How to OpenVPN on OpenBSD as Layer2 VPN

Getting OpenVPN running on a recent OpenBSD pretty simple. I run OpenVPN 2.1 on OpenBSD-current as of 2010/03/10 (almost 4.7) with PSK as a layer2 VPN. Layer2 because I have some zeroconf/bonjour stuff running at my LAN and I want to connect to my iTunes shares through the VPN. I’ll make it very short: Install OpenVPN from packages (or ports if you want to), configure a bridge, create a PSK and create a simple config file.

1
2
3
4
pkg_add http://ftp.openbsd.org/pub/OpenBSD/4.7/packages/amd64/openvpn-2.1.0.tgz
ifconfig tun0 create
ifconfig bridge0 create add fxp0 tun0
openvpn --genkey --secret /etc/openvpn/server.key

Paste this to /etc/openvpn/server.conf:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
proto tcp-server
port 1194
dev tun0
dev-type tap
secret /etc/openvpn/server.key
push "route 10.1.0.0 255.255.0.0 10.1.16.1"
persist-key
persist-tun
ping-timer-rem
keepalive 10 60
user _openvpn 
group _openvpn

To make OpenVPN start on boot create /etc/hostname.bridge0 with:

1
2
3
add fxp0 
add tun0
up

And /etc/hostname.tun0 with: (I had to set link0 to get it working)

1
2
up link0
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf

That’s it. You can reboot to test if it’s working or just run OpenVPN with

1
/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf

A simple client configuration would look like:

1
2
3
4
5
6
7
8
proto tcp-client
dev tap
remote you.example.org 1194
secret ./your.key
persist-key
persist-tun
ping-timer-rem
keepalive 10 60
Hint: Use DynDNS or something similar to use OpenVPN with a dynamically assigned IP-Address.