OpenVPN
Installation
Install the openvpn package from your package manager of choice.
Setup
FreeBSD
As the root user, create a configuration directory.
$ mkdir /usr/local/etc/openvpn
If using a commercial VPN, you will have to obtain from them:
- A configuration file
- A certificate and key pair
- An authentication login
Copy the relevant configuration (likely .conf or .ovpn), certificate (.crt), and key (.key or .pem) files to the configuration directory. Create the authentication file with the username on the first line and the password on the second. Then edit the configuration file so that it contains:
auth-user-pass /path/to/your/authentication/file
# this stops OpenVPN from caching the username and password in memory
auth-nocache
Note that auth-nocache only wipes the credentials from OpenVPN's memory after they have been used; it does nothing to protect the file itself, so restrict its permissions as described under Authentication below.
Finally, set OpenVPN to run on startup by adding the following to /etc/rc.conf:
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/vpn.conf"
Linux
Create a configuration directory (such as /etc/openvpn) if one doesn't already exist.
If using a commercial VPN, you will have to obtain from them:
- A configuration file
- A certificate and key pair
- An authentication login
Copy the relevant configuration (likely .conf or .ovpn), certificate (.crt), and key (.key or .pem) files to the configuration directory. Create the authentication file with the username on the first line and the password on the second. Then edit the configuration file so that it contains:
auth-user-pass /path/to/your/authentication/file
# this stops OpenVPN from caching the username and password in memory
auth-nocache
Note that auth-nocache only wipes the credentials from OpenVPN's memory after they have been used; it does nothing to protect the file itself, so restrict its permissions as described under Authentication below.
OpenVPN can be started manually with:
openvpn --config /path/to/config/file --daemon
On systemd-capable systems, set OpenVPN to run persistently by starting and enabling openvpn-client@<config>. Note that this only works if you:
- Rename the corresponding config file to have a .conf file extension
- Install the config file in /etc/openvpn/client
The instance name is the file name without the .conf extension: /etc/openvpn/client/vpn.conf is started with systemctl enable --now openvpn-client@vpn, and the unit runs OpenVPN with /etc/openvpn/client as its working directory, so relative paths in the config resolve there.
Configuration
Certificate and Key Pair
It is possible to embed the certificate and key pair in the configuration file. The traditional method of passing them as external files looks like:
ca /usr/local/etc/openvpn/ca.crt
crl-verify /usr/local/etc/openvpn/crl.pem
The newer, embedded method looks like:
<crl-verify>
-----BEGIN X509 CRL-----
....
-----END X509 CRL-----
</crl-verify>
<ca>
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
</ca>
The same inline form works for cert, key, dh, extra-certs, tls-auth and tls-crypt, so an entire client profile can live in one file. Two caveats: an inline tls-auth key has no place for the key direction argument, which must then be given separately with key-direction; and once the private key is embedded, the configuration file is itself secret material and should be readable by root only.
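The conversion from the traditional form to the embedded form can be scripted. The following is an added example, not code from the original page or from the OpenVPN project: it reads a profile, replaces every ca / cert / key / dh / extra-certs / crl-verify / tls-auth / tls-crypt directive that names a file with the corresponding inline block, and turns the optional key direction argument of tls-auth into a key-direction line. It assumes relative paths in the profile are relative to the profile's own directory and that the referenced files are PEM text; the function name embed_inline and the file names used in the comments are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page or from OpenVPN): rewrite an
# OpenVPN profile so that the files named by ca / cert / key / dh /
# extra-certs / crl-verify / tls-auth / tls-crypt are embedded as inline
# <tag>...</tag> blocks.
# Assumptions: relative paths in the profile are relative to the profile's
# own directory, and the referenced files are PEM text (pkcs12 is binary and
# deliberately not handled here).

set -eu

# Directives whose single file argument OpenVPN also accepts as an inline block.
INLINE_DIRECTIVES='ca cert key dh extra-certs crl-verify tls-auth tls-crypt'

# embed_inline SRC DST
# Writes DST with the inline blocks; returns 1 (and writes nothing further)
# if a referenced file does not exist, so a half-converted profile is obvious.
embed_inline() {
    src=$1 dst=$2
    base=$(dirname "$src")
    : > "$dst"
    while IFS= read -r line || [ -n "$line" ]; do
        # Split the line into words without letting the shell expand globs.
        set -f; set -- $line; set +f
        directive=${1-}
        case " $INLINE_DIRECTIVES " in
            *" $directive "*) ;;
            # Anything else (comments, other directives, existing inline
            # blocks and their PEM lines) is copied through unchanged.
            *) printf '%s\n' "$line" >> "$dst"; continue ;;
        esac
        path=${2-}
        [ -n "$path" ] || { printf '%s\n' "$line" >> "$dst"; continue; }
        case $path in
            /*) file=$path ;;
            *)  file="$base/$path" ;;
        esac
        if [ ! -f "$file" ]; then
            echo "$directive: $file not found" >&2
            return 1
        fi
        # "tls-auth ta.key 1": the direction cannot live inside the inline
        # block, so it becomes a separate key-direction directive.
        if [ "$directive" = tls-auth ] && [ -n "${3-}" ]; then
            printf 'key-direction %s\n' "$3" >> "$dst"
        fi
        printf '<%s>\n' "$directive" >> "$dst"
        cat "$file" >> "$dst"
        # Make sure the closing tag starts on its own line even when the
        # key file lacks a trailing newline.
        [ -z "$(tail -c 1 "$file")" ] || printf '\n' >> "$dst"
        printf '</%s>\n' "$directive" >> "$dst"
    done < "$src"
}

# Usage when run as a script: embed_inline.sh vpn.conf vpn-inline.conf
if [ "$#" -eq 2 ]; then
    embed_inline "$1" "$2" && echo "wrote $2"
fi
```

After converting, remember that the output file now contains the private key: give it the same permissions you would give the key file, and remove the loose .key file only once the new profile has been tested.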
Authentication
For authentication information, it is best practice to store the username and password in an external file only accessible to the root user.
$ cat <<EOF >/usr/local/etc/openvpn/passwd
username
password
EOF
$ chmod 600 /usr/local/etc/openvpn/passwd
With the default umask the file is world-readable for the moment between the two commands, so run umask 077 first (or create the file in an editor). Also be aware that in bash an interactive heredoc body is recorded in the shell history together with the command, so the password ends up there unless history is disabled for that command.
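The Setup steps above (install the profile, point it at a credentials file, enable auth-nocache) and the permissions advice in this section can be combined into one idempotent script. The following is an added example, not code from the original page or from OpenVPN: install_client_config copies a provider profile into the configuration directory under a chosen name, removes any auth-user-pass or auth-nocache lines the provider shipped, appends the two the page calls for, and writes the credentials file root-readable from the moment it exists; check_client_config verifies the result. The function names, the NAME.conf / NAME.auth naming and the directory argument are the example's own assumptions; the directory (such as /etc/openvpn/client or /usr/local/etc/openvpn) must already exist.

```shell
#!/bin/sh
# Added example (not from the original page or from OpenVPN): install a
# commercial-VPN client profile and its credentials file the way the Setup
# steps describe.
# Assumptions: the profile is a plain-text .ovpn/.conf, the target directory
# exists, and for real use the script runs as root.

set -eu

# install_client_config CONFDIR NAME SRC_PROFILE USERNAME PASSWORD
# Writes CONFDIR/NAME.conf and CONFDIR/NAME.auth and prints the config path.
install_client_config() {
    confdir=$1 name=$2 src=$3 user=$4 pass=$5
    conf="$confdir/$name.conf"
    auth="$confdir/$name.auth"

    [ -d "$confdir" ] || { echo "no such directory: $confdir" >&2; return 1; }
    [ -f "$src" ] || { echo "no such profile: $src" >&2; return 1; }

    # Drop any auth-user-pass / auth-nocache lines the provider shipped so
    # the profile ends up with exactly one of each, pointing at our file.
    grep -Ev '^[[:space:]]*(auth-user-pass|auth-nocache)([[:space:]]|$)' "$src" > "$conf" || true
    printf 'auth-user-pass %s\n' "$auth" >> "$conf"
    # Do not keep the credentials in memory after they have been used.
    printf 'auth-nocache\n' >> "$conf"

    # Credentials: username on line 1, password on line 2. The umask is set
    # in a subshell so the file is never world-readable, not even briefly,
    # and the shell's own umask is left alone.
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$auth" )
    chmod 600 "$auth"
    # Refuse to continue if the file somehow has any other mode.
    [ -n "$(find "$auth" -perm 600)" ] || { echo "bad mode on $auth" >&2; return 1; }
    echo "$conf"
}

# check_client_config CONF
# Returns 0 only if the profile names exactly one credentials file, that
# file exists with two non-empty lines, and auth-nocache is set.
check_client_config() {
    conf=$1
    n=$(grep -Ec '^[[:space:]]*auth-user-pass[[:space:]]+[^[:space:]]' "$conf") || true
    [ "$n" -eq 1 ] || return 1
    authfile=$(sed -n 's/^[[:space:]]*auth-user-pass[[:space:]]\{1,\}//p' "$conf")
    [ -f "$authfile" ] || return 1
    [ "$(grep -c . "$authfile")" -eq 2 ] || return 1
    grep -Eq '^[[:space:]]*auth-nocache[[:space:]]*$' "$conf" || return 1
}

# Usage when run as a script: install_openvpn_client.sh CONFDIR NAME PROFILE USER
# The password is read from standard input so it never appears in a process
# listing or in the shell history as part of the command line.
if [ "$#" -eq 4 ]; then
    IFS= read -r password
    conf=$(install_client_config "$1" "$2" "$3" "$4" "$password")
    check_client_config "$conf"
    echo "installed $conf"
    echo "systemd:  systemctl enable --now openvpn-client@$2  (CONFDIR must be /etc/openvpn/client)"
    echo "FreeBSD:  add openvpn_enable=\"YES\" and openvpn_configfile=\"$conf\" to /etc/rc.conf"
fi
```

The script deliberately stops short of enabling the service: on systemd the unit name follows from the file name, and on FreeBSD the rc.conf lines from the Setup section still have to be added by hand, so it prints both instead of guessing which init system is in use.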