OpenVPN

openvpn(8) is an IP tunnel daemon primarily used to create a VPN.


Installation

Most Linux and BSD distributions offer an openvpn package.


Setup

FreeBSD

As the root user, create a configuration directory.

$ mkdir /usr/local/etc/openvpn

If using a commercial VPN, you will have to obtain from them:

  1. A configuration file
  2. A certificate and key pair
  3. An authentication login

Copy the relevant configuration (likely .conf or .ovpn), certificate (.crt), and key (.pem) files to the configuration directory. Create the authentication file with username and password on separate lines. Then edit the configuration file such that:

auth-user-pass /path/to/your/authentication/file

#this suppresses the caching of the password and user name
auth-nocache

Finally, set openvpn(8) to run on startup by adding the below to /etc/rc.conf:

openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/vpn.conf"

Linux

Create a configuration directory (such as /etc/openvpn/client) if one doesn't already exist.

If using a commercial VPN, you will have to obtain from them:

  1. A configuration file
  2. A certificate and key pair
  3. An authentication login

Copy the relevant configuration (likely .conf or .ovpn), certificate (.crt), and key (.pem) files to the configuration directory. Create the authentication file with username and password on separate lines. Then edit the configuration file such that:

auth-user-pass /path/to/your/authentication/file

#this suppresses the caching of the password and user name
auth-nocache

Start openvpn(8) with openvpn --config /path/to/config/file --daemon.

If the configuration is installed to /etc/openvpn/client/my-client.conf, for systemd-capable systems, start and enable openvpn-client@my-client.


Configuration

Certificate and Key Pair

It is possible to embed the certificate and key pair in the configuration file. The traditional method of passing them as external files looks like:

ca /usr/local/etc/openvpn/ca.crt
crl-verify /usr/local/etc/openvpn/crl.pem

The new, embedded method looks like:

<crl-verify>
-----BEGIN X509 CRL-----
....
-----END X509 CRL-----
</crl-verify>

<ca>
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
</ca>

Authentication

For authentication information, it is best practice to store the username and password in an external file only accessible to the root user.

$ cat <<EOF >/usr/local/etc/openvpn/passwd
username
password
EOF
$ chmod 600 /usr/local/etc/openvpn/passwd
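The credentials file from the Setup sections and the root-only permissions described above, as an added POSIX sh example that is not part of this wiki page: it creates the two-line file with mode 0600 from the start and then checks that both the file and the client configuration (auth-user-pass plus auth-nocache) are as the page recommends. The paths and the placeholder username and password are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page. Creates the OpenVPN credentials file
# (username and password on separate lines, mode 0600) and verifies that a
# client config references it with auth-user-pass and sets auth-nocache.
# All paths and credential values below are made-up placeholders.

# install_auth_file FILE USERNAME PASSWORD
# The subshell umask makes the file 0600 at creation, so the password is never
# briefly readable by other users before a later chmod.
install_auth_file() {
    ( umask 077 && printf '%s\n%s\n' "$2" "$3" > "$1" )
}

# check_auth_file FILE
# Succeeds only if FILE exists, has exactly two lines (user, password), and is
# mode 0600 (read/write for the owner, nothing for group or others).
check_auth_file() {
    [ -f "$1" ] || return 1
    [ "$(wc -l < "$1" | tr -d ' ')" -eq 2 ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)        # portable across Linux and BSD
    [ "$mode" = "-rw-------" ]
}

# check_config CONFIG AUTHFILE
# Succeeds only if CONFIG names AUTHFILE in an auth-user-pass line and also
# contains auth-nocache, so the daemon does not keep the credentials cached.
check_config() {
    grep -q "^auth-user-pass[[:space:]][[:space:]]*$2[[:space:]]*\$" "$1" || return 1
    grep -q '^auth-nocache[[:space:]]*$' "$1"
}

# Demonstration in a temporary directory standing in for /usr/local/etc/openvpn.
demo() {
    dir=$(mktemp -d)
    install_auth_file "$dir/passwd" "exampleuser" "examplepassword"
    printf 'client\ndev tun\nauth-user-pass %s\nauth-nocache\n' "$dir/passwd" > "$dir/vpn.conf"
    check_auth_file "$dir/passwd" && echo "credentials file: OK"
    check_config "$dir/vpn.conf" "$dir/passwd" && echo "config: OK"
    rm -rf "$dir"
}
demo
```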


See also

openvpn(8)


CategoryRicottone

Encryption/OpenVPN (last edited 2023-04-06 16:30:19 by DominicRicottone)