Christian Kildau, Network Engineer


How to OpenVPN on OpenBSD as Layer2 VPN

March 19, 2010, by Christian Kildau. 7 Comments

Getting OpenVPN running on a recent OpenBSD is pretty simple. I run OpenVPN 2.1 on OpenBSD-current as of 2010/03/10 (almost 4.7) with a pre-shared key (PSK) as a layer 2 VPN. Layer 2 because I have some zeroconf/Bonjour stuff running on my LAN and I want to reach my iTunes shares through the VPN. I'll keep it short: install OpenVPN from packages (or ports if you prefer), configure a bridge, create a PSK and write a simple config file.

# install the package
pkg_add http://ftp.openbsd.org/pub/OpenBSD/4.7/packages/amd64/openvpn-2.1.0.tgz
# the tunnel interface; it is switched to tap (layer 2) mode with link0 in hostname.tun0 below
ifconfig tun0 create
# bridge the LAN interface (fxp0) with the tunnel
ifconfig bridge0 create add fxp0 tun0
# generate the static key (created mode 0600); copy it to the client over a secure channel only
openvpn --genkey --secret /etc/openvpn/server.key

Paste this to /etc/openvpn/server.conf:

proto tcp-server
port 1194
# use the tun0 interface created above, but run it as a tap (layer 2) device
dev tun0
dev-type tap
# static pre-shared key, same file on both ends
secret /etc/openvpn/server.key
push "route 10.1.0.0 255.255.0.0 10.1.16.1"
# keep key and device across restarts, needed once privileges are dropped
persist-key
persist-tun
ping-timer-rem
keepalive 10 60
# drop root after the tunnel is up
user _openvpn
group _openvpn

To make OpenVPN start on boot create /etc/hostname.bridge0 with:

add fxp0
add tun0
up

And /etc/hostname.tun0 with (I had to set link0 to get it working; the "!" line is a command netstart runs after configuring the interface):

up link0
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf

That's it. Reboot to test whether it works, or just start OpenVPN by hand with

/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf

A simple client configuration would look like:

proto tcp-client
# tap device, so the client ends up on the bridged LAN segment
dev tap
remote you.example.org 1194
# the same static key as on the server
secret ./your.key
persist-key
persist-tun
ping-timer-rem
keepalive 10 60

Hint: use DynDNS or something similar if the server has a dynamically assigned IP address.
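As an added example (not from the original post), here is a small POSIX sh checker for the server and client configurations above. It verifies that a config really is a tap (layer 2) setup with a static key, that the server side drops privileges with user/group, and that the key file named by secret is mode 0600, which is what openvpn --genkey creates. The directive names are real OpenVPN options; the config and key paths are whatever the caller passes in.

```shell
#!/bin/sh
# Sanity checks for an OpenVPN static-key (PSK) layer-2 setup like the one above.
# Added example, not part of the original post. Directive names are real OpenVPN
# options; the config and key paths are whatever the caller passes in.

# has_directive FILE NAME: succeed if FILE has an uncommented line starting with NAME.
has_directive() {
    grep -E -q "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# is_tap FILE: succeed for 'dev tap', 'dev tapN', or 'dev tunN' plus 'dev-type tap'.
is_tap() {
    grep -E -q '^[[:space:]]*dev[[:space:]]+tap[0-9]*([[:space:]]|$)' "$1" \
        || has_directive "$1" "dev-type tap"
}

# key_mode_ok FILE: succeed if the static key is -rw------- (owner read/write only),
# which is what `openvpn --genkey --secret` creates. Anyone who can read the key
# can decrypt and forge tunnel traffic; a static key has no forward secrecy.
key_mode_ok() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# check_conf FILE ROLE (server|client): print one line per problem, return the count.
check_conf() {
    conf=$1 role=$2 problems=0
    for d in secret persist-key persist-tun keepalive; do
        if ! has_directive "$conf" "$d"; then
            echo "$conf: missing '$d'"; problems=$((problems + 1))
        fi
    done
    if ! is_tap "$conf"; then
        echo "$conf: not a tap (layer 2) device, bridging will not work"
        problems=$((problems + 1))
    fi
    # Only the server side in the post drops privileges; check it there.
    if [ "$role" = server ]; then
        for d in user group; do
            if ! has_directive "$conf" "$d"; then
                echo "$conf: missing '$d', daemon keeps running as root"
                problems=$((problems + 1))
            fi
        done
    fi
    # Locate the key named by 'secret' (relative paths are taken from the config's directory).
    key=$(awk '$1 == "secret" { print $2; exit }' "$conf")
    if [ -n "$key" ]; then
        case $key in /*) ;; *) key=$(dirname "$conf")/$key ;; esac
        if ! key_mode_ok "$key"; then
            echo "$key: missing or not mode 0600"; problems=$((problems + 1))
        fi
    fi
    return $problems
}

# Usage: sh check_ovpn.sh /etc/openvpn/server.conf server
if [ $# -ge 2 ]; then
    check_conf "$1" "$2" && echo "$1: ok"
fi
```

Run it as sh check_ovpn.sh /etc/openvpn/server.conf server on the OpenBSD box and with the client role against the client file; it exits non-zero and lists what is off. The permission check matters more than it looks: with a static key there is no handshake and no forward secrecy, so a readable key file is equivalent to a readable copy of all traffic that ever crossed the tunnel.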

This article has 7 comments
  1. Norberto Altalef
    2010/12/30

    Hi Chris. Thank you for the article.
    I'm trying this setup in order to bond two tun interfaces using OpenVPN, since I have 2 ADSL lines in each remote site.
    In the main site I have a fixed internet access and I have two sessions of OpenVPN running on different UDP ports, so I have 2 tun interfaces too, but on the same physical interface.
    How can I set up the bridge in the central site? One bridge with the physical interface and both tun?
    Would you explain why the bridge interface is needed?

    Many thanks.

    Norberto

    • Chris
      2010/12/30

      Assuming you want to tunnel to a remote server I think you should use a routed setup instead of a bridged one in this case.
      Just assign two separate subnets for each tunnel (e.g. 10.0.0.0/30 for tun0 and 10.0.0.4/30 for tun1) and create equal cost routing entries on both your local adsl router and your remote server. That’s it for the load balancing part. You’ll still need to route a public IP Address to your local box. But I’d need more information for that. Good luck.

      • Norberto Altalef
        2011/01/03

        Thanks Chris. I was going this way, but I think that bonding two tun interfaces would be simpler.
        I have the setup running with two routes and right now I'm playing with CBQ.

        Many thanks
        Norberto

        • Chris
          2011/01/06

          Feel free to report back if you got it working.

  2. sputnik
    2012/12/11

    ifconfig bridge0 create add msk0 tun0
    ifconfig: SIOCAIFADDR: Inappropriate ioctl for device

  3. Moviuro
    2014/06/10

    You forgot the
    client-to-client
    option if you want clients to see each other (took me a while to find).

    Also, even though it's old, this post is still up to date! Impressive 😉
