OpenBSD Journal

OpenVPN 2.0 on OpenBSD HOWTO

Contributed by grey on from the because sometimes you don't want to use ipsec dept.

Thanks to Jonathan for the following submission, which may interest some of our readers:

I've written a HOWTO for OpenVPN 2.0 on OpenBSD. It covers configuration in bridging and in routing mode. It is available here:

http://blog.innerewut.de/articles/2005/07/04/openvpn-2-0-on-openbsd



Comments
  1. By m0th (212.202.23.198) tom@replic8.net on

    the URL is invalid due to expired session id. when do you guys learn to remove session ids from URLs pasted in stories? when will undeadly.org use some more advanced session management?

    thanks.

    Comments
    1. By m0th (212.202.23.198) tom@replic8.net on

      well, clicking on the URL included in the story itself everything is fine,
      sorry.

      BUT the rss-feed (which actually informed me of this new article) includes an expired session id to this story. why is that?

      thanks, again.

  2. By mirabile (213.196.252.16) on http://mirbsd.de/

    Did you ever experience any crashes with OpenVPN?

    I have tested an OpenVPN tunnel from behind an ADSL router at home
    to a dedicated server at a hoster. In Germany, most ADSL
    providers disconnect the line every 12 or 24 hours, with an
    instant re-dial-in possible (you get a different IPv4 tho).

    Related to that, I got crashes - usually the VPN server crashed
    first, the client later. I nailed that down to the tun(4)
    device [used in tun or tap (link2) mode, no matter] by replacing
    OpenVPN with netcat and ksh.

    I also got more crashes with IPv6 (on the interior of the tunnel)
    than without.

    Admittedly, I did not do these tests with pristine OpenBSD, but
    a friend did. He got the same crashes as I did with OpenVPN but
    didn't do much further testing. He even got _some_ (but not as
    many) crashes with IPsec.

    Maybe there's something in the routing code broken?

    We used host routes like Kili wrote once to mark the route to
    the "outer side" gateway, like this:

    route -n add -inet -host 192.168.0.221 -interface -link vr0:
    route -n add -inet default 192.168.0.221 -mtu 1454


    I tested disconnecting by manually killing the ppp(8) on the
    ADSL router then restarting it (ifconfig down/up for pppoe(4) is
    the equivalent). If people can reproduce that, I would be
    glad if they can sort that out with the OpenBSD developers;
    my kernel coding experience is basically nonexistent I admit.

    Comments
    1. By Hans Hoexer (131.188.33.51) on

      > Admittedly, I did not do these tests with pristine OpenBSD, but
      > a friend did. He got the same crashes as I did with OpenVPN but
      > didn't do much further testing. He even got _some_ (but not as
      > many) crashes with IPsec.
      
      Could your friend be so kind and read http://www.openbsd.org/report.html and then provide a proper report for those IPsec crashes? Thanks.

      Comments
      1. By Nikademus (85.201.21.164) nikademus@llorien.org on http://www.llorien.org

        I am sorry, but OpenVPN is _not_ part of the normal OpenBSD installation, it's rather installed by source/ports/packages. It is also _not_ based on IPsec, so writing a report to OpenBSD team will just be another useless move. Reporting to OpenVPN developers would be a better idea.

        Comments
        1. By Anonymous Coward (69.197.92.181) on

          Maybe you should try reading first, and then commenting after that. He says his friend experienced crashes with ipsec as well.

          I have run openbsd ipsec VPNs over horrible links that go down for minutes at a time several times a day with no problems though, so I wonder if maybe he just had bad hardware.

          Comments
          1. By phessler (208.201.244.164) on

            considering there was no information about the crashes, we don't know if they were caused by the same thing. not to mention the fact that the OP's openbsd is *not* stock. the request to report them to the openvpn people is appropriate.

            Comments
            1. By Anonymous Coward (69.197.92.181) on

              Again, read first, then comment. He clearly said his friend was the one getting ipsec crashes, and that it was stock openbsd. Yes, those should be reported to openbsd, and not openvpn.

            2. By mirabile (213.196.249.165) on http://mirbsd.de/

              Sure, mine were not on stock OpenBSD, that's why I didn't report.
              The crashes were total freezes; since I was in X11 at that time
              I don't know if there was a ddb. The server was remote, and I did
              not see anything in the syslog after it came back up (probably due
              to the crash). I did not, at that time, have means to gather
              console output.

              But I could (in my tests) reproduce them with netcat instead of
              OpenVPN, that's why they were definitively not OpenVPN's fault.

              I did, however, get some strange routing messages, that's why I
              suppose there is (or was?) a problem with routing.

              I don't have boxen to throw OpenBSD on for testing, though. (In
              fact, I even can't afford a new coffee machine at the moment, and
              my old one is broken... but that's off-topic.)

              That's why it seemed natural for me to post it here, where
              maybe others who have seen similar things can step in. If
              I wanted to submit a bug report I would have done different things.

              I also recall wbx telling me about some crashes when he tested
              OpenVPN first, but I don't want to put words in his mouth and
              I don't remember the exact problems.

        2. By Hans Hoexer (131.188.28.69) on

          As one maintainer of OpenBSD's IPsec implementation I'd like to know about problems regarding IPsec.

    2. By Jonathan (85.178.209.255) on http://blog.innerewut.de

      I never had any problems with crashes but I use OpenVPN only for my WLAN and not over DSL/ppp. Although, I use a PowerBook with OS X as a client and when it goes to sleep that's like a disconnect. When the machine is up again everything works just fine, the tunnel is reestablished after some seconds. The OS X client is Tunnelblick. http://tunnelblick.net/

    3. By phessler (64.173.147.27) on

      I have had zero problems with openvpn. Unix, OSX and Windows clients. Over WAN, DSL, Cable, and other connections (some with bad loss, some with zero loss). To be fair though I have not attempted any IPv6 over it, mostly because we do not have IPv6 setup inside the network openvpn connects to.

      Comments
      1. By amirm (208.34.41.180) on

        I have encountered quite a few especially with PF and some issues with the tunX if. I will report them soon to OpenVPN people when I get the exact reproduction method written down. Mine have to do with bridging mode.

  3. By Charles Hill (216.229.170.65) on

    The entire site seems to be gone.
