Setting up a router/firewall/VPN combo with OpenBSD 5.2 and OpenVPN 2.2.2
A reliable and secure VPN can be set up by installing OpenVPN on an OpenBSD server. What follows are instructions for configuring an OpenBSD 5.2 server to play the roles of firewall, router and OpenVPN 2.2.2 server. The system has two physical Ethernet interfaces, one for connecting to the outside world and the other for connecting to the protected internal network. Figure 1 shows the layout of the system described in this document.
Figure 1. Overview of the network and VPN configuration.
The particular IP addresses of your installation may be different from those shown in Figure 1. The key configuration parameters to be aware of and possibly change to fit your needs are listed in Table 1.
Name | Value | Description |
---|---|---|
External | ||
VPN server IP address | Not shown | IP address of the VPN as seen by the outside world (corresponds to the cable modem’s WAN IP address) |
DNS server 1 IP address | 209.18.47.61 | First DNS IP address provided to the cable modem |
DNS server 2 IP address | 209.18.47.62 | Second DNS IP address provided to the cable modem |
General | ||
Local domain | zeus.local | Pick a local domain name |
OpenBSD computer name | openvpn.zeus.local | Pick a name for the OpenBSD computer |
External network interface | ||
External Ethernet interface | rl0 | Assigned automatically by OpenBSD |
External subnet | 10.1.1.0/255.255.255.0 | IP and netmask of the external subnet |
External IP address | 10.1.1.5 | Static IP address of the external interface |
Internal network interface | ||
Internal Ethernet interface | em0 | Assigned automatically by OpenBSD |
Internal subnet | 10.4.4.0/255.255.255.0 | IP and netmask of the internal subnet |
Internal IP address | 10.4.4.1 | Static IP address of the internal interface |
DHCP IP address range | 10.4.4.100-10.4.4.250 | Range of addresses reserved for assignment via DHCP |
VPN | ||
VPN subnet | 10.8.0.0/255.255.255.0 | IP and netmask of the VPN subnet |
VPN gateway IP address | 10.8.0.1 | IP address of the VPN gateway |
There are a number of configuration files needed to build up the system. They are available in a GitHub repository and are described in Table 2; the paths are relative to the repository root.
File | Purpose |
---|---|
$/server/etc/sysctl.conf | Enables IP forwarding between network interfaces |
$/server/etc/rc.local | Starts OpenVPN as a daemon on boot |
$/server/etc/rc.conf.local | Enables packet filter and the DHCP server |
$/server/etc/pf.conf | Specifies routing and firewall rules |
$/server/etc/dhcpd.conf | Internal DHCP server settings |
$/server/etc/dhcpd.interfaces | Sets DHCP server to listen on internal network interface |
$/server/etc/resolv.conf | Lists domain name servers |
$/server/etc/openvpn/vars-fixed | OpenVPN utility script tweaked to work on OpenBSD |
$/server/etc/openvpn/server.conf | OpenVPN server configuration |
$/client/client.ovpn | OpenVPN client configuration |
Server configuration
- Install OpenBSD 5.2 on the VPN computer. Initially connect the external Ethernet interface to the cable modem so it can acquire a network connection via DHCP.
- Download the configuration files from Github:
cd /root
export PKG_PATH=ftp://ftp3.usa.openbsd.org/pub/OpenBSD/5.2/packages/`machine -a`/
pkg_add -v git-1.7.6p4.tgz
git clone --depth=1 https://github.com/sclaggett/OpenVPN.git
- Configure the external network interface with a static IP:
echo "inet 10.1.1.5 255.255.255.0 NONE" > /etc/hostname.rl0
- Configure the internal network interface with a static IP:
echo "inet 10.4.4.1 255.255.255.0 NONE" > /etc/hostname.em0
- Set the default gateway and restart networking:
echo "10.1.1.1" > /etc/mygate
sh /etc/netstart
- Edit the configuration files and replace the placeholders with the actual values for your network. The placeholders are the names from the Name column of Table 1 written in braces; for example, {External Ethernet interface} should be replaced with rl0. This step still needs clarification; it is confusing!
- Copy the configuration files from /root/OpenVPN/ to their corresponding locations on the file system, e.g. /root/OpenVPN/server/etc/pf.conf goes to /etc/pf.conf. Backing up the default files that came with your install is probably wise. Even better, manually merge the contents of the source files into the defaults so the system is configured just the way you want.
- Reboot the OpenBSD machine and check if everything is sane:
- Can the OpenBSD machine ping your internet gateway?
ping 10.1.1.1
- Can the OpenBSD machine resolve names and reach the internet?
ping www.google.com
- Can a machine plugged into the internal Ethernet port obtain an IP address via DHCP?
- Can the internal machine ping the OpenBSD machine?
ping 10.4.4.1
- Can the internal machine ping your internet gateway?
ping 10.1.1.1
- Can the internal machine resolve names and reach the internet?
ping www.google.com
- Install OpenVPN:
export PKG_PATH=ftp://ftp3.usa.openbsd.org/pub/OpenBSD/5.2/packages/`machine -a`/
sudo pkg_add -v openvpn-2.2.2p1.tgz
cp -R /usr/local/share/examples/openvpn/easy-rsa/2.0/* /etc/openvpn/
sudo pkg_add -v openvpn_bsdauth-7p0.tgz
- Create the root CA certificate and key:
cd /etc/openvpn
. ./vars-fixed
./clean-all
./build-ca
Answer the prompts as follows (adjust the values to your own organization):
Country: US
State: CA
Locality: LosAngeles
Organization name: Zeus
Unit name: .
Common name: openvpn.zeus.local
Name: OpenVPN-Zeus-RootCA
Email address: no@email.com
Then create the server certificate and key:
./build-key-server server
Country: US
State: CA
Locality: LosAngeles
Organization name: Zeus
Unit name: .
Common name: server
Name: OpenVPN-Zeus-Server
Email address: no@email.com
Challenge password: [blank]
Optional company name: [blank]
Sign certificate? y
Certified, commit? y
- Generate Diffie-Hellman parameters:
./build-dh
- Create a set of certificates for each client. For example, for a client named Zeus-Client1:
./build-key Zeus-Client1
Country: US
State: CA
Locality: LosAngeles
Organization name: Zeus
Unit name: .
Common name: Zeus-Client1
Name: Zeus-Client1
Email address: no@email.com
Challenge password: [blank]
Optional company name: [blank]
Sign certificate? y
Certified, commit? y
- Start the server on the command line manually to check that it starts successfully (press Ctrl-C to shut it down):
openvpn /etc/openvpn/server.conf
- Add VPN users to the system:
adduser
Answer the prompts as follows:
Default shell: nologin
Default login class: default
Default HOME partition: /home
Copy dotfiles: no
Welcome message: no
Prompt for passwords: y
Default encryption: auto
Username: sbc
Full name: Shane
Shell: nologin
Uid: [accept default]
Login group: _openvpnusers (the default offered is sbc)
Invite into other groups: no
Login class: default
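The placeholder-editing step above says what to replace but not how. The script below is an added example, not code from the original article or from the linked repository. It assumes the placeholders are spelled exactly like the Name column of Table 1 and wrapped in braces (e.g. {External Ethernet interface}), and that the repository's file names contain no whitespace. It fills every known placeholder with the Table 1 values and then reports, with line numbers, anything still shaped like {Some name}, so that an unknown placeholder cannot silently reach /etc.

```shell
#!/bin/sh
# Added example (not from the original repository): replace the {Name}
# placeholders in the downloaded configuration files with the values from
# Table 1. Assumption: placeholders use the Table 1 "Name" column in braces.

# Values from Table 1; change them to match your network.
EXTERNAL_IF="rl0"
INTERNAL_IF="em0"
EXTERNAL_IP="10.1.1.5"
INTERNAL_IP="10.4.4.1"
EXTERNAL_SUBNET="10.1.1.0/255.255.255.0"
INTERNAL_SUBNET="10.4.4.0/255.255.255.0"
VPN_SUBNET="10.8.0.0/255.255.255.0"
VPN_GATEWAY="10.8.0.1"
DHCP_RANGE="10.4.4.100-10.4.4.250"
LOCAL_DOMAIN="zeus.local"
HOST_NAME="openvpn.zeus.local"
DNS1="209.18.47.61"
DNS2="209.18.47.62"

# fill_placeholders FILE
# Rewrites FILE in place. Returns 0 when no brace token is left, 1 when
# something still shaped like {Some name} survives; those lines are printed
# with their line number so they can be reviewed by hand before the file is
# copied under /etc.
fill_placeholders() {
    f="$1"
    tmp="$f.tmp.$$"
    # '|' is the sed delimiter because the values contain '/'.
    sed \
        -e "s|{External Ethernet interface}|$EXTERNAL_IF|g" \
        -e "s|{Internal Ethernet interface}|$INTERNAL_IF|g" \
        -e "s|{External IP address}|$EXTERNAL_IP|g" \
        -e "s|{Internal IP address}|$INTERNAL_IP|g" \
        -e "s|{External subnet}|$EXTERNAL_SUBNET|g" \
        -e "s|{Internal subnet}|$INTERNAL_SUBNET|g" \
        -e "s|{VPN subnet}|$VPN_SUBNET|g" \
        -e "s|{VPN gateway IP address}|$VPN_GATEWAY|g" \
        -e "s|{DHCP IP address range}|$DHCP_RANGE|g" \
        -e "s|{Local domain}|$LOCAL_DOMAIN|g" \
        -e "s|{OpenBSD computer name}|$HOST_NAME|g" \
        -e "s|{DNS server 1 IP address}|$DNS1|g" \
        -e "s|{DNS server 2 IP address}|$DNS2|g" \
        "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$f"
    # Anything still shaped like {Some name} was not in the list above.
    if grep -n '{[A-Za-z][A-Za-z0-9 ]*}' "$f"; then
        echo "unfilled placeholders remain in $f" >&2
        return 1
    fi
    return 0
}

# fill_all DIR: process every file under DIR (file names without whitespace),
# e.g. fill_all /root/OpenVPN. Returns 1 if any file still has a placeholder.
fill_all() {
    rc=0
    for f in $(find "$1" -type f); do
        fill_placeholders "$f" || rc=1
    done
    return $rc
}
```

Run it as `. ./fill.sh; fill_all /root/OpenVPN` after cloning and before copying the files into place; a non-zero exit means at least one file still needs manual attention. Because pf.conf itself uses braces for lists, a line such as `{tcp udp}` will also be reported; that is intentional, since the cost of a leftover placeholder in the firewall rules is higher than a quick manual check.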
Client configuration