Table of Contents
Prepare OpenVPN
Routed static setup
Bridged static setup
Routed PKI setup
Bridged PKI setup
On both the server and client:
# cd /usr/ports/security/openvpn
# make install clean
# mkdir /usr/local/etc/openvpn
Open UDP port 1194 in the server's firewall. Allow traffic on the tun/tap/bridge interfaces; for example, if you use pf, add to its configuration:
set skip on lo
set skip on tun
set skip on tap
set skip on bridge
Don't forget to enable IP forwarding on both the server and client! Run:
# sysctl net.inet.ip.forwarding=1
Add to /etc/rc.conf to enable it at boot-time:
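As an added check (not part of the original page), a small sh script that audits the preparation steps above on a FreeBSD host: forwarding enabled now and at boot, pf skipping the VPN interfaces, and a pass rule for UDP 1194. It assumes the pf rules live in /etc/pf.conf; gateway_enable="YES" is the rc.conf setting that enables forwarding at boot.

```shell
#!/bin/sh
# Added example, not from the original page: audit the preparation steps on a
# FreeBSD host. Checks take their input as text so they run against constructed
# samples as well as live output (see audit_live below).

# Output of "sysctl -n net.inet.ip.forwarding" must be 1.
forwarding_enabled() {
    [ "$1" = "1" ]
}

# gateway_enable="YES" in /etc/rc.conf turns forwarding on at boot.
rc_forwarding_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*gateway_enable="?YES"?'
}

# Print the VPN interfaces (tun, tap, bridge) the pf ruleset does not skip.
# "set skip" disables all filtering on an interface, so VPN peers reach the
# host unfiltered; a stricter ruleset passes only what the VPN actually needs.
missing_pf_skips() {
    missing=""
    for ifc in tun tap bridge; do
        printf '%s\n' "$1" | grep -Eq '^[[:space:]]*set skip on.*[ {]'"$ifc"'([ }]|$)' \
            || missing="$missing $ifc"
    done
    printf '%s' "${missing# }"
}

# Is there a pass rule admitting the OpenVPN port (UDP 1194) into the host?
pf_passes_openvpn() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*pass[[:space:]]+in.*proto[[:space:]]+udp.*port[[:space:]]+(1194|openvpn)'
}

# Run every check against the live system; non-zero status if anything is missing.
audit_live() {
    rc=0
    forwarding_enabled "$(sysctl -n net.inet.ip.forwarding 2>/dev/null)" \
        || { echo "forwarding off: run sysctl net.inet.ip.forwarding=1"; rc=1; }
    rc_forwarding_enabled "$(cat /etc/rc.conf 2>/dev/null)" \
        || { echo "not persistent: add gateway_enable=\"YES\" to /etc/rc.conf"; rc=1; }
    pf=$(cat /etc/pf.conf 2>/dev/null)
    skips=$(missing_pf_skips "$pf")
    [ -z "$skips" ] || { echo "pf does not skip: $skips"; rc=1; }
    pf_passes_openvpn "$pf" || { echo "pf has no pass rule for UDP 1194"; rc=1; }
    return $rc
}

# Only touch the running system when asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then audit_live; fi
```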
OpenVPN supports two very different means for interconnecting networks: routing and bridging.
Bridging advantages:
- Broadcasts traverse the VPN — this allows software that depends on LAN broadcasts such as Windows NetBIOS file sharing and network neighborhood browsing to work.
- No route statements to configure.
- Works with any protocol that can function over ethernet, including IPv4, IPv6, Netware IPX, AppleTalk, etc.
- Relatively easy-to-configure solution for road warriors.
Bridging disadvantages:
- Less efficient than routing, and does not scale well.
Routing advantages:
- Efficiency and scalability.
- Allows better tuning of MTU for efficiency.
Routing disadvantages:
- Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work.
- Routes must be set up linking each subnet.
- Software that depends on broadcasts will not "see" machines on the other side of the VPN.
- Works only with IPv4 in general, and IPv6 in cases where tun drivers on both ends of the connection support it explicitly.