87 lines
2.7 KiB
Plaintext
87 lines
2.7 KiB
Plaintext
$OpenBSD: README,v 1.7 2018/12/07 18:31:33 danj Exp $
|
|
|
|
+-----------------------------------------------------------------------
|
|
| Running ${PKGSTEM} on OpenBSD
|
|
+-----------------------------------------------------------------------
|
|
|
|
Using the openvpn rc script
|
|
---------------------------
|
|
|
|
# rcctl enable openvpn
|
|
# rcctl set openvpn flags '--config /etc/openvpn/server.conf'
|
|
|
|
To handle multiple openvpn instances see EXAMPLES in rcctl(8).
|
|
|
|
Using an /etc/hostname.* file without persist-tun
|
|
-------------------------------------------------
|
|
OpenVPN normally re-creates the tun/tap interface at startup.
|
|
This has been reported to cause problems with some PF configurations
|
|
(especially with queueing), if you run into problems with this then
|
|
OpenVPN should be started from the hostname.* file, e.g.:
|
|
|
|
# cat << EOF > /etc/hostname.tun0
|
|
up
|
|
!LD_LIBRARY_PATH=${LOCALBASE}/lib:/usr/lib ${TRUEPREFIX}/sbin/openvpn \
|
|
--daemon --config ${SYSCONFDIR}/openvpn/server.conf
|
|
EOF
|
|
|
|
(Or use hostname.tap0 for a layer-2 connection).
|
|
|
|
Using an /etc/hostname.* file with persist-tun
|
|
----------------------------------------------
|
|
When the persist-tun option is used, the tun(4) or tap(4) interface can
|
|
be configured before OpenVPN is started, just like any other interface.
|
|
|
|
The example below configures a point-to-point link between two sites
|
|
accross an OpenVPN tunnel. Site-1 has tunnel end point 10.1.1.1 and
|
|
local network 192.168.0.0/24. Site-2 has tunnel end point 10.1.1.2
|
|
and local network 192.168.1.1/24. The sites connect their local
|
|
networks via the tunnel.
|
|
|
|
Site-1:
|
|
# cat << EOF > /etc/hostname.tun0
|
|
inet 10.1.1.1 255.255.255.255 NONE
|
|
dest 10.1.1.2
|
|
!/sbin/route add -host 10.1.1.1 127.0.0.1
|
|
!/sbin/route add -net 192.168.1.1/24 10.1.1.2
|
|
EOF
|
|
|
|
Site-2:
|
|
# cat << EOF > /etc/hostname.tun0
|
|
inet 10.1.1.2 255.255.255.255 NONE
|
|
dest 10.1.1.1
|
|
!/sbin/route add -host 10.1.1.2 127.0.0.1
|
|
!/sbin/route add -net 192.168.0.0/24 10.1.1.1
|
|
EOF
|
|
|
|
In this case, there is no need to configure an IP address on the tun
|
|
interface from the OpenVPN configuration file. The tun interface will
|
|
become active when OpenVPN starts using it.
|
|
|
|
A suitable OpenVPN configuration file for site-1 might look as follows:
|
|
|
|
daemon
|
|
dev tun0
|
|
persist-tun
|
|
proto udp
|
|
local site-1.example.com
|
|
remote site-2.example.com
|
|
secret /etc/openvpn/secret.key
|
|
ping 10
|
|
ping-restart 60
|
|
|
|
Running OpenVPN in chroot
|
|
-------------------------
|
|
OpenVPN can run as an unprivileged user inside chroot when the
|
|
persist-tun, persist-key, and persist-local-ip options are used.
|
|
Note that persist-local-ip requires that OpenVPN is listening on an
|
|
interface with a static IP address. To chroot OpenVPN, use the following
|
|
as part of your configuration file:
|
|
|
|
persist-tun
|
|
persist-key
|
|
persist-local-ip
|
|
user _openvpn
|
|
group _openvpn
|
|
chroot /var/empty
|