cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2ec950a657
openbsd-ports/net/openvpn/pkg
History
jsing 3113bc5481 Include openvpn-plugin.h in openvpn package. 
ok sthen@
2012-01-27 12:30:28 +00:00
..
DESCR
PLIST Include openvpn-plugin.h in openvpn package. 2012-01-27 12:30:28 +00:00
README Move MESSAGE to README. Explain how to configure tun devices with 2011-11-02 16:45:02 +00:00

README 

$OpenBSD: README,v 1.1 2011/11/02 16:45:02 stsp Exp $

+-----------------------------------------------------------------------
| Running ${FULLPKGNAME} on OpenBSD
+-----------------------------------------------------------------------

Using /etc/hostname.tun0 without persist-tun
============================================

OpenVPN re-creates the tun(4) interface at startup, unless the
persist-tun option is given in the configuration file. When not using
persist-tun, compatibility with PF is improved by starting OpenVPN from
hostname.if(5).  For example:

# cat << EOF > /etc/hostname.tun0
up
!${TRUEPREFIX}/sbin/openvpn --daemon \
    --config ${SYSCONFDIR}/openvpn/server.conf
EOF

Using /etc/hostname.tun0 with persist-tun
=========================================

When the persist-tun option is used, the tun(4) interface can be
configured before OpenVPN is started, just like any other interface.

The example below configures a point-to-point link between two sites
accross an OpenVPN tunnel. Site-1 has tunnel end point 10.1.1.1 and
local network 192.168.0.0/24. Site-2 has tunnel end point 10.1.1.2
and local network 192.168.1.1/24. The sites connect their local
networks via the tunnel.

Site-1:
# cat << EOF > /etc/hostname.tun0
inet 10.1.1.1 255.255.255.255 NONE
dest 10.1.1.2
!/sbin/route add -host 10.1.1.1 127.0.0.1
!/sbin/route add -net 192.168.1.1/24 10.1.1.2
EOF

Site-2:
# cat << EOF > /etc/hostname.tun0
inet 10.1.1.2 255.255.255.255 NONE
dest 10.1.1.1
!/sbin/route add -host 10.1.1.2 127.0.0.1
!/sbin/route add -net 192.168.0.0/24 10.1.1.1
EOF

In this case, there is no need to configure an IP address on the tun
interface from the OpenVPN configuration file. The tun interface will
become active when OpenVPN starts using it.

A suitable OpenVPN configuration file for site-1 might look as follows:

  daemon
  dev tun0
  persist-tun
  proto udp
  local site-1.example.com
  remote site-2.example.com
  secret /etc/openvpn/secret.key
  ping 10
  ping-restart 60

Running OpenVPN in chroot
=========================

OpenVPN can run as an unprivileged user inside chroot when the
persist-tun, persist-key, and persist-local-ip options are used.
Note that persist-local-ip requires that OpenVPN is listening on an
interface with a static IP address. To chroot OpenVPN, use the following
as part of your configuration file:

  persist-tun
  persist-key
  persist-local-ip
  user _openvpn
  group _openvpn
  chroot /var/empty