sclaggett

Setting up a router/firewall/VPN combo with OpenBSD 5.2 and OpenVPN 2.2.2

A reliable and secure VPN can be set up by installing OpenVPN on an OpenBSD server. What follows are instructions for configuring an OpenBSD 5.2 server to play the roles of firewall, router and OpenVPN 2.2.2 server. The system has two physical Ethernet interfaces, one for connecting to the outside world and the other for connecting to the protected internal network. Figure 1 shows the layout of the system described in this document.

Figure 1. Overview of the network and VPN configuration.

The particular IP addresses of your installation may be different from those shown in Figure 1. The key configuration parameters to be aware of and possibly change to fit your needs are listed in Table 1.

Table 1: Network configuration parameters.

| Name | Value | Description |
|------|-------|-------------|
| External | | |
| VPN server IP address | Not shown | IP address of the VPN as seen by the outside world (corresponds to the cable modem's WAN IP address) |
| DNS server 1 IP address | 209.18.47.61 | First DNS IP address provided to the cable modem |
| DNS server 2 IP address | 209.18.47.62 | Second DNS IP address provided to the cable modem |
| General | | |
| Local domain | zeus.local | Pick a local domain name |
| OpenBSD computer name | openvpn.zeus.local | Pick a name for the OpenBSD computer |
| External network interface | | |
| External Ethernet interface | rl0 | Assigned automatically by OpenBSD |
| External subnet | 10.1.1.0/255.255.255.0 | IP and netmask of the external subnet |
| External IP address | 10.1.1.5 | Static IP address of the external interface |
| Internal network interface | | |
| Internal Ethernet interface | em0 | Assigned automatically by OpenBSD |
| Internal subnet | 10.4.4.0/255.255.255.0 | IP and netmask of the internal subnet |
| Internal IP address | 10.4.4.1 | Static IP address of the internal interface |
| DHCP IP address range | 10.4.4.100-10.4.4.250 | Range of addresses reserved for assignment via DHCP |
| VPN | | |
| VPN subnet | 10.8.0.0/255.255.255.0 | IP and netmask of the VPN subnet |
| VPN gateway IP address | 10.8.0.1 | IP address of the VPN gateway |

There are a number of configuration files needed to build up the system. The files are accessible through a GitHub repository and are described in Table 2.

Table 2: Configuration files.

| File | Purpose |
|------|---------|
| $/server/etc/sysctl.conf | Enables IP forwarding between network interfaces |
| $/server/etc/rc.local | Starts OpenVPN as a daemon on boot |
| $/server/etc/rc.conf.local | Enables the packet filter and the DHCP server |
| $/server/etc/pf.conf | Specifies routing and firewall rules |
| $/server/etc/dhcpd.conf | Internal DHCP server settings |
| $/server/etc/dhcpd.interfaces | Sets the DHCP server to listen on the internal network interface |
| $/server/etc/resolv.conf | Lists domain name servers |
| $/server/etc/openvpn/vars-fixed | OpenVPN utility script tweaked to work on OpenBSD |
| $/server/etc/openvpn/server.conf | OpenVPN server configuration |
| $/client/client.ovpn | OpenVPN client configuration |

Server configuration

  1. Install OpenBSD 5.2 on the VPN computer. Initially connect the external Ethernet interface to the cable modem so it can acquire a network connection via DHCP.
  2. Download the configuration files from Github:
    cd /root
    export PKG_PATH=ftp://ftp3.usa.openbsd.org/pub/OpenBSD/5.2/packages/`machine -a`/
    pkg_add -v git-1.7.6p4.tgz
    git clone --depth=1 https://github.com/sclaggett/OpenVPN.git
  3. Configure the external network interface with a static IP:
    echo "inet 10.1.1.5 255.255.255.0 NONE" > /etc/hostname.rl0
  4. Configure the internal network interface with a static IP:
    echo "inet 10.4.4.1 255.255.255.0 NONE" > /etc/hostname.em0
  5. Set the default gateway and restart networking:
    echo "10.1.1.1" > /etc/mygate
    sh /etc/netstart
  6. Edit the configuration files and replace the placeholders with the actual values for your network; for example, {External Ethernet interface} should be replaced with rl0. Clarification is needed here; it's confusing!
  7. Copy the configuration files from /root/OpenVPN/ to their corresponding locations on the file system, e.g. /root/OpenVPN/server/etc/pf.conf goes to /etc/pf.conf. Backing up the default files that came with your install is probably wise. Even better, manually merge the contents of the source files into the defaults so the system is configured just the way you want.
  8. Reboot the OpenBSD machine and check if everything is sane:
    1. Can the OpenBSD machine ping your internet gateway?
      ping 10.1.1.1
    2. Can the OpenBSD machine resolve names and reach the internet?
      ping www.google.com
    3. Can a machine plugged into the internal Ethernet port obtain an IP address via DHCP?
    4. Can the internal machine ping the OpenBSD machine?
      ping 10.4.4.1
    5. Can the internal machine ping your internet gateway?
      ping 10.1.1.1
    6. Can the internal machine resolve names and reach the internet?
      ping www.google.com
  9. Install OpenVPN:
    export PKG_PATH=ftp://ftp3.usa.openbsd.org/pub/OpenBSD/5.2/packages/`machine -a`/
    sudo pkg_add -v openvpn-2.2.2p1.tgz
    cp -R /usr/local/share/examples/openvpn/easy-rsa/2.0/* /etc/openvpn/
    sudo pkg_add -v openvpn_bsdauth-7p0.tgz
  10. Create the root CA certificate and the server certificate:

    cd /etc/openvpn
    . ./vars-fixed
    ./clean-all
    ./build-ca

    Country US
    State CA
    Locality LosAngeles
    Organization name Zeus
    Unit name .
    Common name openvpn.zeus.local
    Name OpenVPN-Zeus-RootCA
    Email address no@email.com

    ./build-key-server server

    Country US
    State CA
    Locality LosAngeles
    Organization name Zeus
    Unit name .
    Common name server
    Name OpenVPN-Zeus-Server
    Email address no@email.com
    Challenge password [blank]
    Optional company name [blank]
    Sign certificate? y
    Certified, commit? y
  11. Generate Diffie-Hellman parameters:
    ./build-dh
  12. Create a set of certificates for each client. For example, for a client named Zeus-Client1:

    ./build-key Zeus-Client1

    Country US
    State CA
    Locality LosAngeles
    Organization name Zeus
    Unit name .
    Common name Zeus-Client1
    Name Zeus-Client1
    Email address no@email.com
    Challenge password [blank]
    Optional company name [blank]
    Sign certificate? y
    Certified, commit? y
  13. Start the server manually on the command line to check that it starts successfully (press Ctrl-C to shut it down):
    openvpn /etc/openvpn/server.conf
  14. Add VPN users to the system:

    adduser

    Default shell nologin
    Default login class default
    Default HOME partition /home
    Copy dotfiles no
    Welcome message no
    Prompt for passwords y
    Default encryption auto

    Username sbc
    Full name Shane
    Shell nologin
    Uid [accept default]
    Login group sbc _openvpnusers
    Invite into other groups no
    Login class default
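
The placeholder substitution of step 6, as an added example that is not part of the original page or the sclaggett/OpenVPN repository: a POSIX sh helper that fills the {Name} markers with Table 1 values and reports any marker that was missed. Only {External Ethernet interface} is named above; the other marker names, the pf.conf-style sample template and the VPN port (1194, OpenVPN's default) are assumptions.

```shell
#!/bin/sh
# Added example, not a file from the OpenVPN repository: fill the {Placeholder}
# markers in the configuration files with the Table 1 values (step 6) and
# report any marker that was missed. Only {External Ethernet interface} is
# named on the page; the other marker names are assumed from Table 1's rows.

# render_template NAME=VALUE ...: read a template on stdin, write the filled-in
# text on stdout. Marker names may contain spaces, exactly as in Table 1.
render_template() {
    script=""
    for pair in "$@"; do
        name=${pair%%=*}
        value=${pair#*=}
        # '/' and '&' are special in a sed replacement (think 10.4.4.0/24)
        value=$(printf '%s' "$value" | sed 's|[/&]|\\&|g')
        script="${script}s/{$name}/$value/g;"
    done
    sed "$script"
}

# check_no_placeholders: exit 0 if stdin contains no {Name} marker, otherwise
# list the leftovers on stderr and exit 1. pf's own "{ a, b }" lists are not
# matched because a marker must have a letter directly after the brace.
check_no_placeholders() {
    left=$(grep -o '{[A-Za-z][A-Za-z ]*}' | sort -u)
    [ -z "$left" ] && return 0
    printf '%s\n' "$left" | sed 's/^/unfilled placeholder: /' >&2
    return 1
}

# Constructed pf.conf-style template (not the repository's pf.conf).
SAMPLE_TEMPLATE='ext_if = "{External Ethernet interface}"
int_if = "{Internal Ethernet interface}"
int_net = "{Internal subnet}"
vpn_net = "{VPN subnet}"
match out on $ext_if inet from { $int_net, $vpn_net } to any nat-to ($ext_if)
pass in on $ext_if inet proto udp to ($ext_if) port {VPN port}
pass in on $int_if inet from $int_net'

# render_sample: fill everything except {VPN port}, so the check has a miss
# to catch.
render_sample() {
    printf '%s\n' "$SAMPLE_TEMPLATE" | render_template \
        "External Ethernet interface=rl0" \
        "Internal Ethernet interface=em0" \
        "Internal subnet=10.4.4.0/24" \
        "VPN subnet=10.8.0.0/24"
}

# Usage: render_sample | check_no_placeholders   (fails: {VPN port} is unfilled)
```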

Client configuration
