= OpenVPN =

'''`openvpn(8)`''' is an [[Protocols/IP|IP]] tunnel daemon primarily used to create a VPN.

----

== Installation ==

Most [[Linux]] and [[BSD]] distributions offer an `openvpn` package.

----

== Setup ==

=== FreeBSD ===

As the `root` user, create a configuration directory.

{{{
$ mkdir /usr/local/etc/openvpn
}}}

If using a commercial VPN, you will have to obtain from them:

 1. A configuration file
 1. A certificate and key pair
 1. An authentication login

Copy the relevant configuration (likely `.conf` or `.ovpn`), certificate (`.crt`), and key (`.pem`) files to the configuration directory. Create the authentication file with the username and password on separate lines. Then edit the configuration file so that it contains:

{{{
auth-user-pass /path/to/your/authentication/file
# this suppresses the caching of the password and user name
auth-nocache
}}}

Finally, set `openvpn(8)` to run on startup by adding the below to `/etc/rc.conf`:

{{{
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/vpn.conf"
}}}

=== Linux ===

Create a configuration directory (such as `/etc/openvpn/client`) if one doesn't already exist.

If using a commercial VPN, you will have to obtain from them:

 1. A configuration file
 1. A certificate and key pair
 1. An authentication login

Copy the relevant configuration (likely `.conf` or `.ovpn`), certificate (`.crt`), and key (`.pem`) files to the configuration directory. Create the authentication file with the username and password on separate lines. Then edit the configuration file so that it contains:

{{{
auth-user-pass /path/to/your/authentication/file
# this suppresses the caching of the password and user name
auth-nocache
}}}

Start `openvpn(8)` with `openvpn --config /path/to/config/file --daemon`.

If the configuration is installed to `/etc/openvpn/client/my-client.conf`, on `systemd`-capable systems [[Linux/Systemd|start and enable]] `openvpn-client@my-client`.
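The setup steps above (an auth file with the username and password on separate lines, `auth-user-pass` and `auth-nocache` added to the client config, and the file readable only by its owner) as an added POSIX shell example. This is not code from the original page; it works in a scratch directory from `mktemp` as a stand-in for `/etc/openvpn/client`, and the file names, the demo credentials and the minimal `vpn.conf` contents are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: prepare an OpenVPN client
# auth file and config the way the Setup section describes, in a scratch
# directory (stand-in for /etc/openvpn/client; all paths here are assumed).
set -eu

# Write the username and password on separate lines. umask 077 makes the
# file mode 0600 from the moment it is created, so there is no window in
# which a later chmod has not yet run. Prints the path of the new file.
make_auth_file() {
  dir=$1 user=$2 pass=$3
  ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$dir/passwd" )
  printf '%s\n' "$dir/passwd"
}

# Add auth-user-pass and auth-nocache to a config unless already present,
# so running it twice does not duplicate the directives.
add_auth_directives() {
  conf=$1 authfile=$2
  grep -q '^auth-user-pass' "$conf" || printf 'auth-user-pass %s\n' "$authfile" >> "$conf"
  grep -q '^auth-nocache' "$conf" || printf 'auth-nocache\n' >> "$conf"
}

# Succeed only if the auth file exists, is mode 0600 and has exactly two
# lines (username, password); anything else is a misconfiguration.
check_auth_file() {
  f=$1
  [ -f "$f" ] || return 1
  find "$f" -prune -perm 0600 | grep -q . || return 1
  [ "$(wc -l < "$f" | tr -d ' ')" -eq 2 ]
}

demo() {
  dir=$(mktemp -d)
  # constructed minimal client config for the demo
  printf 'client\nremote vpn.example.com 1194\n' > "$dir/vpn.conf"
  auth=$(make_auth_file "$dir" demo-user demo-password)
  add_auth_directives "$dir/vpn.conf" "$auth"
  add_auth_directives "$dir/vpn.conf" "$auth"   # second run is a no-op
  if check_auth_file "$auth"; then echo "auth file ok: $auth"; fi
  cat "$dir/vpn.conf"
  rm -rf "$dir"
}
demo
```

`check_auth_file` uses `find -perm 0600` rather than `stat`, because the `stat` flags differ between GNU and BSD userlands while the `find` test is the same on FreeBSD and Linux.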
----

== Configuration ==

=== Certificate and Key Pair ===

It is possible to embed the certificate and key pair in the configuration file. The traditional method of passing them as external files looks like:

{{{
ca /usr/local/etc/openvpn/ca.crt
crl-verify /usr/local/etc/openvpn/crl.pem
}}}

The newer, embedded method wraps the PEM contents in a block named after the directive:

{{{
<crl-verify>
-----BEGIN X509 CRL-----
....
-----END X509 CRL-----
</crl-verify>
<ca>
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
</ca>
}}}

=== Authentication ===

For authentication information, it is best practice to store the username and password in an external file only accessible to the `root` user.

{{{
$ cat <<EOF >/usr/local/etc/openvpn/passwd
username
password
EOF
$ chmod 600 /usr/local/etc/openvpn/passwd
}}}

----

== See also ==

[[https://man.archlinux.org/man/openvpn.8|openvpn(8)]]

----

CategoryRicottone
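Converting a config from the external-file form to the embedded form described in the Certificate and Key Pair section, as an added POSIX shell example that is not part of the original page. `inline_directive` rewrites each `ca /path` or `crl-verify /path` line into the matching `<ca>...</ca>` or `<crl-verify>...</crl-verify>` block; the function names are assumptions, and the certificate and CRL contents in the demo are constructed placeholders, not real PEM data.

```shell
#!/bin/sh
# Added example, not from the original page: rewrite "DIRECTIVE /path/to/file"
# lines of an OpenVPN config into the embedded <DIRECTIVE>...</DIRECTIVE> form.
# The certificate and CRL contents used in the demo are constructed placeholders.
set -eu

# Replace every "directive path" line in $1 with an inline block holding the
# file's contents. The PEM file is read as given, so use absolute paths.
inline_directive() {
  conf=$1 directive=$2
  tmp=$(mktemp)
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      "$directive "*)
        file=${line#"$directive "}
        printf '<%s>\n' "$directive"
        cat "$file"
        # a PEM file without a trailing newline would glue onto the closing tag
        [ -z "$(tail -c1 "$file")" ] || echo
        printf '</%s>\n' "$directive"
        ;;
      *)
        printf '%s\n' "$line"
        ;;
    esac
  done < "$conf" > "$tmp"
  mv "$tmp" "$conf"
}

# Count inline blocks of a directive, to confirm the rewrite happened once.
count_inline() {
  grep -c "^<$2>\$" "$1" || true
}

demo() {
  dir=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT' '-----END CERTIFICATE-----' > "$dir/ca.crt"
  # CRL written without a trailing newline on purpose, to exercise the fix-up above
  printf '%s\n%s\n%s' '-----BEGIN X509 CRL-----' 'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CRL' '-----END X509 CRL-----' > "$dir/crl.pem"
  printf 'client\nca %s\ncrl-verify %s\nremote vpn.example.com 1194\n' "$dir/ca.crt" "$dir/crl.pem" > "$dir/vpn.conf"
  inline_directive "$dir/vpn.conf" ca
  inline_directive "$dir/vpn.conf" crl-verify
  cat "$dir/vpn.conf"
  rm -rf "$dir"
}
demo
```

The same function works for any directive whose only argument is a file (`cert`, `key`, `tls-crypt`). `tls-auth` takes an optional direction argument after the file name, so after inlining it the direction has to be supplied separately with a `key-direction` line.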