OpenVPN

From FreeBSDwiki
Revision as of 23:27, 16 June 2007 by 216.110.12.175 (Talk)
OpenVPN is a very useful open source, cross-platform Virtual Private Networking tool. It uses SSL/TLS encryption (either dynamic TLS keying or a 2048-bit static shared key), can use LZO stream compression, and is blindingly fast as well as much more secure than the typical industry-standard IPSEC DES or IPSEC 3DES solutions. Better yet, it's so simple it can be run entirely from the command line.

Installing

To build it on a FreeBSD machine, just:

cd /usr/ports/security/openvpn
make install clean

It's that easy. Actually doing anything with it will require a little more work. There are many, MANY ways to do this, but this one is useful, simple, and clean.

First, generate yourself a static shared key file (the same secret must later be copied to the other end of the tunnel) and chmod it so that only its owner can read it:

ph34r# openvpn --genkey --secret /usr/local/etc/openvpn.key
ph34r# chmod 400 /usr/local/etc/openvpn.key

Starting OpenVPN

Now you'll need a command to start it with. It can be done purely from the command line, and in one sense that's exactly what we're going to do, but to make our lives a little easier we'll wrap the command line in a shell script in /usr/local/etc/rc.d. So place this, or something similar, in your /usr/local/etc/rc.d:

#!/bin/sh

case "$1" in
start)
       # VPN subnets are contained in 10.10.x.x / 255.255.0.0
       # port range forwarded through the router is 4900-4982

       # first make sure the TAP module is loaded
       kldload if_tap

       # now ensure IP forwarding is enabled
       /sbin/sysctl -w net.inet.ip.forwarding=1

       # Now, make sure there are enough tun* / tap* devices in /dev
       cd /dev
       /bin/sh MAKEDEV tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9

       # Finally, open up for business.
       # A tunnel numbered [x] is configured as follows:
       # device tap[x], port (4900 + [x]), network 10.10.(10 + [x])
       # Client machine is always .2, server is always .1

       # note - ping-restart on server end with disconnected clients
       # seems to be the problem resulting in exhausted mbufs.  Trying
       # ping-restart on client end only and hoping for the best.

       # 0. Server side - dynamic VPN
       # --daemon backgrounds the process so the rc.d script can return
       /usr/local/sbin/openvpn \
       --dev tap0 --port 4900 --ifconfig 10.10.10.1 255.255.255.252 \
       --tun-mtu 1500 --tun-mtu-extra 32 --mssfix 1450 --key-method 2 \
       --secret /usr/local/etc/openvpn.key --ping 1 --daemon
       ;;
*)
       echo "usage: $0 start" >&2
       exit 1
       ;;
esac
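The rc.d script's comments describe a numbering scheme (tunnel [x] uses tap[x], port 4900 + [x], network 10.10.(10 + [x]), server .1, client .2) but only write out tunnel 0, and the key-generation step above relies on the key file being readable by its owner alone. The following helper functions, added here as an example and not part of the wiki page, derive both sides' command lines for any tunnel number from that scheme, check that the number stays inside the forwarded port range 4900-4982, and verify the key file's permissions before anything is started. The key path and openvpn binary location are the page's; the function names, the client's `--remote REMOTE_HOST` placeholder and the 60-second `--ping-restart` on the client side (the note in the script says ping-restart is only wanted on the client end) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the wiki page. Derives per-tunnel OpenVPN settings
# from the scheme in the rc.d script's comments and checks the static key file.

KEY=/usr/local/etc/openvpn.key            # path from the page
OPENVPN=/usr/local/sbin/openvpn           # path from the page

# UDP port for tunnel number $1: 4900 + [x]
vpn_port() { echo $((4900 + $1)); }

# First three octets of the /30 for tunnel $1: 10.10.(10 + [x])
vpn_net() { echo "10.10.$((10 + $1))"; }

# True when tunnel $1's port lies inside the range forwarded by the router.
vpn_in_range() {
  p=$(vpn_port "$1")
  [ "$p" -ge 4900 ] && [ "$p" -le 4982 ]
}

# Print the openvpn command line for tunnel $1 in role $2 ("server" or "client").
# Both ends share the same static key; the server is .1, the client .2.
# REMOTE_HOST is an assumed placeholder for the server's public address.
vpn_cmd() {
  x=$1; role=$2
  net=$(vpn_net "$x"); port=$(vpn_port "$x")
  case "$role" in
    server) ip="$net.1"; extra="" ;;
    client) ip="$net.2"; extra="--remote REMOTE_HOST --ping-restart 60" ;;
    *) echo "usage: vpn_cmd <tunnel-number> server|client" >&2; return 1 ;;
  esac
  echo "$OPENVPN --dev tap$x --port $port" \
       "--ifconfig $ip 255.255.255.252" \
       "--tun-mtu 1500 --tun-mtu-extra 32 --mssfix 1450" \
       "--secret $KEY --ping 1" $extra
}

# True when the key file $1 exists and is unreadable by group and others
# (what "chmod 400" on the page produces). Parses the mode column of ls -l,
# which is portable across the BSDs and Linux, unlike stat's flags.
vpn_key_ok() {
  f=$1
  [ -f "$f" ] || return 1
  go=$(ls -l "$f" | cut -c5-10)
  [ "$go" = "------" ]
}

# Stand-alone use: print the server and client lines for tunnel 3 after the checks.
if [ "${1:-}" = "show" ]; then
  vpn_in_range 3 || { echo "tunnel 3 is outside the forwarded port range" >&2; exit 1; }
  vpn_key_ok "$KEY" || echo "warning: $KEY missing or readable by others" >&2
  vpn_cmd 3 server
  vpn_cmd 3 client
fi
```

Running the file with the argument `show` prints the paired server and client invocations for tunnel 3 (tap3, port 4903, 10.10.13.1 and 10.10.13.2) and warns if the key file is not restricted to its owner; source it from another script to reuse the functions.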