The first thing to do is decide whether to use a routed or bridged network. Unless you require broadcasting, such as for IPX, routed is probably the better solution. You also need to pick an IP range to use. Select a range within 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16, but avoid popular ranges such as 192.168.0.0/24 to avoid conflicts.
Copy /etc/csw/openvpn.conf.CSW to /etc/csw/openvpn.conf and create some symlinks.
# cd /etc/csw/openvpn
/etc/csw/openvpn# cp openvpn.conf.CSW openvpn.conf
/etc/csw/openvpn# ln -s easy-rsa/keys/dh1024.pem
/etc/csw/openvpn# ln -s easy-rsa/keys/server.crt
/etc/csw/openvpn# ln -s easy-rsa/keys/server.key
/etc/csw/openvpn# ln -s easy-rsa/keys/ca.crt
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
Set the listening port to 1194. The proto statement sets the protocol to TCP or UDP. Use the dev statement to specify whether the tun or tap driver is used; it must be combined with the matching server or server-bridge statement. Use tun if you want a routed network and tap if you want a bridged network. The ca, cert, and key statements point to the CA certificate, server certificate, and server key respectively. It is usually best to change these to the full path of the file or of the symlinks we created. The dh statement points to the DH parameter file we created earlier.
The server or server-bridge line designates the internal VPN subnet for OpenVPN to use. The server command only requires the subnet and netmask. The server-bridge command needs the IP address for the bridge adapter followed by the subnet mask and the first and last IP in the subnet that can be given out to clients.
If you are using ipfilter rules that could cause connectivity issues, add the following to /etc/ipf/ipf.conf. This example is taken from a Xen instance; if you are using a physical interface, replace xnf0 with the appropriate interface name.
pass in quick on xnf0 proto udp from any to xnf0/32 port = 1194 keep state
Reload the ipfilter rules:
ipf -Fa -f /etc/ipf/ipf.conf
At this point OpenVPN is ready to go and can be started. The first time, start openvpn in the foreground for debugging. Afterwards you can use the second command to start openvpn as a daemon.
# /opt/csw/sbin/openvpn /etc/csw/openvpn/openvpn.conf
# /etc/init.d/openvpn start
The client needs to be configured similarly to the server. The client also needs to receive the client certificate and key we created earlier along with the certificate authority certificate. The client configuration file needs to have the same tun/tap settings as the server along with the same protocol and compression settings.
Example client configuration:
client
dev tun
proto tcp
remote vpn.server.hostname 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
This simple client configuration specifies tun (routing mode) over TCP. The remote statement specifies the OpenVPN server hostname or IP address and port. The resolv-retry line tells the OpenVPN client to retry resolving the server hostname indefinitely. Using nobind lets OpenVPN pick a local port to use. The persist-key and persist-tun lines tell the client to preserve the key material and the tun device across restarts. The ca, cert, and key lines point to the certificates and key used to authenticate the connection. Finally, comp-lzo enables LZO compression.
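Because dev, proto and comp-lzo must agree on both ends, and the client's remote port must be the server's listening port, a quick consistency check before rollout saves debugging time. The following Python check is an added example, not part of the tutorial or of OpenVPN; the embedded configs are constructed from the directives shown above.

```python
# Added check: verify that a server and client OpenVPN config agree on dev, proto, comp-lzo and port.
# Constructed sample configs built from the directives shown in the tutorial.
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
"""
CLIENT_CONF = """\
client
dev tun
proto tcp
remote vpn.server.hostname 1194
nobind
comp-lzo
"""


def parse_conf(text):
    """Map each directive to its argument list; skip blank lines and #/; comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        conf[name] = args
    return conf


def check_pair(server_text, client_text):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    srv, cli = parse_conf(server_text), parse_conf(client_text)
    problems = []
    for d in ("dev", "proto"):  # these must be identical on both ends
        if srv.get(d) != cli.get(d):
            problems.append("%s: server %s vs client %s" % (d, srv.get(d), cli.get(d)))
    if ("comp-lzo" in srv) != ("comp-lzo" in cli):  # compression must match too
        problems.append("comp-lzo: enabled on only one side")
    srv_port = srv.get("port", ["1194"])[0]  # OpenVPN's default port is 1194
    remote = cli.get("remote", [])
    cli_port = remote[1] if len(remote) > 1 else "1194"
    if srv_port != cli_port:
        problems.append("port: server %s vs client remote %s" % (srv_port, cli_port))
    return problems


if __name__ == "__main__":
    for p in check_pair(SERVER_CONF, CLIENT_CONF):
        print("MISMATCH:", p)
```

Run against the constructed pair it reports the proto and comp-lzo differences; run against your real files it should print nothing before you start the daemon.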