openbsd-ports/net/openvpn/pkg
2016-11-29 09:22:02 +00:00
..
DESCR
PLIST Update to openvpn-2.3.13 2016-11-29 09:22:02 +00:00
README

$OpenBSD: README,v 1.2 2016/04/25 18:21:09 sthen Exp $

+-----------------------------------------------------------------------
| Running ${FULLPKGNAME} on OpenBSD
+-----------------------------------------------------------------------

Upgrading from OpenBSD 5.8 or earlier
-------------------------------------
Note that in previous versions of OpenBSD, the tun(4) interface was
used for both layer-3 (routed) connections, and also for layer-2
(bridged, using the "link0" flag). This was changed in OpenBSD 5.8,
layer-2 (bridged) connections should now use the tap(4) interface
instead as on other OS. Consult the upgrade guide for 5.9 for more
information.

Using an /etc/hostname.* file without persist-tun
-------------------------------------------------
OpenVPN normally re-creates the tun/tap interface at startup.
This has been reported to cause problems with some PF configurations
(especially with queueing), if you run into problems with this then
then OpenVPN should be started from the hostname.* file, e.g.:

# cat << EOF > /etc/hostname.tun0
up
!${TRUEPREFIX}/sbin/openvpn --daemon \
    --config ${SYSCONFDIR}/openvpn/server.conf
EOF

(Or use hostname.tap0 for a layer-2 connection).

Using an /etc/hostname.* file with persist-tun
----------------------------------------------
When the persist-tun option is used, the tun(4) or tap(4) interface can
be configured before OpenVPN is started, just like any other interface.

The example below configures a point-to-point link between two sites
accross an OpenVPN tunnel. Site-1 has tunnel end point 10.1.1.1 and
local network 192.168.0.0/24. Site-2 has tunnel end point 10.1.1.2
and local network 192.168.1.1/24. The sites connect their local
networks via the tunnel.

Site-1:
# cat << EOF > /etc/hostname.tun0
inet 10.1.1.1 255.255.255.255 NONE
dest 10.1.1.2
!/sbin/route add -host 10.1.1.1 127.0.0.1
!/sbin/route add -net 192.168.1.1/24 10.1.1.2
EOF

Site-2:
# cat << EOF > /etc/hostname.tun0
inet 10.1.1.2 255.255.255.255 NONE
dest 10.1.1.1
!/sbin/route add -host 10.1.1.2 127.0.0.1
!/sbin/route add -net 192.168.0.0/24 10.1.1.1
EOF

In this case, there is no need to configure an IP address on the tun
interface from the OpenVPN configuration file. The tun interface will
become active when OpenVPN starts using it.

A suitable OpenVPN configuration file for site-1 might look as follows:

  daemon
  dev tun0
  persist-tun
  proto udp
  local site-1.example.com
  remote site-2.example.com
  secret /etc/openvpn/secret.key
  ping 10
  ping-restart 60

Running OpenVPN in chroot
-------------------------
OpenVPN can run as an unprivileged user inside chroot when the
persist-tun, persist-key, and persist-local-ip options are used.
Note that persist-local-ip requires that OpenVPN is listening on an
interface with a static IP address. To chroot OpenVPN, use the following
as part of your configuration file:

  persist-tun
  persist-key
  persist-local-ip
  user _openvpn
  group _openvpn
  chroot /var/empty