echothrust/howtos

A list of OpenBSD (mostly) material


OpenVPN on OpenBSD

Installation (NOT COMPLETE)

1) Installation following http://www.openbsdsupport.org/openvpn-on-openbsd.html
2) Use of our ansible playbook found on the devops repo (plays/openbsd-openvpn.yml)

Important files and directories (inside /etc/openvpn)

Administering

Things to keep in mind when setting up a standalone VPN server for echoCTF

Server Configuration example

########## SERVER CONF ##########
# SERVER CERT CONF
ca /etc/openvpn/certs/echoCTF-OVPN-CA.crt
cert /etc/openvpn/certs/echoCTF-OVPN-Server.crt
key /etc/openvpn/private/echoCTF-OVPN-Server.key
dh /etc/openvpn/dh.pem

# SERVER GENERAL CONF
local 172.16.10.64
writepid /var/run/openvpn.pid
ifconfig-pool-persist /var/openvpn/ipp.txt
tls-auth /etc/openvpn/private/vpn-ta.key 0 # This file is secret
replay-persist /etc/openvpn/replay-persist-file
max-clients 500
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
proto udp4  # IPv4 only; use plain udp (dual-stack) if that works better
port 1194
management 127.0.0.1 11195 /etc/openvpn/private/mgmt.pwd
daemon openvpn
chroot /var/openvpn/chrootjail
crl-verify /etc/openvpn/crl.pem
float
persist-key
persist-tun
user _openvpn
group _openvpn

# Additional authentication options - need to be configured before enabling
# (auth-user-pass-verify with via-env requires script-security 3)
;auth-user-pass-verify /var/openvpn/custom-simple-auth via-env
;script-security 3
keepalive 10 120
comp-lzo
verb 3

# Allow multiple client with the same certificate
duplicate-cn
# Enable running of scripts upon client connect/disconnect
script-security 2

########## END SERVER CONF ##########

########## TUN & CLIENT CONF ##########
dev tun0
server 10.11.0.0 255.255.0.0

push "route 10.0.0.0 255.255.0.0"
push "route 10.10.0.0 255.255.0.0"
push "route 10.10.255.254 255.255.255.255"

client-config-dir /etc/openvpn/ccd

# Scripts to run upon client connect and disconnect
# (note: "up" runs once when tun0 comes up; a per-client hook is "client-connect")
#up "/etc/openvpn/etsctf_client_up.sh"
#client-disconnect "/etc/openvpn/etsctf_client_down.sh"

########## END TUN&CLIENT CONF ######
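The server configuration above keeps `auth-user-pass-verify /var/openvpn/custom-simple-auth via-env` disabled and notes that it has to be configured first. The script below is an added example of what such a via-env verifier can look like; it is not the echothrust project's custom-simple-auth script. In via-env mode OpenVPN passes the client's credentials in the environment variables `username` and `password` and treats exit status 0 as accept and 1 as reject; running any such script needs `script-security 3`. The credentials file path, its `user:salt_hex:hash_hex` format and the PBKDF2 parameters are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Added example (not the howto's own script): an auth-user-pass-verify
handler for OpenVPN's via-env mode.

OpenVPN sets the environment variables `username` and `password`; the
script exits 0 to accept the client and 1 to reject it."""
from __future__ import annotations

import hashlib
import hmac
import os
import sys

# Assumed location and format (user:salt_hex:hash_hex, one per line).
# With `chroot /var/openvpn/chrootjail` in effect, the script, its interpreter
# and this file all have to be reachable from inside the jail.
CRED_FILE = "/var/openvpn/custom-simple-auth.users"
PBKDF2_ROUNDS = 200_000          # assumed work factor for this example
SALT_LEN = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_entry(username: str, password: str, salt: bytes = b"") -> str:
    """Build one credentials-file line; used when provisioning users.
    Usernames must not contain ':' in this format."""
    if ":" in username:
        raise ValueError("username may not contain ':'")
    salt = salt or os.urandom(SALT_LEN)
    return f"{username}:{salt.hex()}:{hash_password(password, salt).hex()}"


def parse_entries(text: str) -> dict[str, tuple[bytes, bytes]]:
    """Map username -> (salt, expected hash); blank and '#' lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, salt_hex, hash_hex = line.split(":", 2)
        entries[user] = (bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
    return entries


def verify(username: str, password: str, entries: dict) -> bool:
    """Constant-time check. Unknown users still pay for a full PBKDF2 run,
    so response time does not reveal whether the username exists."""
    salt, expected = entries.get(username, (b"\x00" * SALT_LEN, b"\x00" * 32))
    candidate = hash_password(password, salt)
    return username in entries and hmac.compare_digest(candidate, expected)


def main() -> int:
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    if not username or not password:
        return 1
    try:
        with open(CRED_FILE) as fh:
            entries = parse_entries(fh.read())
    except OSError:
        return 1          # missing or unreadable file: fail closed
    return 0 if verify(username, password, entries) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Two operational points: via-env exposes the password in the script's environment, which other processes running as `_openvpn` can read, so the `via-file` variant is the more conservative choice where it is available; and because the server chroots and drops to `_openvpn`, the interpreter, the script and the credentials file must exist inside `/var/openvpn/chrootjail` with permissions that user can use.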
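Because the server sets `duplicate-cn`, one certificate can be in use from several addresses at once, which is convenient for a CTF but makes it worth watching which common names are being shared. The parser below is an added example, not tooling from the echothrust repo: it reads the file written by `status /var/log/openvpn/openvpn-status.log` (the default version-1 layout) and lists the common names that currently have more than one session. The sample status text is constructed for the example.

```python
#!/usr/bin/env python3
"""Added example (not the howto's own tooling): parse an OpenVPN
version-1 status file and report certificates with multiple live
sessions, which `duplicate-cn` permits."""
from collections import defaultdict

# Constructed sample in the layout OpenVPN writes for `status <file>`.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
team-alpha,198.51.100.7:41022,10240,20480,Thu Jun 18 07:55:01 2020
team-alpha,203.0.113.9:55120,512,1024,Thu Jun 18 08:10:44 2020
team-beta,192.0.2.33:60111,4096,8192,Thu Jun 18 08:01:30 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.11.0.6,team-alpha,198.51.100.7:41022,Thu Jun 18 08:12:10 2020
10.11.0.10,team-alpha,203.0.113.9:55120,Thu Jun 18 08:12:12 2020
10.11.0.14,team-beta,192.0.2.33:60111,Thu Jun 18 08:12:01 2020
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_status(text):
    """Return (clients, routes).

    clients: list of dicts with cn, real, rx, tx, since (CLIENT LIST section)
    routes:  virtual address -> common name (ROUTING TABLE section)
    """
    clients, routes = [], {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
            continue
        if line == "ROUTING TABLE":
            section = "routes"
            continue
        if line in ("GLOBAL STATS", "END"):
            section = None
            continue
        if section == "clients":
            if line.startswith("Updated,") or line.startswith("Common Name,"):
                continue          # timestamp and column header lines
            cn, real, rx, tx, since = line.split(",", 4)
            clients.append({"cn": cn, "real": real, "rx": int(rx),
                            "tx": int(tx), "since": since})
        elif section == "routes":
            if line.startswith("Virtual Address,"):
                continue
            vaddr, cn, real, _last_ref = line.split(",", 3)
            routes[vaddr] = cn
    return clients, routes


def sessions_by_cn(clients):
    """Group the real (source) addresses of live sessions by common name."""
    grouped = defaultdict(list)
    for client in clients:
        grouped[client["cn"]].append(client["real"])
    return dict(grouped)


def shared_certificates(clients):
    """Common names with more than one concurrent session."""
    return {cn: addrs for cn, addrs in sessions_by_cn(clients).items()
            if len(addrs) > 1}


def report(text):
    """Human-readable summary; returns the lines so callers can log them."""
    clients, routes = parse_status(text)
    lines = [f"{len(clients)} session(s), {len(routes)} route(s)"]
    for cn, addrs in sorted(shared_certificates(clients).items()):
        lines.append(f"shared cert {cn}: {len(addrs)} sessions from {', '.join(addrs)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_STATUS)))
```

Pointing `report()` at the real status file (a small `open()` wrapper is all that is needed) gives a quick per-certificate view; if a shared certificate is not a team that is expected to share, the matching entry in `crl.pem` is the fix, and `crl-verify` in the configuration above makes the server honour it on the next handshake.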