
OpenBSD: OpenVPN Server Installation
July 17, 2011

Operating System: OpenBSD
Platform: x86_64
Applications: OpenVPN

I. Abstract

This document describes the process of setting up an OpenVPN server on OpenBSD. We will also cover setting up an OpenVPN client on a Red Hat Enterprise Linux system.

Test Platform:

  • IBM xSeries 345 (w/ 2 Gigabit NICs)
  • 2x Intel XEON 2.66GHz CPUs / 3GB RAM
  • OpenBSD 4.9 (i386)

Keep in mind that this document does not cover hardening the system. That process is outlined in other documents by me or others. This machine needs to be well protected. It may be in a very vulnerable position, facing that filthy and scary Internet.

You will need root access to do most of these tasks.


II. Install and Setup the Operating Environment

I won't go into great detail for installing the operating system - you should have an idea of what you are doing.

When selecting the installation sets, stick with the defaults, but remove the game set. Normally, this is where I'd say to remove the x sets as well, but some braintrust on the OpenBSD team has made it mandatory to have X11 installed to use the ports system. Is OpenBSD drifting away from "secure by default?"

During installation of the OS, say yes when asked to start sshd by default, yes when asked to start ntpd by default and no when asked if you expect to run the X Window System.

If you are using an SMP (multi-processor) system, be sure to keep the bsd.mp kernel selected. OpenBSD now has a feature where it will automatically replace the stock bsd kernel after installation (you don't have to manually move /bsd.mp over /bsd after the first boot anymore).

When the installation is finished, remove the install media (CD, floppy, whatever) and reboot!

Now we need to fetch the ports tree. FYI, this could take a while:

# cd /usr
# cvs -qd anoncvs@mirror.planetunix.net:/cvs get -r OPENBSD_4_9 -P ports

And now the latest OpenBSD 4.9 ports tree is on your system and ready to use.


III. Install and Configure OpenVPN

We will install OpenVPN from the ports tree. One cool thing about this is that now the tun0 VPN interface is created for us, as well!

# cd /usr/ports/net/openvpn
# make install clean

That's it for the software!


IV. Generate Your Own Certificate Authority (CA), Create Keys and Certificates

For this step, I will set up my own Certificate Authority using the easy-rsa scripts provided with the OpenVPN installation:

# mkdir /etc/openvpn
# cd /etc/openvpn
# mkdir easy-rsa
# cd easy-rsa
# cp -R /usr/local/share/examples/openvpn/examples/easy-rsa/2.0/* .

Edit the /etc/openvpn/easy-rsa/vars file and change these lines at the bottom so that they reflect your new CA:

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

Set up the CA and create the first server certificate (while in the /etc/openvpn/easy-rsa directory):

# chmod g+w .
# . ./vars     (execute your new vars file - you will get an error, ignore it)
# ./clean-all     (prepare the easy-rsa directory)
# ./build-dh
# ./pkitool --initca     (creates CA certificate and key)
# ./pkitool --server server     (creates a server certificate and key)
# cd keys
# openvpn --genkey --secret ta.key ## Build a TLS key
# cp server.crt server.key ca.crt dh1024.pem ta.key ../../


V. Create Keys and Certificates

Generate Server Key and Certificate Signing Request (CSR)

Now we create the server's private key and a certificate signing request (the .csr file) asking a Certificate Authority (yourself) to sign it:

# openssl genrsa -aes256 -out server.key 2048
# openssl req -new -key server.key -out server.csr

Sign the CSR with the CA

# openssl x509 -req -days 1000 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

Generate Keys, Create and Sign User Certificates

Do the following for each user (or endpoint) of the VPN server:

# openssl genrsa -aes256 -out randy.key 2048
# openssl req -new -key randy.key -out randy.csr
# openssl x509 -req -days 1000 -in randy.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out randy.crt

OpenVPN's TLS handshake uses the Diffie-Hellman protocol to negotiate session keys. We need to generate a set of DH parameters to facilitate this, stored in a file called dh1024.pem. This file only needs to exist on the OpenVPN server. We will also create the tls-auth key, which both the server and client(s) will need.

# cd /etc/openvpn
# openssl dhparam -out dh1024.pem 1024
# openvpn --genkey --secret ta.key


VI. Configure and Start OpenVPN

server.conf

As for the server and client configurations, I will show you an example of how I did mine. Your needs will likely differ, so review this how-to for more detail on this and other processes.

This is my server.conf file, which is placed in the /etc/openvpn directory:

port 1194
proto udp
dev tun0
ca /etc/openvpn/ca/ca.crt
cert /etc/openvpn/ca/server.crt
key /etc/openvpn/ca/server.key
dh /etc/openvpn/dh1024.pem
server 192.168.8.0 255.255.255.192
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
max-clients 8
status /etc/openvpn/vpn-status.log
verb 4
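
The server.conf above, run through a small lint that parses OpenVPN's directive syntax and flags what a reviewer would raise against it today: the 1024-bit DH file, compression of tunnelled traffic, the missing user/group privilege drop, and the relative ta.key path that only resolves when the daemon is started from /etc/openvpn (or given a cd directive). This is an added example, not code from the original how-to, and the thresholds are the example's own choices rather than anything OpenVPN enforces.

```python
# Added example, not code from the original how-to: lint the server.conf
# shown above. SERVER_CONF copies the page's config; the checks reflect
# current practice (2048-bit DH, privilege drop), not 2011 defaults.
import re
SERVER_CONF = """\
port 1194
proto udp
dev tun0
ca /etc/openvpn/ca/ca.crt
cert /etc/openvpn/ca/server.crt
key /etc/openvpn/ca/server.key
dh /etc/openvpn/dh1024.pem
server 192.168.8.0 255.255.255.192
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
max-clients 8
status /etc/openvpn/vpn-status.log
verb 4
"""

def parse_conf(text):
    # One directive per line, arguments whitespace-separated; '#' and ';' begin comments.
    conf = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf

def lint(conf):
    # Returns 'directive: problem' strings; an empty list means no findings.
    out = []
    m = re.search(r"dh(\d+)\.pem$", conf.get("dh", [""])[0])
    if m and int(m.group(1)) < 2048:
        out.append("dh: %s-bit parameters, regenerate with 2048 bits or more" % m.group(1))
    if "tls-auth" not in conf:
        out.append("tls-auth: missing, control channel has no HMAC protection")
    if "comp-lzo" in conf:
        out.append("comp-lzo: compresses tunnelled plaintext, disable it")
    for d in ("user", "group"):
        if d not in conf:
            out.append("%s: not set, openvpn keeps root after startup" % d)
    # Relative paths resolve against the daemon's cwd unless 'cd' is given.
    for d in ("ca", "cert", "key", "dh", "tls-auth"):
        path = conf.get(d, [""])[0]
        if "cd" not in conf and path and not path.startswith("/"):
            out.append("%s: relative path %r but no 'cd' directive" % (d, path))
    return out
```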

OpenBSD Parameters

Before starting the VPN, we have to enable IP forwarding:

# sysctl net.inet.ip.forwarding=1

To make this permanent, uncomment this line in the /etc/sysctl.conf file:

#net.inet.ip.forwarding=1     # 1=Permit forwarding (routing) of IPv4 packets

Start It!

# openvpn --config /etc/openvpn/server.conf


VII. Configure Client (RHEL 6.1)



VIII. Helpful Links



© 2001-2016 Procyon Labs / Randal T. Rioux