OpenVPN
(reverted to older version)
Line 1: | Line 1: | ||
− | [http://openvpn.sourceforge.net OpenVPN] is a very useful open source, cross platform Virtual Private Networking tool. It uses SSL encryption (dynamic or 2048-bit static shared key), can use LZO stream compression, and is blindingly fast as well as much more secure compared to typical industry standard IPSEC | + | [http://openvpn.sourceforge.net OpenVPN] is a very useful open source, cross platform Virtual Private Networking tool. It uses SSL encryption (dynamic or 2048-bit static shared key), can use LZO stream compression, and is blindingly fast as well as much more secure compared to typical industry standard IPSEC DES or IPSEC 3DES solutions. Better yet, it's so simple it can be run entirely from the command line. |
==Installing== | ==Installing== | ||
Line 36: | Line 36: | ||
# Finally, open up for business. | # Finally, open up for business. | ||
# A tunnel numbered [x] is configured as follows: | # A tunnel numbered [x] is configured as follows: | ||
− | # device tun[x], port (4900 | + | # device tun[x], port (4900 [x]), network 10.10.(10 [x]) |
# Client machine is always .2, server is always .1 | # Client machine is always .2, server is always .1 | ||
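Review bot: the restored comment "device tun[x], port (4900 [x]), network 10.10.(10 [x])" disagrees with the command under Line 47, which configures --dev tap0 (and the script loads if_tap), so it should read "device tap[x]"; the "+" signs have also been lost in rendering and the line is clearer as "port (4900+[x]), network 10.10.(10+[x])".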
Line 47: | Line 47: | ||
--dev tap0 --port 4900 --ifconfig 10.10.10.1 255.255.255.252 \ | --dev tap0 --port 4900 --ifconfig 10.10.10.1 255.255.255.252 \ | ||
--tun-mtu 1500 --tun-mtu-extra 32 --mssfix 1450 --key-method 2 \ | --tun-mtu 1500 --tun-mtu-extra 32 --mssfix 1450 --key-method 2 \ | ||
− | --secret /usr/local/etc/openvpn.key --ping 1 | + | --secret /usr/local/etc/openvpn.key --ping 1 |
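Review bot: --key-method 2 on the restored Line 47 command has no effect here, because --key-method is a TLS-mode option and this tunnel uses a static shared key via --secret; dropping it avoids implying TLS-style key negotiation is in use. The same command starts openvpn in the foreground (no --daemon), so the rc.d start case will not return while the tunnel is up.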
Revision as of 16:24, 12 April 2007
OpenVPN is a very useful open source, cross platform Virtual Private Networking tool. It uses SSL encryption (dynamic or 2048-bit static shared key), can use LZO stream compression, and is blindingly fast as well as much more secure compared to typical industry standard IPSEC DES or IPSEC 3DES solutions. Better yet, it's so simple it can be run entirely from the command line.
Installing
To build it on a FreeBSD machine, just:
 cd /usr/ports/security/openvpn
 make install clean
it's that easy. Actually doing anything with it will require a little more work. There are many MANY ways to do this, but this one's useful, simple, and clean.
First, generate yourself a private key file and chmod it so that only its owner can read it:
 ph34r# openvpn --genkey --secret /usr/local/etc/openvpn.key
 ph34r# chmod 400 /usr/local/etc/openvpn.key
Starting OpenVPN
Now you'll need a command to start it with. It can be done purely from the command line - and in fact, in one sense, that's exactly what we're going to do - but to make our lives a little easier, we'll actually use command line stuff from a shell script in /usr/local/etc/rc.d. So place this - or something similar - in your /usr/local/etc/rc.d:
 #!/bin/sh
 case "$1" in
 start)
     # VPN subnets are contained in 10.10.x.x / 255.255.0.0
     # port range forwarded through the router is 4900-4982
     # first make sure the TAP module is loaded
     kldload if_tap
     # now ensure IP forwarding is enabled
     /sbin/sysctl -w net.inet.ip.forwarding=1
     # Now, make sure there are enough tun* / tap* devices in /dev
     cd /dev
     /bin/sh MAKEDEV tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9
     # Finally, open up for business.
     # A tunnel numbered [x] is configured as follows:
     # device tun[x], port (4900+[x]), network 10.10.(10+[x])
     # Client machine is always .2, server is always .1
     # note - ping-restart on server end with disconnected clients
     # seems to be the problem resulting in exhausted mbufs. Trying
     # ping-restart on client end only and hoping for the best.
     # 0. Server side - dynamic VPN
     /usr/local/sbin/openvpn \
         --dev tap0 --port 4900 --ifconfig 10.10.10.1 255.255.255.252 \
         --tun-mtu 1500 --tun-mtu-extra 32 --mssfix 1450 --key-method 2 \
         --secret /usr/local/etc/openvpn.key --ping 1
     ;;
 esac
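The tunnel-numbering scheme in the script's comments (tap[x], port 4900+[x], subnet 10.10.(10+[x]).0/30, server end .1, client end .2) can be turned into a small sh function that prints the argument list for tunnel [x] on either end, so additional tunnels are derived from the number instead of hand-edited. This is an added example, not code from the wiki page or the OpenVPN project. It assumes the key path and MTU options from the page's server command, accepts tunnel numbers 0 to 82 to stay inside the forwarded port range 4900-4982 the comments mention, and leaves out --key-method 2, which is a TLS-mode option with no role in static-key (--secret) mode.

```shell
#!/bin/sh
# Added example (not from the wiki page): derive the per-tunnel OpenVPN
# arguments from the tunnel number [x] using the page's scheme:
#   device tap[x], port 4900+[x], subnet 10.10.(10+[x]).0/30,
#   server end .1, client end .2.
# Assumed from the page's server command: key path and MTU settings.

KEYFILE=/usr/local/etc/openvpn.key
MTU_OPTS="--tun-mtu 1500 --tun-mtu-extra 32 --mssfix 1450"

# tunnel_args X ROLE
#   Print the openvpn argument list for tunnel X. X must be 0-82 so the
#   port lands in the forwarded range 4900-4982 named in the script's
#   comments. ROLE is "server" (local address .1) or "client" (local
#   address .2). Returns 1 on bad input so a caller running under
#   'set -e' stops rather than starting a tunnel on an unforwarded port.
tunnel_args() {
    x=$1
    role=${2:-server}
    # Accept 0-99 without leading zeros (leading zeros would be read as
    # octal by $(( ))), then enforce the 0-82 port window.
    case "$x" in
        0|[1-9]|[1-9][0-9]) ;;
        *)
            echo "tunnel_args: tunnel number must be an integer 0-82" >&2
            return 1 ;;
    esac
    if [ "$x" -gt 82 ]; then
        echo "tunnel_args: port $((4900 + x)) is outside 4900-4982" >&2
        return 1
    fi
    port=$((4900 + x))
    net=$((10 + x))
    case "$role" in
        server) local_ip="10.10.$net.1" ;;
        client) local_ip="10.10.$net.2" ;;
        *)
            echo "tunnel_args: role must be server or client" >&2
            return 1 ;;
    esac
    printf '%s\n' "--dev tap$x --port $port --ifconfig $local_ip 255.255.255.252 $MTU_OPTS --secret $KEYFILE --ping 1"
}

# Demonstration: print the start commands for tunnels 0-2 on the server.
# Tunnel 0 reproduces the page's own server command (minus --key-method).
for x in 0 1 2; do
    echo "/usr/local/sbin/openvpn $(tunnel_args "$x" server)"
done
```

On the client machine the same function with role "client" yields the matching end of the tunnel (local .2 instead of .1); the page's MAKEDEV line only creates tap0 through tap9, so higher tunnel numbers also need the corresponding tap device created.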