[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

Re: [Openvpn-users] pracitcal example using OpenBSD?


  • Subject: Re: [Openvpn-users] pracitcal example using OpenBSD?
  • From: James Holmes <jdh@xxxxxxxx>
  • Date: Mon, 20 Dec 2004 16:23:26 -0600

Matt Singerman wrote:

Hello all,

I have set up OpenVPN on an OpenBSD 3.2 machine, and I believe I have it configured properly - the loopback tests work for both the client and server. When I set it to run, it appears to be starting okay, but I cannot connect to it.

I am fairly sure that the problem is somewhere in my firewall configuration, and I can't seem to find any examples of how to configure pf correctly using openvpn. Can anyone point me to some examples? Thanks.

--Matt

I've attached my sanitized and somewhat simplified configs. I run the server on my OpenBSD 3.6-current machine and use the easy-rsa package included with OpenVPN to generate the keys and crl.


--
James Holmes
Programmer/SysAdmin
RTDS Technologies Inc.
--
http://www.rtds.com


client
dev tun
proto udp
remote your.server.name
pkcs12 client.p12
tls-auth ta.key 1
comp-lzo
verb 4
mssfix 1400
fragment 1400


# tun-style tunnel on port 1194 (or port 5000 prior to beta17)

dev tun0

# Server mode

server 10.1.0.0 255.255.255.0

# TLS parms
#
# Note: The crl file should be kept in /var/openvpn or wherever the chroot directory
#       is. The certs and keys should not be kept in /var/openvpn or it's subdirectories.
#       persist-key will keep an in memory copy of server.crt, server.key, dh1024.pem and
#       ta.key.

ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
tls-auth keys/ta.key 0
crl-verify /crl

# keepalive expands to "ping 10, ping-restart 120, push "ping 10", push "ping-restart 60"
# when in server mode. I don't use ping or ping-restart in the client configs.

keepalive 10 60
ping-timer-rem
persist-tun
persist-key
resolv-retry 86400
#client-to-client

# Push these parameters to the client once the connection is established.

push "route-delay 5 30"
push "route 10.1.0.1 255.255.255.255"
push "route 192.168.150.0 255.255.255.0"
push "persist-tun"
push "persist-key"
push "dhcp-option DOMAIN your.domain.name"
push "dhcp-option DNS 192.168.150.1"
push "dhcp-option DNS 192.168.150.2"
push "dhcp-option WINS 192.168.150.2"
push "dhcp-option NBT 2"

# Set up the local routing table to allow VPN packets to be forwarded
# to and from the local network.

route 10.1.0.0 255.255.255.0 10.1.0.1

# The server doesn't need privileges after initialization

user _openvpn
group _openvpn
chroot /var/openvpn

verb 4
mute 10
comp-lzo

# These are conservative settings, they might not be as fast as
# possible, but they should be reliable.

mssfix 1400
fragment 1400
# OpenVPN beta 17 and later uses port 1194. Prior to that it used port 5000.
#
# These rules should block all inbound traffic to the external interface except
# OpenVPN udp port and reply packets for which state exists. It should allow
# unrestricted access for VPN users. NAT is used so ftp-proxy is necessary for
# ftp to work correctly. Also make sure that net.inet.ip.forwarding is set to
# 1 in /etc/sysctl.conf and that pf is enabled (pfctl -e , or to make permanent
# put pf=YES in /etc/rc.conf.local).

# Edit these macros for your network:

ext_if = "xl0"
int_if = "xl1"
vpn_if = "tun0"
openvpn_port = "1194"

# Network Address Translation

nat on $ext_if from !($ext_if) -> ($ext_if:0)

# Redirect outbound ftp traffic to ftp-proxy - this allows ftp on inside
# network to work through NAT. (uncomment ftp-proxy in /etc/inetd.conf)

rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Default deny

block log all

# Antispoof

antispoof quick for { $int_if } inet

# Pass regular and VPN traffic

pass quick on { lo0 $int_if $vpn_if } keep state
pass in quick on $ext_if inet proto udp from any to ($ext_if) port $openvpn_port keep state
pass out quick on $ext_if from ($ext_if) to any keep state