OpenVPN: Connect your LANs over the Internet

Prepare OpenVPN

by ross at 14:33:28 on December 31, 2012

Install

On both the server and client:

# cd /usr/ports/security/openvpn
# make install clean
# mkdir /usr/local/etc/openvpn

Open UDP port 1194 in the server's firewall and allow traffic on the tun/tap/bridge interfaces. For example, if you use pf, add these lines to its config:

set skip on lo
set skip on tun
set skip on tap
set skip on bridge

Don't forget to enable IP forwarding on both the server and client! Run:

# sysctl net.inet.ip.forwarding=1

Add to /etc/rc.conf to enable it at boot-time:

gateway_enable="YES"
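The steps above are easy to get half-done (forwarding enabled at runtime but not in rc.conf, or the pf skip rules added without a pass rule for the OpenVPN port). The following pre-flight script is an added example, not part of the original post: it checks copies of rc.conf and pf.conf for the items the steps above require, so it runs on any host without touching the live firewall. The file paths, the sample rc.conf and pf.conf contents, and the `pass in` rule for UDP 1194 are constructed for the demonstration (the post itself does not show the pass rule).

```shell
#!/bin/sh
# Pre-flight check for the OpenVPN preparation steps (added example).
# Inspects copies of rc.conf and pf.conf rather than the running system.

# Return 0 if the rc.conf at $1 enables IP forwarding at boot.
check_rc_forwarding() {
    grep -Eq '^[[:space:]]*gateway_enable="?YES"?' "$1"
}

# Return 0 if the pf.conf at $1 skips filtering on interface $2
# (only the one-interface-per-line form used above is recognised).
check_pf_skip() {
    grep -Eq "^[[:space:]]*set skip on $2([[:space:]]|\$)" "$1"
}

# Return 0 if the pf.conf at $1 has a "pass in" rule for UDP port $2.
check_pf_openvpn_port() {
    grep -Eq "^[[:space:]]*pass[[:space:]]+in.*proto[[:space:]]+udp.*port[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# Run every check against rc.conf $1 and pf.conf $2; print each result
# and return the number of failed checks (0 means ready).
preflight() {
    rcconf="$1"; pfconf="$2"; failed=0
    if check_rc_forwarding "$rcconf"; then echo "ok   rc.conf: gateway_enable=YES"
    else echo "FAIL rc.conf: gateway_enable=\"YES\" missing"; failed=$((failed+1)); fi
    for ifc in lo tun tap bridge; do
        if check_pf_skip "$pfconf" "$ifc"; then echo "ok   pf.conf: set skip on $ifc"
        else echo "FAIL pf.conf: no 'set skip on $ifc'"; failed=$((failed+1)); fi
    done
    if check_pf_openvpn_port "$pfconf" 1194; then echo "ok   pf.conf: UDP 1194 passed in"
    else echo "FAIL pf.conf: no 'pass in' rule for UDP 1194"; failed=$((failed+1)); fi
    return $failed
}

# Constructed sample files: one complete pair, one pair with gaps.
tmp=$(mktemp -d)
cat > "$tmp/rc.conf.good" <<'EOF'
gateway_enable="YES"
openvpn_enable="YES"
EOF
cat > "$tmp/pf.conf.good" <<'EOF'
ext_if = "em0"
set skip on lo
set skip on tun
set skip on tap
set skip on bridge
pass in on $ext_if proto udp to ($ext_if) port 1194
EOF
cat > "$tmp/rc.conf.bad" <<'EOF'
openvpn_enable="YES"
EOF
cat > "$tmp/pf.conf.bad" <<'EOF'
set skip on lo
set skip on tun
EOF

echo "== complete configuration =="
preflight "$tmp/rc.conf.good" "$tmp/pf.conf.good" || echo "$? check(s) failed"
echo "== incomplete configuration =="
preflight "$tmp/rc.conf.bad" "$tmp/pf.conf.bad" || echo "$? check(s) failed"
```

On a real server you would point `preflight` at /etc/rc.conf and /etc/pf.conf and pair it with `sysctl net.inet.ip.forwarding` to confirm the runtime value as well. The pattern matching is deliberately simple: pf also accepts the braced form `set skip on { lo tun tap bridge }`, which this script does not recognise.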

VPN type

OpenVPN supports two very different means for interconnecting networks: routing and bridging.

Bridging advantages

  • Broadcasts traverse the VPN — this allows software that depends on LAN broadcasts such as Windows NetBIOS file sharing and network neighborhood browsing to work.
  • No route statements to configure.
  • Works with any protocol that can function over ethernet, including IPv4, IPv6, Netware IPX, AppleTalk, etc.
  • Relatively easy-to-configure solution for road warriors.

Bridging disadvantages

  • Less efficient than routing, and does not scale well.

Routing advantages

  • Efficiency and scalability.
  • Allows better tuning of MTU for efficiency.

Routing disadvantages

  • Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work.
  • Routes must be set up linking each subnet.
  • Software that depends on broadcasts will not "see" machines on the other side of the VPN.
  • Works only with IPv4 in general, and IPv6 in cases where tun drivers on both ends of the connection support it explicitly.