Network & Systems Architect

Welcome to my little blog. I am mostly techie over here, blogging about networking and system administration topics, but there will also be some Travel Reports from time to time…

How to OpenVPN on OpenBSD as Layer2 VPN

March 19, 2010 by Christian Kildau, 7 Comments

Getting OpenVPN running on a recent OpenBSD is pretty simple. I run OpenVPN 2.1 on OpenBSD-current as of 2010/03/10 (almost 4.7) with a pre-shared static key (PSK) as a layer 2 VPN. Layer 2 because I have some zeroconf/Bonjour stuff running on my LAN and I want to reach my iTunes shares through the VPN; that discovery traffic is link-local multicast (mDNS), which a routed tunnel would not carry. Two things to keep in mind: static-key mode is point-to-point, so one server instance serves exactly one client, and a bridged client is on your LAN for all purposes, broadcasts included, so the key file deserves mode 0600 and careful transport. I'll make it very short: install OpenVPN from packages (or ports if you want to), put tun0 into layer 2 mode (link0) and add it to a bridge together with the LAN interface, create a PSK and create a simple config file. Each bridge member gets its own add keyword:

ifconfig tun0 create
ifconfig tun0 link0 up
ifconfig bridge0 create
ifconfig bridge0 add fxp0 add tun0 up
openvpn --genkey --secret /etc/openvpn/server.key
chmod 600 /etc/openvpn/server.key

Paste this into /etc/openvpn/server.conf:

proto tcp-server
port 1194
dev tun0
dev-type tap
secret /etc/openvpn/server.key
keepalive 10 60
user _openvpn
group _openvpn
persist-key
persist-tun

dev-type tap tells OpenVPN to send Ethernet frames over tun0, matching the link0 mode set below. persist-key and persist-tun belong with user/group: once OpenVPN has dropped to _openvpn it can neither re-read the key nor re-open /dev/tun0 when keepalive decides the peer is gone and restarts the tunnel. A push line has no place here: pushing options only works on a TLS-mode server, and a bridged client sits on the LAN anyway, so it needs no route. Two optional improvements: secret /etc/openvpn/server.key 0 here and the same key with direction 1 on the client gives each direction its own key, and proto udp on both ends avoids running TCP inside TCP, which stalls badly on a lossy link; TCP only buys you passage through networks that block UDP.

To set all this up at boot, create /etc/hostname.bridge0 with:

add fxp0
add tun0
up

And /etc/hostname.tun0 with (I had to set link0 to get it working; it is what puts tun0 into layer 2 mode so the bridge accepts it, and netstart configures tun0 before bridge0, so the member exists by the time the bridge is built):

up link0
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf

That's it. You can reboot to test whether it works, or just start OpenVPN by hand with

/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf

Check with ifconfig that bridge0 lists fxp0 and tun0 as members and that tun0 shows LINK0 in its flags; with --daemon, OpenVPN's messages go to syslog, which on OpenBSD means /var/log/daemon. A simple client configuration would look like this (your.key is a copy of the server's key, moved over a channel you trust, scp rather than mail):

proto tcp-client
dev tap
remote 1194
secret ./your.key
keepalive 10 60

Hint: use DynDNS or something similar if the server sits on a dynamically assigned IP address, so the client's remote line has a stable name to point at.
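As an added example (mine, not Christian's), here is the whole setup as a staging script with the checks a deployment should make before the files go live: it writes server.conf, hostname.tun0 and hostname.bridge0 under a staging root of your choice, generates the static key with openvpn --genkey when OpenVPN is installed (and a test key in the same file layout from /dev/urandom when it is not, only so the checks can be exercised), and refuses to finish if the key file has the wrong layout or is readable by anyone but its owner. Interface names, paths and the _openvpn account are the post's; the staging root, the function names and the test key are assumptions of this script.

```shell
#!/bin/sh
# Added example, not part of the original post: stage the post's files and
# run the checks a deployment should make before they go live. Interface
# names (fxp0, tun0, bridge0), paths under /etc and the _openvpn account
# follow the post; staging root, function names and test key are assumptions.
set -eu
umask 077    # everything created here, the key above all, starts out 0600

# Validate an OpenVPN "Static key V1" file as openvpn --genkey writes it:
# optional '#' comment lines, BEGIN line, 16 lines of 32 hex digits (256
# bytes of key material), END line. Also insist on mode 0600: root reads
# the key before privileges drop to _openvpn, nobody else needs it.
check_static_key() {
    key=$1
    [ -f "$key" ] || { echo "check: $key does not exist" >&2; return 1; }
    case "$(ls -l "$key" | cut -c5-10)" in
        ------) ;;
        *) echo "check: $key is group/other readable, chmod 600 it" >&2; return 1 ;;
    esac
    body=$(grep -v '^#' "$key" | grep -v '^[[:space:]]*$' || true)
    first=$(printf '%s\n' "$body" | head -n 1)
    last=$(printf '%s\n' "$body" | tail -n 1)
    [ "$first" = '-----BEGIN OpenVPN Static key V1-----' ] ||
        { echo "check: $key lacks the Static key V1 header" >&2; return 1; }
    [ "$last" = '-----END OpenVPN Static key V1-----' ] ||
        { echo "check: $key lacks the Static key V1 footer" >&2; return 1; }
    hexlines=$(printf '%s\n' "$body" | grep -c '^[0-9a-f]\{32\}$' || true)
    lines=$(printf '%s\n' "$body" | wc -l | tr -d ' ')
    [ "$hexlines" -eq 16 ] && [ "$lines" -eq 18 ] ||
        { echo "check: $key should hold 16 lines of 32 hex digits" >&2; return 1; }
}

# Offline stand-in for "openvpn --genkey --secret FILE" with the same file
# layout, so the checks can be exercised on a box without OpenVPN. Test use
# only: a real deployment generates its key with openvpn itself.
make_test_key() {
    {
        printf '#\n# 2048 bit OpenVPN static key (TEST KEY from the staging script)\n#\n'
        printf '%s\n' '-----BEGIN OpenVPN Static key V1-----'
        od -An -v -N 256 -tx1 /dev/urandom | tr -d ' \n' |
            awk '{ for (i = 1; i <= length($0); i += 32) print substr($0, i, 32) }'
        printf '%s\n' '-----END OpenVPN Static key V1-----'
    } > "$1"
    chmod 600 "$1"
}

gen_key() {    # prefer the real generator when it is installed
    if command -v openvpn >/dev/null 2>&1; then
        openvpn --genkey --secret "$1"
    else
        make_test_key "$1"
    fi
}

# The post's server.conf without the push line (pushing options only works
# on a TLS-mode server, and a bridged client needs no route anyway) and with
# persist-key/persist-tun, without which the _openvpn user can neither
# re-read the key nor re-open tun0 when keepalive restarts the tunnel.
write_server_conf() {
    cat > "$1/etc/openvpn/server.conf" <<'EOF'
proto tcp-server
port 1194
dev tun0
dev-type tap
secret /etc/openvpn/server.key
keepalive 10 60
user _openvpn
group _openvpn
persist-key
persist-tun
EOF
}

# hostname.if(5) files: link0 puts tun0 into layer 2 mode so bridge(4)
# accepts it; each bridge member needs its own "add" and the bridge "up".
write_hostname_files() {
    printf 'up link0\n!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf\n' \
        > "$1/etc/hostname.tun0"
    printf 'add fxp0\nadd tun0\nup\n' > "$1/etc/hostname.bridge0"
}

# Stage under ROOT (never straight into /), keep an existing key, and fail
# if the key does not pass the checks.
stage() {
    root=$1
    mkdir -p "$root/etc/openvpn"
    write_server_conf "$root"
    write_hostname_files "$root"
    [ -f "$root/etc/openvpn/server.key" ] || gen_key "$root/etc/openvpn/server.key"
    check_static_key "$root/etc/openvpn/server.key"
    echo "staged under $root; review, copy to /, then reboot or run"
    echo "  /usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf"
}

# Usage: sh stage-openvpn.sh /path/to/staging/root
if [ $# -ge 1 ]; then
    stage "$1"
fi
```

Run it as sh stage-openvpn.sh /tmp/stage, look over the result, then copy the files into /etc. The umask makes everything staged 0600; the key must stay that way, the config and hostname.if files can be loosened when copied (hostname.if files are 0640 root:wheel on a fresh OpenBSD install). The check deliberately rejects a readable-by-group key rather than fixing it, because a key that was ever world-readable on a multi-user box is one you should regenerate, not chmod.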

This article has 7 comments
  1. Norberto Altalef

    Hi Chris. Thank you for the article.
    I'm trying this setup in order to bond two tun interfaces using OpenVPN, since I have 2 ADSL lines at each remote site.
    At the main site I have a fixed internet connection and I have two sessions of OpenVPN running on different UDP ports, so I have 2 tun interfaces too, but on the same physical interface.
    How can I set up the bridge at the central site? One bridge with the physical interface and both tuns?
    Would you explain why the bridge interface is needed?

    Many thanks.


    • Chris

      Assuming you want to tunnel to a remote server I think you should use a routed setup instead of a bridged one in this case.
      Just assign two separate subnets for each tunnel (e.g. for tun0 and for tun1) and create equal cost routing entries on both your local adsl router and your remote server. That’s it for the load balancing part. You’ll still need to route a public IP Address to your local box. But I’d need more information for that. Good luck.

      • Norberto Altalef

        Thanks Chris. I was going this way, but I think that bonding two tun interfaces would be simpler.
        I have the setup running with two routes and right now I'm playing with CBQ.

        Many thanks

        • Chris

          Feel free to report back if you got it working

  2. sputnik

    ifconfig bridge0 create add msk0 tun0
    ifconfig: SIOCAIFADDR: Inappropriate ioctl for device

  3. Moviuro

    You forgot the
    Option if you want clients to see each other (took me a while to find)

    Also, even though it's old, this post is still up to date! Impressive 😉
