#6
Old 5th July 2008
phoenix
Risen from the ashes
Join Date: May 2008
Posts: 696

Install /usr/ports/security/openvpn on the remote server (client) and the local server (server).

If you are going to have only a single remote system, then you can stick with the standard port 1194. If you are going to have multiple remote clients connecting back to a single, central hub system, you'll need a separate UDP port for each remote system.

On the client, edit /usr/local/etc/openvpn/openvpn.conf similar to:
Code:
# Device to use for the connection
dev tun0

# IP addresses for the tunnel (local remote)
ifconfig 10.x.x.1 10.x.x.2

# Other options for the tunnel device
tun-mtu 1500

# Remote IP and port to connect to
remote 1.1.1.1 1194

# Pre-shared key file
secret /usr/local/etc/openvpn/openvpn.key

# Run the daemon as a non-privileged user
user nobody
group nobody
daemon

# Keep the tun device open and the key loaded in RAM
persist-tun
persist-key
The ifconfig line configures the tun device, and gives each end of the tunnel a private IP. The remote line tells the OpenVPN daemon where to send the encrypted packets (the public IP of the hub server). The 1194 is the UDP port to be used for this connection.

On the local server, install OpenVPN and configure it similar to:
Code:
# Device to use for the connection
dev tun0

# IP addresses for the tunnel (local remote)
ifconfig 10.x.x.2 10.x.x.1

# Other options for the tunnel device
tun-mtu 1500

# Remote IP and port to connect to
remote 2.2.2.2 1194

# Pre-shared key file
secret /usr/local/etc/openvpn/openvpn.key

# Run the daemon as a non-privileged user
user nobody
group nobody
daemon

# Keep the tun device open and the key loaded in RAM
persist-tun
persist-key
Here, the ifconfig line is reversed, and the remote line has the public IP of the remote (client) system.

On one of the systems, run openvpn -genkey to generate a pre-shared key. Copy that to /usr/local/etc/openvpn/openvpn.key on both systems, and chown the file to root:wheel and chmod it to 600.

Add openvpn_enable="YES" to /etc/rc.conf on each system. Then run /usr/local/etc/rc.d/openvpn start to establish the connection.

After that, you can either:
  • add static routes that direct traffic through tun0, or
  • use IPFW fwd rules to direct specific traffic through the tunnel
You should also be able to use pf rdr rules to do the same, but I have no experience with pf.

You need to allow UDP traffic on port 1194 between the two hosts, so there shouldn't be any problems with passing traffic through the PIX firewall.

And that's about it, for the simple case.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
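The procedure in the post above, scripted end to end as an added example. This is not the poster's code and not part of the OpenVPN port; the function names, the documentation addresses 203.0.113.10 (hub) and 198.51.100.20 (remote), and the tunnel pair 10.8.0.2/10.8.0.1 are all my placeholders. It goes slightly beyond the post's config by adding an explicit `port` line (so a hub can give each remote its own UDP port, as the post advises) and `cipher AES-256-CBC` / `auth SHA256`, since the post leans on the 2008-era defaults (BF-CBC, SHA1), which are weak and not enabled in current OpenSSL-backed builds. The key-generation fallback writes random bits in the static-key file layout only so the checks can be run on a box without OpenVPN; on the real hosts `openvpn --genkey` is used when present.

```shell
#!/bin/sh
# Added example, not the poster's code: scripts the static-key, point-to-point
# OpenVPN setup from the post on FreeBSD. Functions that touch the running
# system (rc.conf, ipfw, route) are gated on root; config and key handling
# work against any directory so it can be dry-run as an ordinary user.
# All addresses and file names below are assumed placeholders.
set -u

# write_p2p_conf FILE LOCAL_TUN_IP REMOTE_TUN_IP PEER_PUBLIC_IP UDP_PORT KEYFILE
# One end of the tunnel; the other end gets the tun addresses swapped and the
# other host's public IP. 'port', 'cipher' and 'auth' are additions to the
# post's config (see the lead-in); everything else mirrors it.
write_p2p_conf() {
    file=$1 local_ip=$2 remote_ip=$3 peer=$4 port=$5 key=$6
    cat > "$file" <<EOF
dev tun0
port $port
ifconfig $local_ip $remote_ip
tun-mtu 1500
remote $peer $port
secret $key
cipher AES-256-CBC
auth SHA256
user nobody
group nobody
daemon
persist-tun
persist-key
EOF
}

# gen_static_key FILE: the pre-shared key both ends load. Uses openvpn's own
# generator when present (2.5+ syntax first, then the older form); otherwise
# writes 2048 random bits in the same file layout (16 lines of 32 hex digits).
gen_static_key() {
    key=$1
    ( umask 077
      if command -v openvpn >/dev/null 2>&1; then
          openvpn --genkey secret "$key" 2>/dev/null || openvpn --genkey --secret "$key"
      else
          { printf '#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\n'
            od -v -An -tx1 -N256 /dev/urandom | tr -d ' \n' |
                awk '{ for (i = 1; i <= 512; i += 32) print substr($0, i, 32) }'
            printf -- '-----END OpenVPN Static key V1-----\n'; } > "$key"
      fi )
}

# key_is_private FILE: true only if the mode is exactly rw-------.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# key_is_wellformed FILE: both markers plus exactly 16 lines of 32 hex digits.
key_is_wellformed() {
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$1" &&
    grep -q '^-----END OpenVPN Static key V1-----$' "$1" &&
    [ "$(grep -c '^[0-9a-f]\{32\}$' "$1")" -eq 16 ]
}

# tunnel_ends_match CONF_A CONF_B: the ifconfig lines must mirror each other
# (A's local address is B's remote and vice versa) and the ports must agree.
tunnel_ends_match() {
    a=$(awk '$1 == "ifconfig" { print $2, $3 }' "$1")
    b=$(awk '$1 == "ifconfig" { print $3, $2 }' "$2")
    pa=$(awk '$1 == "port" { print $2 }' "$1")
    pb=$(awk '$1 == "port" { print $2 }' "$2")
    [ -n "$a" ] && [ "$a" = "$b" ] && [ -n "$pa" ] && [ "$pa" = "$pb" ]
}

# demo_pair DIR: build both ends in DIR (standing in for /usr/local/etc/openvpn
# on each host), generate and lock down the key (root:wheel, 600), run the checks.
demo_pair() {
    dir=$1
    mkdir -p "$dir"
    gen_static_key "$dir/openvpn.key"
    chmod 600 "$dir/openvpn.key"
    [ "$(id -u)" -eq 0 ] && chown 0:0 "$dir/openvpn.key"   # 0:0 is root:wheel on FreeBSD
    write_p2p_conf "$dir/hub.conf"    10.8.0.2 10.8.0.1 198.51.100.20 1194 "$dir/openvpn.key"
    write_p2p_conf "$dir/remote.conf" 10.8.0.1 10.8.0.2 203.0.113.10  1194 "$dir/openvpn.key"
    key_is_private "$dir/openvpn.key" &&
    key_is_wellformed "$dir/openvpn.key" &&
    tunnel_ends_match "$dir/hub.conf" "$dir/remote.conf"
}

# activate_end PEER_PUBLIC_IP UDP_PORT FAR_LAN FAR_TUN_IP: on the real host,
# enable at boot, let the peer's UDP port through ipfw, start the daemon and
# route the far LAN into the tunnel (the static-route option the post mentions).
activate_end() {
    peer=$1 port=$2 far_lan=$3 far_tun=$4
    [ "$(id -u)" -eq 0 ] || { echo "activate_end: needs root" >&2; return 1; }
    grep -q '^openvpn_enable=' /etc/rc.conf || printf 'openvpn_enable="YES"\n' >> /etc/rc.conf
    ipfw add allow udp from "$peer" to me "$port"
    ipfw add allow udp from me "$port" to "$peer"
    /usr/local/etc/rc.d/openvpn start
    route add -net "$far_lan" "$far_tun"
}

# Dry run as any user: sh openvpn-p2p.sh demo /tmp/ovpn-demo
case "${1:-}" in
    demo) demo_pair "${2:-/tmp/ovpn-demo}" && echo "configs and key checked in ${2:-/tmp/ovpn-demo}" ;;
esac
```

Run the dry run first; it leaves `hub.conf`, `remote.conf` and `openvpn.key` in the directory with the key at mode 600. Copy the matching conf to `/usr/local/etc/openvpn/openvpn.conf` on each host, copy the same key to both, then call `activate_end` as root with that host's peer address (on the hub: `activate_end 198.51.100.20 1194 192.168.20.0/24 10.8.0.1`, with the remote's LAN being an assumed value). For the hub-with-several-remotes case the post describes, give each remote its own conf, its own UDP port and its own key file; a single key shared by every remote would let any one of them impersonate the others, since static-key mode has no per-peer identity beyond the key itself.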