OpenVPN
OpenVPN is an absolutely invaluable open source, cross platform Virtual Private Networking tool. It uses SSL encryption (dynamic or 2048-bit static shared key), can use LZO stream compression, and is blindingly fast as well as vastly more secure compared to typical industry standard IPSEC + DES or IPSEC + 3DES solutions. Better yet, it's so simple it can be run entirely from the command line.
Installing
To build it on a BSD machine, just:
cd /usr/ports/security/openvpn make install clean
it's that easy. Actually doing anything with it will require a little more work. There are many MANY ways to do this, but this one's useful, simple, and clean.
First, generate yourself a private key file and chmod it so that only its owner can read it:
ph34r# openvpn --genkey --secret-file=/usr/local/etc/openvpn.key ph34r# chmod /usr/local/etc/openvpn.key 400
Note under FreeBSD5.4 with openvpn version 2.0.6
ph34r# openvpn --genkey --secret /usr/local/etc/openvpn.key
Starting OpenVPN
Now you'll need a command to start it with. It can be done purely from the command line - and in fact, in one sense, that's exactly what we're going to do - but to make our lives a little easier, we'll actually use command line stuff from a shell script in /usr/local/etc/rc.d. So place this - or something similar - in your /usr/local/etc/rc.d:
#!/bin/sh case "$1" in start) # VPN subnets are contained in 10.10.x.x / 255.255.0.0 # port range forwarded through the router is 4900-4982 # first make sure the TAP module is loaded kldload if_tap # now ensure IP forwarding is enabled /sbin/sysctl -w net.inet.ip.forwarding=1 # Now, make sure there are enough tun* / tap* devices in /dev cd /dev /bin/sh MAKEDEV tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 # Finally, open up for business. # A tunnel numbered [x] is configured as follows: # device tun[x], port (4900 + [x]), network 10.10.(10 + [x]) # Client machine is always .2, server is always .1 # note - ping-restart on server end with disconnected clients # seems to be the problem resulting in exhausted mbufs. Trying # ping-restart on client end only and hoping for the best. # 0. Server side - dynamic VPN /usr/local/sbin/openvpn \ --dev tap0 --port 4900 --ifconfig 10.10.10.1 255.255.255.252 \ --tun-mtu 1500 --tun-mtu-extra 32 --mssfix 1450 --key-method 2 \ --secret /usr/local/etc/openvpn.key --ping 1 & # # 1a. Client side - persistent VPN # /usr/local/sbin/openvpn \ # --dev tap1 \ # --remote ip_or_hostname.to.connect.to \ # --secret /usr/local/etc/openvpn.key \ # --key-method 2 \ # --port 4901 \ # --ifconfig 10.10.11.2 255.255.255.252 \ # --route 192.168.1.0 255.255.255.0 10.10.11.1 \ # --tun-mtu 1500 --tun-mtu-extra 32 \ # --fragment 1300 --mssfix \ # --persist-tun --persist-key --resolv-retry 86400 \ # --ping 10 --ping-restart 15 \ # --verb 4 --mute 10 & # 1b. Server side - persistent VPN /usr/local/sbin/openvpn \ --dev tap1 \ --secret /usr/local/etc/openvpn.key \ --key-method 2 \ --port 4901 \ --ifconfig 10.10.11.1 255.255.255.252 \ --route 192.168.1.0 255.255.255.0 10.10.11.2 \ --tun-mtu 1500 --tun-mtu-extra 32 \ --fragment 1300 --mssfix \ --persist-tun --persist-key --resolv-retry 86400 \ --ping 10 --ping-restart 15 \ --verb 4 --mute 10 & # end section ;; stop) killall openvpn ;; *) echo "Usage: `basename $0` {start|stop}" >&2 ;; esac exit 0
Don't forget to chmod 755 /usr/local/etc/rc.d/openvpn.sh to make sure you can execute it.
What you've got there is a setup (which can be started up or stopped like any other rc.d script - /usr/local/etc/rc.d/openvpn.sh start or stop) which provides for two tunnels - one coming from a Windows machine, probably a laptop or something (labeled "dynamic VPN"; more on that in a minute) and one (labeled "persistent VPN") from another BSD or other *nix machine.
All we'll do on the other *nix box is copy over the openvpn.key we created on this machine, copy over this same script, comment out the:
- # 1b. Server side - persistent VPN section
- uncomment the # 1a. Client side - persistent VPN side
- and fire it up.
Once the scripts have been started on both machines (obviously you'll need a routeable IP address for at least the machine on the "server" side), presto, you've got a tunnel!
Obviously this article is unfinished, but work beckons. More later.