvpn/server.conf'
|
||
|
|
|
||
|
|
To handle multiple openvpn instances see EXAMPLES in rcctl(8).
|
||
|
|
|
||
|
|
Using an /etc/hostname.* file without persist-tun
|
||
|
|
-------------------------------------------------
|
||
|
|
OpenVPN normally re-creates the tun/tap interface at startup.
|
||
|
|
This has been reported to cause problems with some PF configurations
|
||
|
|
(especially with queueing), if you run into problems with this then
|
||
|
|
OpenVPN should be started from the hostname.* file, e.g.:
|
||
|
|
|
||
|
|
# cat << EOF > /etc/hostname.tun0
|
||
|
|
up
|
||
|
|
!LD_LIBRARY_PATH=${LOCALBASE}/lib:/usr/lib ${TRUEPREFIX}/sbin/openvpn \
|
||
|
|
--daemon --config ${SYSCONFDIR}/openvpn/server.conf
|
||
|
|
EOF
|
||
|
|
|
||
|
|
(Or use hostname.tap0 for a layer-2 connection).
|
||
|
|
|
||
|
|
Using an /etc/hostname.* file with persist-tun
|
||
|
|
----------------------------------------------
|
||
|
|
When the persist-tun option is used, the tun(4) or tap(4) interface can
|
||
|
|
be configured before OpenVPN is started, just like any other interface.
|
||
|
|
|
||
|
|
The example below configures a point-to-point link between two sites
|
||
|
|
accross an OpenVPN tunnel. Site-1 has tunnel end point 10.1.1.1 and
|
||
|
|
local network 192.168.0.0/24. Site-2 has tunnel end point 10.1.1.2
|
||
|
|
and local network 192.168.1.1/24. The sites connect their local
|
||
|
|
networks via the tunnel.
|
||
|
|
|
||
|
|
Site-1:
|
||
|
|
# cat << EOF > /etc/hostname.tun0
|
||
|
|
inet 10.1.1.1 255.255.255.255 NONE
|
||
|
|
dest 10.1.1.2
|
||
|
|
!/sbin/route add -host 10.1.1.1 127.0.0.1
|
||
|
|
!/sbin/route add -net 192.168.1.1/24 10.1.1.2
|
||
|
|
EOF
|
||
|
|
|
||
|
|
Site-2:
|
||
|
|
# cat << EOF > /etc/hostname.tun0
|
||
|
|
inet 10.1.1.2 255.255.255.255 NONE
|
||
|
|
dest 10.1.1.1
|
||
|
|
!/sbin/route add -host 10.1.1.2 127.0.0.1
|
||
|
|
!/sbin/route add -net 192.168.0.0/24 10.1.1.1
|
||
|
|
EOF
|
||
|
|
|
||
|
|
In this case, there is no need to configure an IP address on the tun
|
||
|
|
interface from the OpenVPN configuration file. The tun interface will
|
||
|
|
become active when OpenVPN starts using it.
|
||
|
|
|
||
|
|
A suitable OpenVPN configuration file for site-1 might look as follows:
|
||
|
|
|
||
|
|
daemon
|
||
|
|
dev tun0
|
||
|
|
persist-tun
|
||
|
|
proto udp
|
||
|
|
local site-1.example.com
|
||
|
|
remote site-2.example.com
|
||
|
|
secret /etc/openvpn/secret.key
|
||
|
|
ping 10
|
||
|
|
ping-restart 60
|
||
|
|
|
||
|
|
Running OpenVPN in chroot
|
||
|
|
-------------------------
|
||
|
|
OpenVPN can run as an unprivileged user inside chroot when the
|
||
|
|
persist-tun, persist-key, and persist-local-ip options are used.
|
||
|
|
Note that persist-local-ip requires that OpenVPN is listening on an
|
||
|
|
interface with a static IP address. To chroot OpenVPN, use the following
|
||
|
|
as part of your configuration file:
|
||
|
|
|
||
|
|
persist-tun
|
||
|
|
persist-key
|
||
|
|
persist-local-ip
|
||
|
|
user _openvpn
|
||
|
|
group _openvpn
|
||
|
|
chroot /var/empty
|