This is part 2 in a series of posts detailing how I’m securing my Internet communications using open-source software.
In part 1, I set up an OpenBSD VPS with full-disk encryption and the minimum OS install necessary to run OpenVPN.
Even these measures only secure part of my traffic. Everything that exits my VPN endpoint is protected only by whatever protocol-specific security is already in place (e.g. HTTPS for web traffic).
Part 5 of this series covers some changes to this process for OpenBSD 5.4!
Installing and configuring the OpenVPN package can seem daunting at first, but given a relatively simple VPN architecture (many clients, one server), the setup is straightforward. Many of the steps below are cribbed from the OpenVPN section of “Building VPNs on OpenBSD”, which is 4 years old but still informative.
Install the OpenVPN package from the installation media or an official OpenBSD mirror site. The OpenBSD FAQ has instructions for setting up the package system.
Next, make a copy of the easy-rsa directory:
Public Key Infrastructure (PKI) Configuration
The version of easy-rsa that’s included with OpenVPN on OpenBSD 5.3 is missing the whichopenssl script, so in the vars file, the KEY_CONFIG line must be edited in addition to the other KEY* lines. Here is a diff with my changes:
Because they are likely to change for each certificate generated, the KEY_EMAIL, KEY_CN, KEY_NAME, and KEY_OU values can be removed from the file.
After editing the vars file, source it and run these scripts to set up the PKI system:
Generate a certificate for the VPN server:
And one or more client certificates:
The keys directory should now be full of certificates, keys, and signing requests:
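As an added sanity check that is not part of the original post: a POSIX shell script that, given a keys directory laid out like easy-rsa's (ca.crt plus one .crt/.key pair per name), verifies each certificate against ca.crt, confirms each private key belongs to its certificate, and confirms that only the certificate produced by build-key-server is acceptable as a TLS server. It also builds a throwaway PKI with plain openssl so it can run without easy-rsa; the names demo-ca, server and client1 are constructed.

```shell
#!/bin/sh
# Added check, not from the original post: test an easy-rsa style keys
# directory (ca.crt plus <name>.crt/<name>.key) with plain openssl.

# Throwaway PKI with the certificate shapes easy-rsa 2.x produces: a CA,
# a server cert (nsCertType=server, serverAuth) and a client cert. Constructed.
make_demo_pki() {
  d=$1; mkdir -p "$d" || return 1
  cat > "$d/ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[ client ]
basicConstraints = CA:FALSE
nsCertType = client
extendedKeyUsage = clientAuth
EOF
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=demo-ca \
    -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null || return 1
  openssl x509 -req -days 1 -signkey "$d/ca.key" -in "$d/ca.csr" -out "$d/ca.crt" \
    -extfile "$d/ext.cnf" -extensions v3_ca 2>/dev/null || return 1
  for n in server client1; do
    sec=client; [ "$n" = server ] && sec=server
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
      -in "$d/$n.csr" -out "$d/$n.crt" -extfile "$d/ext.cnf" -extensions "$sec" 2>/dev/null || return 1
  done
}
# Return 0 only if every cert chains to ca.crt, each private key matches its
# cert, and the server cert (and no client cert) is acceptable as a TLS server.
check_pki() {
  d=$1; server=$2; shift 2
  for n in "$server" "$@"; do
    openssl verify -CAfile "$d/ca.crt" "$d/$n.crt" >/dev/null 2>&1 || return 1
    c=$(openssl x509 -noout -pubkey -in "$d/$n.crt" 2>/dev/null | openssl sha256)
    k=$(openssl pkey -pubout -in "$d/$n.key" 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ] || return 1
  done
  openssl verify -CAfile "$d/ca.crt" -purpose sslserver "$d/$server.crt" >/dev/null 2>&1 || return 1
  for n in "$@"; do
    openssl verify -CAfile "$d/ca.crt" -purpose sslserver "$d/$n.crt" >/dev/null 2>&1 && return 1
  done
  return 0
}
```

Run it against the real keys directory as `check_pki /etc/openvpn/easy-rsa/keys server client1 ...`, substituting the KEY_CN values you actually used.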