OpenVPN
Revision as of 04:04, 30 April 2007
OpenVPN is a very useful open source, cross platform Virtual Private Networking tool. It uses SSL encryption (dynamic or 2048-bit static shared key), can use LZO stream compression, and is blindingly fast as well as much more secure compared to typical industry standard IPSEC + DES or IPSEC + 3DES solutions. Better yet, it's so simple it can be run entirely from the command line.
Installing
To build it on a FreeBSD machine, just:
cd /usr/ports/security/openvpn
make install clean
It's that easy. Actually doing anything with it will require a little more work. There are many, MANY ways to do this, but this one's useful, simple, and clean.
First, generate yourself a private key file and chmod it so that only its owner can read it:
ph34r# openvpn --genkey --secret /usr/local/etc/openvpn.key
ph34r# chmod 400 /usr/local/etc/openvpn.key
Starting OpenVPN
Now you'll need a command to start it with. It can be done purely from the command line - and in fact, in one sense, that's exactly what we're going to do - but to make our lives a little easier, we'll actually use command line stuff from a shell script in /usr/local/etc/rc.d. So place this - or something similar - in your /usr/local/etc/rc.d:
#!/bin/sh

case "$1" in
  start)
    # VPN subnets are contained in 10.10.x.x / 255.255.0.0
    # port range forwarded through the router is 4900-4982

    # first make sure the TAP module is loaded
    kldload if_tap

    # now ensure IP forwarding is enabled
    /sbin/sysctl -w net.inet.ip.forwarding=1

    # Now, make sure there are enough tun* / tap* devices in /dev
    cd /dev
    /bin/sh MAKEDEV tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9

    # Finally, open up for business.
    # A tunnel numbered [x] is configured as follows:
    # device tun[x], port (4900 + [x]), network 10.10.(10 + [x])
    # Client machine is always .2, server is always .1

    # note - ping-restart on server end with disconnected clients
    # seems to be the problem resulting in exhausted mbufs. Trying
    # ping-restart on client end only and hoping for the best.

    # 0. Server side - dynamic VPN
    /usr/local/sbin/openvpn \
      --dev tap0 --port 4900 --ifconfig 10.10.10.1 255.255.255.252 \
      --tun-mtu 1500 --tun-mtu-extra 32 --mssfix 1450 --key-method 2 \
      --secret /usr/local/etc/openvpn.key --ping 1 &

    # # 1a. Client side - persistent VPN
    # /usr/local/sbin/openvpn \
    #   --dev tap1 \
    #   --remote ip_or_hostname.to.connect.to \
    #   --secret /usr/local/etc/openvpn.key \
    #   --key-method 2 \
    #   --port 4901 \
    #   --ifconfig 10.10.11.2 255.255.255.252 \
    #   --route 192.168.1.0 255.255.255.0 10.10.11.1 \
    #   --tun-mtu 1500 --tun-mtu-extra 32 \
    #   --fragment 1300 --mssfix \
    #   --persist-tun --persist-key --resolv-retry 86400 \
    #   --ping 10 --ping-restart 15 \
    #   --verb 4 --mute 10 &

    # 1b. Server side - persistent VPN
    /usr/local/sbin/openvpn \
      --dev tap1 \
      --secret /usr/local/etc/openvpn.key \
      --key-method 2 \
      --port 4901 \
      --ifconfig 10.10.11.1 255.255.255.252 \
      --route 192.168.1.0 255.255.255.0 10.10.11.2 \
      --tun-mtu 1500 --tun-mtu-extra 32 \
      --fragment 1300 --mssfix \
      --persist-tun --persist-key --resolv-retry 86400 \
      --ping 10 --ping-restart 15 \
      --verb 4 --mute 10 &

    # end section
    ;;
  stop)
    killall openvpn
    ;;
  *)
    echo "Usage: `basename $0` {start|stop}" >&2
    ;;
esac

exit 0
Don't forget to chmod 755 /usr/local/etc/rc.d/openvpn.sh to make sure you can execute it.
What you've got there is a setup (which can be started up or stopped like any other rc.d script - /usr/local/etc/rc.d/openvpn.sh start or stop) which provides for two tunnels - one coming from a Windows machine, probably a laptop or something (labeled "dynamic VPN"; more on that in a minute) and one (labeled "persistent VPN") from another BSD or other *nix machine.
All we'll do on the other *nix box is copy over the openvpn.key we created on this machine, copy over this same script, comment out the:
- # 1b. Server side - persistent VPN section
- uncomment the # 1a. Client side - persistent VPN side
- and fire it up.
Once the scripts have been started on both machines (obviously you'll need a routeable IP address for at least the machine on the "server" side), presto, you've got a tunnel!
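As an added helper (not part of the original article or its rc.d script), the functions below turn the numbering scheme the script's comments describe (device tap[x], port 4900 + [x], network 10.10.(10 + [x]), server .1, client .2) into the matching openvpn command line for either end of a persistent tunnel, and check that the shared key is owner-only readable as the chmod 400 step requires. The tunnel-index limit of 82 (derived from the forwarded port range 4900-4982) and the peer name vpn.example.org are assumptions.

```shell
#!/bin/sh
# Added example: derive per-tunnel parameters from the tunnel number [x].
tunnel_dev()       { echo "tap$1"; }
tunnel_port()      { echo $((4900 + $1)); }
tunnel_net()       { echo "10.10.$((10 + $1))"; }
tunnel_server_ip() { echo "$(tunnel_net "$1").1"; }
tunnel_client_ip() { echo "$(tunnel_net "$1").2"; }

# check_tunnel_index X: only ports 4900-4982 are forwarded through the
# router, so accept only the integers 0..82 (assumed limit).
check_tunnel_index() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 0 ] && [ "$1" -le 82 ]
}

# key_mode_ok FILE: the static key must be readable by its owner only
# (mode 400, or 600 if it still needs to be writable). ls -l output is
# parsed because its format is the same on BSD and GNU systems.
key_mode_ok() {
  perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
  [ -n "$perms" ] || return 1
  case "$perms" in
    -r--------|-rw-------) return 0 ;;
    *) return 1 ;;
  esac
}

# tunnel_cmd ROLE X [REMOTE]: print the openvpn command line for tunnel X.
# ROLE is "server" or "client"; the client needs REMOTE (the server's
# address). The route to 192.168.1.0/24 via the peer's tunnel address
# follows the persistent-VPN entries in the rc.d script.
tunnel_cmd() {
  role=$1; x=$2; remote=$3
  check_tunnel_index "$x" || { echo "bad tunnel index: $x" >&2; return 1; }
  case "$role" in
    server) me=$(tunnel_server_ip "$x"); peer=$(tunnel_client_ip "$x"); rem="" ;;
    client) [ -n "$remote" ] || { echo "client needs REMOTE" >&2; return 1; }
            me=$(tunnel_client_ip "$x"); peer=$(tunnel_server_ip "$x")
            rem="--remote $remote " ;;
    *) echo "role must be server or client" >&2; return 1 ;;
  esac
  printf '/usr/local/sbin/openvpn --dev %s --port %s %s--ifconfig %s 255.255.255.252 --secret /usr/local/etc/openvpn.key --key-method 2 --route 192.168.1.0 255.255.255.0 %s\n' \
    "$(tunnel_dev "$x")" "$(tunnel_port "$x")" "$rem" "$me" "$peer"
}
```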
Obviously this article is unfinished, but work beckons. More later.