← Revision 6 as of 2023-04-06 16:30:19 ⇥
Line 2: | Line 2: |
'''`openvpn(8)`''' is an [[Protocols/IP|IP]] tunnel daemon primarily used to create a VPN. |
|
Line 11: | Line 13: |
Install the `openvpn` package from your package manager of choice. | Most [[Linux]] and [[BSD]] distributions offer a `openvpn` package. |
Line 42: | Line 44: |
Finally, set OpenVPN to run on startup be adding the below to `/etc/rc.conf`: | Finally, set `openvpn(8)` to run on startup be adding the below to `/etc/rc.conf`: |
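Review bot: the revised sentence on the right still reads "run on startup be adding"; "be" should be "by", and it is worth fixing while this line is being touched.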
Line 54: | Line 56: |
Create a configuration directory (such as `/etc/openvpn`) if one doesn't already exist. | Create a configuration directory (such as `/etc/openvpn/client`) if one doesn't already exist. |
Line 71: | Line 73: |
OpenVPN can be started manually with `openvpn --config /path/to/config/file --daemon`. | Start `openvpn(8)` with `openvpn --config /path/to/config/file --daemon`. |
Line 73: | Line 75: |
For `systemd`-capable systems, set OpenVPN to run persistently by [[Systemd|starting and enabling]] `openvpn-client@<config>`. Note that this will only work if... 1. Rename the corresponding config file to have a `.conf` file extension 2. Have installed the config file to `/etc/openvpn/client` |
If the configuration is installed to `etc/openvpn/client/my-client.conf`, for `systemd`-capable systems, [[Linux/Systemd|start and enable]] `openvpn-client@my-client`. |
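Review bot: the new sentence gives the path as `etc/openvpn/client/my-client.conf` without the leading slash; it should be `/etc/openvpn/client/my-client.conf`. The rewrite also drops both preconditions from the old text (the `.conf` file extension and installation under `/etc/openvpn/client`), so consider keeping a short clause saying that `openvpn-client@<config>` only works for a `<config>.conf` file in that directory.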
Line 123: | Line 122: |
---- == See also == [[https://man.archlinux.org/man/openvpn.8|openvpn(8)]] |
OpenVPN
openvpn(8) is an IP tunnel daemon primarily used to create a VPN.
Installation
Most Linux and BSD distributions offer an openvpn package.
Setup
FreeBSD
As the root user, create a configuration directory.
$ mkdir /usr/local/etc/openvpn
If using a commercial VPN, you will have to obtain from them:
- A configuration file
- A certificate and key pair
- An authentication login
Copy the relevant configuration (likely .conf or .ovpn), certificate (.crt), and key (.pem) files to the configuration directory. Create the authentication file with username and password on separate lines. Then edit the configuration file such that:
auth-user-pass /path/to/your/authentication/file
#this suppresses the caching of the password and user name
auth-nocache
Finally, set openvpn(8) to run on startup by adding the below to /etc/rc.conf:
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/vpn.conf"
Linux
Create a configuration directory (such as /etc/openvpn/client) if one doesn't already exist.
If using a commercial VPN, you will have to obtain from them:
- A configuration file
- A certificate and key pair
- An authentication login
Copy the relevant configuration (likely .conf or .ovpn), certificate (.crt), and key (.pem) files to the configuration directory. Create the authentication file with username and password on separate lines. Then edit the configuration file such that:
auth-user-pass /path/to/your/authentication/file
#this suppresses the caching of the password and user name
auth-nocache
Start openvpn(8) with openvpn --config /path/to/config/file --daemon.
On systemd-capable systems, if the configuration is installed to /etc/openvpn/client/my-client.conf, start and enable openvpn-client@my-client.
Configuration
Certificate and Key Pair
It is possible to embed the certificate and key pair in the configuration file. The traditional method of passing them as external files looks like:
ca /usr/local/etc/openvpn/ca.crt
crl-verify /usr/local/etc/openvpn/crl.pem
The new, embedded method looks like:
<crl-verify>
-----BEGIN X509 CRL-----
....
-----END X509 CRL-----
</crl-verify>
<ca>
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
</ca>
Authentication
For authentication information, it is best practice to store the username and password in an external file only accessible to the root user.
$ cat <<EOF >/usr/local/etc/openvpn/passwd
username
password
EOF
$ chmod 600 /usr/local/etc/openvpn/passwd
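To check that an installed client configuration actually follows the credential handling described above, the following audit script can be run against it. It is an added example, not part of the original page or of OpenVPN; the function names are hypothetical, it assumes auth-user-pass is given an absolute path as in the page's example, and it checks the file mode but not ownership.

```shell
#!/bin/sh
# Added example (not from the original page): audit how an OpenVPN client
# config handles stored credentials.

# Print a file's octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# audit_openvpn_auth CONFIG
# Prints one line per finding; returns 0 when every check passes, else 1.
# Assumes auth-user-pass is given an absolute path, as in the page's example.
audit_openvpn_auth() {
    conf=$1
    rc=0
    # First uncommented auth-user-pass directive and its file argument.
    authfile=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$conf")
    if [ -z "$authfile" ]; then
        echo "FAIL: no auth-user-pass file configured in $conf"
        return 1
    fi
    if [ ! -f "$authfile" ]; then
        echo "FAIL: $authfile does not exist"
        return 1
    fi
    # Only the owner may read the credentials (600, or read-only 400).
    mode=$(file_mode "$authfile")
    case $mode in
        600|400) ;;
        *) echo "FAIL: $authfile has mode $mode, expected 600"; rc=1 ;;
    esac
    # Username and password must sit on two separate non-empty lines.
    lines=$(awk 'NF { n++ } END { print n + 0 }' "$authfile")
    if [ "$lines" -ne 2 ]; then
        echo "FAIL: $authfile has $lines non-empty lines, expected 2"
        rc=1
    fi
    # auth-nocache is the directive the page uses to suppress caching.
    if ! grep -Eq '^[[:space:]]*auth-nocache([[:space:]]|$)' "$conf"; then
        echo "FAIL: auth-nocache is not set in $conf"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $conf"; fi
    return "$rc"
}

# Run against a config given on the command line, e.g. ./audit.sh vpn.conf
if [ "$#" -gt 0 ]; then audit_openvpn_auth "$1"; fi
```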