Install /usr/ports/security/openvpn on the remote server (client) and the local server (server).
If you are going to have only a single remote system, then you can stick with the standard port 1194. If you are going to have multiple remote clients connecting back to a single, central hub system, you'll need a separate UDP port for each remote system.
On the client, edit /usr/local/etc/openvpn/openvpn.conf similar to:
Code:
# Device to use for the connection
dev tun0
# IP addresses for the tunnel (local remote)
ifconfig 10.x.x.1 10.x.x.2
# Other options for the tunnel device
tun-mtu 1500
# Remote IP and port to connect to
remote 1.1.1.1 1194
# Pre-shared key file
secret /usr/local/etc/openvpn/openvpn.key
# Run the daemon as a non-privileged user
user nobody
group nobody
daemon
# Keep the tun device open and the key loaded in RAM
persist-tun
persist-key
The ifconfig line configures the tun device, and gives each end of the tunnel a private IP. The remote line tells the OpenVPN daemon where to send the encrypted packets (the public IP of the hub server). The 1194 is the UDP port to be used for this connection.
On the local server, install OpenVPN and configure it similar to:
Code:
# Device to use for the connection
dev tun0
# IP addresses for the tunnel (local remote)
ifconfig 10.x.x.2 10.x.x.1
# Other options for the tunnel device
tun-mtu 1500
# Remote IP and port to connect to
remote 2.2.2.2 1194
# Pre-shared key file
secret /usr/local/etc/openvpn/openvpn.key
# Run the daemon as a non-privileged user
user nobody
group nobody
daemon
# Keep the tun device open and the key loaded in RAM
persist-tun
persist-key
Here, the ifconfig line is reversed, and the remote line has the public IP of the remote (client) system.
On one of the systems, run openvpn --genkey --secret /usr/local/etc/openvpn/openvpn.key to generate a pre-shared key. Copy that to /usr/local/etc/openvpn/openvpn.key on the other system as well, and chown the file to root:wheel and chmod it to 600 on both.
Add openvpn_enable="YES" to /etc/rc.conf on each system. Then run /usr/local/etc/rc.d/openvpn start to establish the connection.
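A little pre-flight script for the steps above (this is an added example, not something from the original post or from the OpenVPN project). It checks that the two openvpn.conf files really are mirror images of each other (client "ifconfig A B" against server "ifconfig B A", same UDP port on both remote lines, a secret line on each) and that openvpn.key is mode 600 and owned by the expected user. The tunnel addresses 10.8.0.1/10.8.0.2, the public IPs from 192.0.2.0/24 and the file names are constructed sample values; the script only uses sh, awk and ls, so it runs on the FreeBSD base system.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks to run on both
# hosts before starting the static-key tunnel described above.
#   check_pair      - client and server openvpn.conf must mirror each other:
#                     client "ifconfig A B" <-> server "ifconfig B A", the
#                     same UDP port on both "remote" lines, a "secret" on each.
#   check_key_perms - openvpn.key must be mode 0600 and owned by the expected
#                     user (root on the real hosts).
# All addresses, ports and paths below are constructed sample values.

# Print the arguments of the first occurrence of directive $2 in file $1.
conf_get() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 if $1 (client conf) and $2 (server conf) describe the same tunnel
# seen from opposite ends; otherwise print the reason on stderr and return 1.
check_pair() {
    client=$1; server=$2
    set -- $(conf_get "$client" ifconfig); c_local=$1; c_remote=$2
    set -- $(conf_get "$server" ifconfig); s_local=$1; s_remote=$2
    set -- $(conf_get "$client" remote);   c_host=$1;  c_port=${2:-1194}
    set -- $(conf_get "$server" remote);   s_host=$1;  s_port=${2:-1194}

    if [ -z "$c_local" ] || [ "$c_local" != "$s_remote" ] || [ "$c_remote" != "$s_local" ]; then
        echo "ifconfig mismatch: client '$c_local $c_remote' vs server '$s_local $s_remote'" >&2
        return 1
    fi
    if [ -z "$c_host" ] || [ -z "$s_host" ]; then
        echo "both configs need a 'remote' line" >&2
        return 1
    fi
    if [ "$c_port" != "$s_port" ]; then
        echo "UDP port mismatch: client $c_port vs server $s_port" >&2
        return 1
    fi
    if [ -z "$(conf_get "$client" secret)" ] || [ -z "$(conf_get "$server" secret)" ]; then
        echo "both configs need a 'secret' line (static key mode)" >&2
        return 1
    fi
    return 0
}

# Return 0 if key file $1 is mode 0600 and owned by $2 (default root).
check_key_perms() {
    key=$1; want_owner=${2:-root}
    [ -f "$key" ] || { echo "$key: missing" >&2; return 1; }
    set -- $(ls -l "$key")
    mode=$1; owner=$3
    case "$mode" in
        -rw-------*) ;;   # 0600; a trailing + or @ (ACL/xattr flag) is tolerated
        *) echo "$key: mode must be 0600 (got $mode)" >&2; return 1 ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
        echo "$key: owner must be $want_owner (got $owner)" >&2
        return 1
    fi
    return 0
}

# Write a constructed client/server pair into directory $1 for a self-test.
make_sample_confs() {
    cat > "$1/client.conf" <<'EOF'
dev tun0
ifconfig 10.8.0.1 10.8.0.2
tun-mtu 1500
remote 192.0.2.1 1194
secret /usr/local/etc/openvpn/openvpn.key
user nobody
group nobody
daemon
persist-tun
persist-key
EOF
    cat > "$1/server.conf" <<'EOF'
dev tun0
ifconfig 10.8.0.2 10.8.0.1
tun-mtu 1500
remote 192.0.2.2 1194
secret /usr/local/etc/openvpn/openvpn.key
user nobody
group nobody
daemon
persist-tun
persist-key
EOF
}

# Usage: sh check_tunnel.sh demo                         (self-test on sample configs)
#        sh check_tunnel.sh client.conf server.conf openvpn.key [owner]
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_sample_confs "$d"
    check_pair "$d/client.conf" "$d/server.conf" && echo "sample configs mirror each other"
    rm -r "$d"
elif [ $# -ge 3 ]; then
    check_pair "$1" "$2" && check_key_perms "$3" "${4:-root}" && echo "OK"
fi
```

Run it on the hub with a copy of the client's config next to the server's one; a swapped or mistyped ifconfig pair is the usual reason the tunnel comes up with no traffic flowing, and a world-readable key is the usual thing an audit turns up later.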
After that, you can either:
- add static routes that direct traffic through tun0, or
- use IPFW fwd rules to direct specific traffic through the tunnel
You should also be able to use pf rdr rules to do the same, but I have no experience with pf.
You need to allow UDP traffic on port 1194 between the two hosts, so there shouldn't be any problems with passing traffic through the PIX firewall.
And that's about it, for the simple case.