HOW TO set up OpenVPN

Want secure networks, use OpenVPN!
There are two ways to setup VPN, one you have a ethernet bridge and the clients and servers have IPs on the same network (ip/netmask). That is the easier way. Here we will go over the slightly more involved method of setting up VPN users in a different network. The OpenVPN server will be the gateway machine between your client on his/her laptop and your internal network at the datacenter. For this to work, the client will encrypt and route all packets destined for the Internal Network to the External IP of the OpenVPN server. The OpenVPN server will decrypt the packets and forward them to the Internal Network. The servers on the Internal Network will all need two changes to work: [1] their firewalls will need to accept packets from the VPN Network and [2] all packets destined for the VPN Network will need to be routed to the OpenVPN Server's Internal IP. Sound hard? It's not too bad once you understand this first section. When your laptop conencts, the OpenVPN Server will give your laptop an additional IP from the VPN Network Pool of IPs. That is how you join the VPN Network.
Configure the OpenVPN Server Install OpenVPN: cd /usr/ports/security/openvpn && make install clean Here is the output of ifconfig for this example bge0: flags=8843 mtu 1500 options=1b inet 61.11.111.6 netmask 0xffffff00 broadcast 61.11.111.255 ether 00:1a:a0:11:11:11 media: Ethernet autoselect (1000baseTX ) status: active bge1: flags=8802 mtu 1500 options=1b inet 10.10.22.7 netmask 0xffffff00 broadcast 61.11.111.255 ether 00:1a:a0:11:11:12 media: Ethernet autoselect (none) status: no carrier lo0: flags=8049 mtu 16384 inet 127.0.0.1 netmask 0xff000000 bge0 is external and bge1 is on the Internal Network. Pick a port that you are going to want your VPN server to listen on. Let's say 4444. (the default is 1197) Set up your firewall to allow VPN traffic to your new IP... rc.firewall ... ipfw add allow ip from any to any via tun0 // VPN device ipfw add allow tcp from any to any established ipfw add allow tcp from any to me dst-port 4444 setup // VPN access if we use TCP ipfw add allow udp from any to me dst-port 4444 // VPN access if we use UDP ipfw add allow udp from me 4444 to any // VPN access if we use UDP ... Create a /usr/local/etc/openvpn/server.conf # external IP of OpenVPN Server local 61.11.111.6 # pick a non-default port number... port 4444 proto udp # We use TUN when setting separate IPs on a VPN Network dev tun0 # Adjust path as needed. ca /usr/local/etc/openvpn/ca.crt cert /usr/local/etc/openvpn/server.crt key /usr/local/etc/openvpn/server.key # keep secret. dh /usr/local/etc/openvpn/dh1024.pem tls-auth /usr/local/etc/openvpn/ta.key 0 # The Pool of IPs in the 'VPN Network' server 10.44.44.0 255.255.255.0 ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt # Tell the clinet about the IPs on your Data Center Internal Network # Don't use 192.168.1.0 in your data center as that is the default # network for a lot of home systems and that makes it HARDER to # get VPN working. push "route 10.3.3.0 255.255.255.0" client-to-client keepalive 10 120 comp-lzo persist-key persist-tun # look at this file if the server doesn't launch... status /usr/local/etc/openvpn/openvpn-status.log management localhost 7505 verb 3 mute 20 Generate all the crts, keys, ta files, etc... read the openvpn documentation :) Config /etc/rc.conf so OpenVPN will launch. openvpn_enable="YES" # set to YES to enable openvpn openvpn_if="tun" # driver(s) to load, set to "tun", "tap" or "tun tap" openvpn_configfile="/usr/local/etc/openvpn/server.conf" # --config file gateway_enable="YES" # you need to forward packets between internal and VPN. Start it up! sysctl net.inet.ip.forwarding=1 /usr/local/etc/rc.d/openvpn start if you reboot, you don't need to turn on forwarding if you put gateway_enable in your rc.conf. Once you start the OpenVPN server, your ifconfig will automagically add a new device. tun0: flags=8051 mtu 1500 inet 10.44.44.1 --> 10.44.44.2 netmask 0xffffffff Opened by PID 7866 Set up the servers on your Internal Network You need to add a route.... when you servers get IP traffic from the fake 10.44.44.0/24 network, you need to tell your server to route those packets back through the OpenVPN Servers's Internal Interface (10.10.22.7). I usually set up ipfw, so I roll the route and firewall rules into one like this: # part of /etc/rc.firewall on servers in the Internal Network net_vpn="10.44.44.0/24" vpn_gateway="10.10.22.7" # Allow VPN network ${fwcmd} add pass all from me to ${net_vpn} // VPN network ${fwcmd} add pass all from ${net_vpn} to me // VPN network echo "Adding VPN route for ${net_vpn} to ${vpn_gateway}" /sbin/route add ${net_vpn} ${vpn_gateway} 2> /dev/null > /dev/null Set up Clients ############# # openvpn.conf # mac users: # download tunnelblick: # http://www.tunnelblick.net/ # Note you need to place 4 files in your # /Users/YOURNAME/Library/openvpn/ folder... # Edit out 'rudy' and put in your local user name # in the lines below. # ############# ca /Users/rudy/Library/openvpn/ca.crt cert /Users/rudy/Library/openvpn/RudyKey.crt key /Users/rudy/Library/openvpn/RudyKey.key tls-auth /Users/rudy/Library/openvpn/ta.key 1 ############# remote 61.11.111.6 port 4444 ############# client dev tun proto udp resolv-retry infinite nobind user nobody group nobody persist-key persist-tun comp-lzo verb 3 log openvpn.log That counfig out to work for a variety (Mac, Unix, Windoze) of clients. Want to know how to generate the CRT KEY ta.key and ca.crt files? Read the OpenVPN documentation.