Getting OpenVPN running on a recent OpenBSD is pretty simple. I run OpenVPN 2.1 on OpenBSD-current as of 2010/03/10 (almost 4.7) with a pre-shared static key as a layer 2 VPN. Layer 2 because I have some zeroconf/Bonjour stuff running on my LAN and I want to reach my iTunes shares through the VPN; mDNS is link-local multicast, so it crosses a bridged tunnel but not a routed one. Static key mode is the simplest OpenVPN setup, but it has caveats: exactly one client per server instance, the same key on both ends (copy it over a secure channel and keep it readable by root only), and no forward secrecy, so anyone who gets hold of the key file can decrypt recorded traffic. I'll make it very short: install OpenVPN from packages (or ports if you want to), configure a bridge, create a static key and write a simple config file.
pkg_add http://ftp.openbsd.org/pub/OpenBSD/4.7/packages/amd64/openvpn-2.1.0.tgz
link0 switches tun(4) into layer 2 (Ethernet) mode; without it the bridge refuses tun0, because bridge members have to be Ethernet interfaces:
ifconfig tun0 create
ifconfig tun0 link0 up
ifconfig bridge0 create add fxp0 tun0
openvpn --genkey --secret /etc/openvpn/server.key
Paste this into /etc/openvpn/server.conf:
# UDP (proto udp on both ends) is the usual choice; TCP works but stalls
# badly under packet loss because of TCP-over-TCP retransmits
proto tcp-server
port 1194
# tun0 runs in layer 2 mode (link0), so tell OpenVPN to treat it as a tap device
dev tun0
dev-type tap
# the same key goes on the client; readable by root only
secret /etc/openvpn/server.key
# 2.1 defaults to BF-CBC and SHA1; setting cipher AES-256-CBC and auth SHA256
# on both ends is worth it
# push travels over the TLS control channel, which static key mode does not
# have, and the client below does not pull; put routes in the client config instead
#push "route 10.1.0.0 255.255.0.0 10.1.16.1"
# keep the key and the device open across restarts, needed once we drop root
persist-key
persist-tun
ping-timer-rem
keepalive 10 60
# drop privileges after setup (the user is created by the package)
user _openvpn
group _openvpn
To make OpenVPN start on boot, create /etc/hostname.bridge0 with:
add fxp0
add tun0
up
and /etc/hostname.tun0 with (link0 is required: it puts tun(4) into layer 2 mode, which is what the bridge and dev-type tap expect; netstart brings up bridges after the other interfaces, so tun0 exists when the bridge is built):
up link0
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf
That's it. Reboot to test it, or start OpenVPN by hand:
/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf
Leave out --daemon and add --verb 4 while debugging to watch the handshake and the tap setup on the console.
A simple client configuration (here for a non-OpenBSD client with a native tap device) would look like:
proto tcp-client
# on an OpenBSD client use dev tun0 plus dev-type tap, with link0 set, as on the server
dev tap
remote you.example.org 1194
# a copy of the server's key, transferred over a secure channel (scp), mode 0600
secret ./your.key
# the route the server cannot push in static key mode
route 10.1.0.0 255.255.0.0 10.1.16.1
persist-key
persist-tun
ping-timer-rem
keepalive 10 60
The client still needs an address on the LAN segment for its tap device, either from the LAN's DHCP server over the bridge or set by hand. If you set cipher or auth on the server, set the same values here; a mismatch does not stop OpenVPN from starting, the tunnel simply never passes traffic and the log fills with decrypt/HMAC errors.
Hint: Use DynDNS or something similar if the server sits behind a dynamically assigned IP address; the client's remote line then names the DNS entry instead of the address.
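To tie the steps together, here is an added example (my own script, not code from the original post): it renders the server and client config from one set of parameters so proto, port, cipher and auth cannot drift apart, and checks the static key file (the layout of an openvpn --genkey V1 key, owner-only permissions) and the config pair before OpenVPN is started. The hostnames, paths, the _openvpn user and the explicit cipher AES-256-CBC / auth SHA256 choice are assumptions of the example; the post itself runs OpenVPN 2.1's defaults for cipher and auth.

```shell
#!/bin/sh
# Added example, not from the original post: render a matching server and
# client config for the static-key, bridged (tap) setup above from one set of
# parameters, and sanity check the key file and the pair before starting
# OpenVPN. Hostnames, paths and the cipher/auth choice are this example's
# assumptions; the post runs OpenVPN 2.1 defaults for cipher and auth.

# Both ends must agree on these; keeping them in one place makes that automatic.
CIPHER=AES-256-CBC
AUTH=SHA256

# Render the server side. Arguments: output file, listen port, key path,
# tun device (an OpenBSD tun(4) in link0 mode), unprivileged user/group.
render_server_conf() {
    cat > "$1" <<EOF
proto tcp-server
port $2
dev $4
dev-type tap
secret $3
cipher $CIPHER
auth $AUTH
persist-key
persist-tun
ping-timer-rem
keepalive 10 60
user $5
group $5
EOF
}

# Render the client side. Arguments: output file, server host, server port,
# key path on the client. On an OpenBSD client replace 'dev tap' with
# 'dev tun0' plus 'dev-type tap' and set link0 on tun0, as on the server.
render_client_conf() {
    cat > "$1" <<EOF
proto tcp-client
dev tap
remote $2 $3
secret $4
cipher $CIPHER
auth $AUTH
persist-key
persist-tun
ping-timer-rem
keepalive 10 60
EOF
}

# First value of option $2 in config file $1 (empty if unset).
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Return 0 if server config $1 and client config $2 can talk to each other:
# complementary proto, same port, same cipher and auth. A mismatch here does
# not stop OpenVPN from starting; the tunnel just never passes traffic.
check_pair() {
    rc=0
    sproto=$(conf_value "$1" proto); cproto=$(conf_value "$2" proto)
    case "$sproto/$cproto" in
        tcp-server/tcp-client|udp/udp) ;;
        *) echo "proto: server '$sproto' does not pair with client '$cproto'"; rc=1 ;;
    esac
    sport=$(conf_value "$1" port)
    cport=$(awk '$1 == "remote" { print $3; exit }' "$2")
    [ "$sport" = "$cport" ] || { echo "port: server '$sport' vs client remote '$cport'"; rc=1; }
    for opt in cipher auth; do
        sv=$(conf_value "$1" $opt); cv=$(conf_value "$2" $opt)
        [ "$sv" = "$cv" ] || { echo "$opt: server '$sv' vs client '$cv'"; rc=1; }
    done
    return $rc
}

# Return 0 if $1 looks like a usable 'openvpn --genkey' V1 static key that is
# readable by its owner only; print the problem and return 1 otherwise.
check_static_key() {
    [ -f "$1" ] || { echo "$1: missing"; return 1; }
    # columns 5-10 of ls -l are the group and other permission bits
    case $(ls -l "$1" | cut -c5-10) in
        ------) ;;
        *) echo "$1: readable by group/other, chmod 600 it"; return 1 ;;
    esac
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$1" ||
        { echo "$1: no static key header"; return 1; }
    grep -q '^-----END OpenVPN Static key V1-----$' "$1" ||
        { echo "$1: no static key trailer"; return 1; }
    # 2048 bits of key material: 16 lines of 32 hex digits
    n=$(grep -c '^[0-9a-f]\{32\}$' "$1" || :)
    [ "$n" -eq 16 ] || { echo "$1: expected 16 hex lines, found $n"; return 1; }
}

# Constructed placeholder with the V1 layout (all zeros) so the checks run
# offline. Never use it for a tunnel: real keys come from openvpn --genkey.
write_placeholder_key() {
    ( umask 077
      { printf '#\n# 2048 bit OpenVPN static key\n#\n'
        echo '-----BEGIN OpenVPN Static key V1-----'
        i=0; while [ $i -lt 16 ]; do printf '%032d\n' 0; i=$((i + 1)); done
        echo '-----END OpenVPN Static key V1-----'
      } > "$1" )
}

# Usage: sh this.sh demo  (writes everything into a temporary directory)
demo() {
    d=$(mktemp -d)
    write_placeholder_key "$d/server.key"
    render_server_conf "$d/server.conf" 1194 "$d/server.key" tun0 _openvpn
    render_client_conf "$d/client.conf" vpn.example.org 1194 ./server.key
    check_static_key "$d/server.key" && check_pair "$d/server.conf" "$d/client.conf" &&
        echo "configs in $d are consistent"
}
case ${1-} in demo) demo ;; esac
```

Run it as "sh openvpn-check.sh demo" to see the full round trip in a temporary directory; on the real server point check_static_key at /etc/openvpn/server.key after openvpn --genkey and run check_pair against the client config before you hand it out. The placeholder key the demo writes is all zeros and only exists so the format and permission checks have something to chew on.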
Hi Chris. Thank you for the article.
I’m trying this setup in order to bond two tun interfaces using openvpn, since I have 2 ADSL in each remote site.
In the main site I have a fixed internet access and I have two sessions of openvpn running on different udp ports, so I have 2 tun interfaces too, but on the same physical interface.
How can I set up the bridge in the central site? One bridge with the physical interface and both tun?
Would you explain why the bridge interface is needed?
Many thanks.
Norberto
Assuming you want to tunnel to a remote server I think you should use a routed setup instead of a bridged one in this case.
Just assign two separate subnets, one per tunnel (e.g. 10.0.0.0/30 for tun0 and 10.0.0.4/30 for tun1), and create equal-cost routing entries on both your local ADSL router and your remote server. That's it for the load balancing part. You'll still need to route a public IP address to your local box, but I'd need more information for that. Good luck.
Thanks Chris. I was going this way, but think that bonding two tun interfaces would be simpler.
I have the setup running with two routes and right now I'm playing with CBQ.
Many thanks
Norberto
Feel free to report back if you get it working.