5acccec629
ChangeLog at https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23 ok sthen@ (maintainer) |
||
---|---|---|
.. | ||
DESCR | ||
PLIST | ||
README |
$OpenBSD: README,v 1.2 2016/04/25 18:21:09 sthen Exp $ +----------------------------------------------------------------------- | Running ${FULLPKGNAME} on OpenBSD +----------------------------------------------------------------------- Upgrading from OpenBSD 5.8 or earlier ------------------------------------- Note that in previous versions of OpenBSD, the tun(4) interface was used for both layer-3 (routed) connections, and also for layer-2 (bridged, using the "link0" flag). This was changed in OpenBSD 5.8, layer-2 (bridged) connections should now use the tap(4) interface instead as on other OS. Consult the upgrade guide for 5.9 for more information. Using an /etc/hostname.* file without persist-tun ------------------------------------------------- OpenVPN normally re-creates the tun/tap interface at startup. This has been reported to cause problems with some PF configurations (especially with queueing), if you run into problems with this then then OpenVPN should be started from the hostname.* file, e.g.: # cat << EOF > /etc/hostname.tun0 up !${TRUEPREFIX}/sbin/openvpn --daemon \ --config ${SYSCONFDIR}/openvpn/server.conf EOF (Or use hostname.tap0 for a layer-2 connection). Using an /etc/hostname.* file with persist-tun ---------------------------------------------- When the persist-tun option is used, the tun(4) or tap(4) interface can be configured before OpenVPN is started, just like any other interface. The example below configures a point-to-point link between two sites accross an OpenVPN tunnel. Site-1 has tunnel end point 10.1.1.1 and local network 192.168.0.0/24. Site-2 has tunnel end point 10.1.1.2 and local network 192.168.1.1/24. The sites connect their local networks via the tunnel. Site-1: # cat << EOF > /etc/hostname.tun0 inet 10.1.1.1 255.255.255.255 NONE dest 10.1.1.2 !/sbin/route add -host 10.1.1.1 127.0.0.1 !/sbin/route add -net 192.168.1.1/24 10.1.1.2 EOF Site-2: # cat << EOF > /etc/hostname.tun0 inet 10.1.1.2 255.255.255.255 NONE dest 10.1.1.1 !/sbin/route add -host 10.1.1.2 127.0.0.1 !/sbin/route add -net 192.168.0.0/24 10.1.1.1 EOF In this case, there is no need to configure an IP address on the tun interface from the OpenVPN configuration file. The tun interface will become active when OpenVPN starts using it. A suitable OpenVPN configuration file for site-1 might look as follows: daemon dev tun0 persist-tun proto udp local site-1.example.com remote site-2.example.com secret /etc/openvpn/secret.key ping 10 ping-restart 60 Running OpenVPN in chroot ------------------------- OpenVPN can run as an unprivileged user inside chroot when the persist-tun, persist-key, and persist-local-ip options are used. Note that persist-local-ip requires that OpenVPN is listening on an interface with a static IP address. To chroot OpenVPN, use the following as part of your configuration file: persist-tun persist-key persist-local-ip user _openvpn group _openvpn chroot /var/empty