This is part 3 in a series of posts detailing how I’m securing my Internet communications using open-source software.
It should be noted that even these measures are only securing part of my traffic. Everything that exits my VPN endpoint is protected only by whatever protocol-specific security measures are already in place (e.g. HTTPS for web traffic).
With the OpenVPN package installed and the PKI components in place, configuring and running the actual server software is straightforward. The OpenVPN package includes a sample server configuration file that makes a good starting point.
Make an OpenVPN configuration directory in /etc, and add a copy of the sample configuration, the CA certificate, the VPN server certificate and private key, and the Diffie-Hellman parameters:
I made the following changes to the default configuration:
- Run the server on port 80, so it can be reached from networks that might restrict or firewall outbound traffic to other ports.
- Use the tun0 device.
- Enable redirect-gateway, to force all client traffic through the VPN.
- Push DNS server addresses to clients (OpenDNS, in this case).
- Only allow 2 clients at a time (a laptop and a mobile device).
Here’s the diff of the server.conf changes:
Note that in this configuration, the server doesn’t need to store individual client certificates. The server will only accept clients whose certificates were signed by the master CA certificate (the same one that signed the server certificate).
Configuring OpenBSD for OpenVPN
The OS requires a few additional tweaks to run OpenVPN.
Turn on packet forwarding:
Add the following line to pf.conf to perform Network Address Translation on VPN connections (the 10.8.0.0/24 block is distributed via DHCP to OpenVPN clients):
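As an added example (not the original post's files), the script below writes a server.conf carrying the five changes listed earlier (port 80, tun0, redirect-gateway, OpenDNS pushed to clients, two clients maximum) together with the OpenBSD forwarding and NAT lines from this section, then checks that every security-relevant directive is present. The PKI file names (ca.crt, server.crt, server.key, dh.pem), the modern `match ... nat-to` pf syntax and the use of `egress` for the external interface are assumptions; adjust them to your own setup.

```shell
#!/bin/sh
# Added example: generate the OpenVPN server config and OpenBSD tweaks
# described in this post into a target directory, then verify them.
# PKI file names below are assumed, not taken from the original post.

write_openvpn_conf() {           # $1 = target directory (stand-in for /etc/openvpn)
    mkdir -p "$1"
    cat > "$1/server.conf" <<'EOF'
port 80
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
max-clients 2
keepalive 10 120
persist-key
persist-tun
daemon openvpn
verb 3
EOF
}

write_openbsd_conf() {           # $1 = target directory (stand-in for /etc)
    mkdir -p "$1"
    # packet forwarding between tun0 and the external interface
    printf 'net.inet.ip.forwarding=1\n' >> "$1/sysctl.conf"
    # NAT the VPN client block out of the external (egress) interface
    printf 'match out on egress from 10.8.0.0/24 to any nat-to (egress)\n' >> "$1/pf.conf"
}

check_openvpn_conf() {           # $1 = server.conf path; returns 0 only if all checks pass
    for d in '^port 80$' '^dev tun0$' 'redirect-gateway' '^max-clients 2$' \
             'dhcp-option DNS' '^ca ' '^cert ' '^key ' '^dh ' '^server 10\.8\.0\.0 '; do
        grep -q "$d" "$1" || { echo "missing: $d" >&2; return 1; }
    done
    # the server must keep verifying client certificates against the CA
    ! grep -Eq 'client-cert-not-required|verify-client-cert none' "$1"
}
```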
Running the OpenVPN daemon
Log output will appear in /var/log/daemon. At this point, there are no clients, so it’s enough that the daemon starts without errors.