Establish OpenVPN network based on system user name authentication in OpenBSD

Author: linyin (linyin.8800.org) is from Linyinblog. Implementation environment: # uname-aOpenBSDlinyin.8800.org4.3GENERIC.MP #0i386 #/usr/local/sbin/openvpn -- versionOpenVPN2.0.9i386-unknown-openbsd4 author: linyin (linyin.8800.org)
Source:Linyin blog.

Implementation environment:
# Uname-
OpenBSD linyin.8800.org 4.3 GENERIC. MP #0 i386

#/Usr/local/sbin/openvpn -- version
OpenVPN 2.0.9 i386-unknown-openbsd4.3 [SSL] [LZO] built on Nov 11 2008
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC < Info@openvpn.net>

Required software installation:
Openvpn (pkg_add installation) bash (pkg_add installation) gmake (pkg_add installation) auth-passwd (auth-passwd.sourceforge.net)

Configure Openvpn:
Create OpenVPN Directory
# Mkdir/etc/openvpn
Copy the OpenVPN script to generate the key and certificate to/etc/openvpn.
# Cp? R/usr/local/share/examples/openvpn/easy- Rsa/Etc/openvpn/
Edit/etc/openvpn/easy-rsa/vars as follows:
Export KEY_COUNTRY = CN
Export KEY_PROVINCE = JS
Export KEY_CITY = Soochow
Export KEY_ORG = "Linyin-Lab"
Export KEY_EMAIL = "linyin@linyin.org"

Switch to bash shell and create a certificate:
# Bash

Apply vars configuration
Bash-3.2 # source vars
NOTE: when you run./clean-all, I will be doing a rm-rf on/etc/openvpn/easy-rsa/keys

Clear existing keys and certificates
Bash-3.2 #./clean-all

Create a CA
Bash-3.2 #./build-ca
Generating a 1024 bit RSA private key
. ++
........................................ .......................... ++
Writing new private key to ca. key
-----
You are about to be asked to enter information that will be ininitialized
Into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter., the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [Soochow]:
Organization Name (eg, company) [Linyin-Lab]:
Organizational Unit Name (eg, section) []: OpenVPN
Common Name (eg, your name or your servers hostname) []: CA
Email Address [ Linyin@linyin.org]:
The keys generated by ca. crt and ca. key. in the/etc/openvpn/easy-rsa/keys directory are in the/etc/openvpn/easy-rsa/keys directory.

Generate a server key
Bash-3.2 #./build-key-server
Generating a 1024 bit RSA private key
...
... ++
Writing new private key to server. key
-----
You are about to be asked to enter information that will be ininitialized
Into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter., the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [Soochow]:
Organization Name (eg, company) [Linyin-Lab]:
Organizational Unit Name (eg, section) []: OpenVPN
Common Name (eg, your name or your servers hostname) []: server
Email Address [ Linyin@linyin.org]:
Please enter the following extra attributes
To be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from/etc/openvpn/easy-rsa/openssl. cnf
Check that the request matches the signature
Signature OK
The Subjects Distinguished Name is as follows
CountryName: PRINTABLE: CN
StateOrProvinceName: PRINTABLE: JS
LocalityName: PRINTABLE: Soochow
OrganizationName: PRINTABLE: Linyin-Lab
OrganizationalUnitName: PRINTABLE: OpenVPN
CommonName: PRINTABLE: server
EmailAddress: IA5STRING: linyin@linyin.org
Certificate is to be certified until Dec 3 11:10:26 2017 GMT (3650 days)
Sign the certificate? [Y/n]: y
1 out of 1 certificate requests certified, commit? [Y/n] y
Write out database with 1 new entries
Data Base Updated
Sign the certificate? [Y/n]: y
1 out of 1 certificate requests certified, commit? [Y/n]: y

The server generates Diffie Hellman parameters and generates the dh1024.pem file in the/etc/openvpn/easy-rsa/keys directory.
Bash-3.2 #./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
........................................ ....................................... + ....................................... ......................................
............. + ....................... + .......................... + ....................................... ............................... ++ *

To prevent DoS attacks and UDP port flooding, generate an "HMAC firewall"
Bash-3.2 # openvpn -- genkey -- secret easy-rsa/ta. key

Configure the OpenVPN plug-in based on the system user name verification:
In Http://sourceforge.net/projects/auth-passwdDownload the auth-passwd file
Decompress the package to the plugin directory in the OpenVPN source code file.
Edit The Makefile file and change USE_SHADOW = 1 to USE_SHADOW = 0.
Using gmake compilation in the auth-passwd source code directory will generate the openvpn-auth-passwd.so file and copy it to the/etc/openvpn Directory

Create an openvpn User group:
Bash-3.2 # groupadd-ov-g 1000 openvpn
Note that if 1000 exists, use another number.

Create an OpenVPN Server configuration file:
Bash-3.2 # vi/etc/openvpn/server. conf
Port 1194
Proto tcp
Dev tun0
Ca/etc/openvpn/easy-rsa/keys/ca. crt
Cert/etc/openvpn/easy-rsa/keys/server. crt
Key/etc/openvpn/easy-rsa/keys/server. key
Dh/etc/openvpn/easy-rsa/keys/dh1024.pem
Server 10.8.0.0 255.255.255.0
Ifconfig-pool-persist ipp.txt
Push "redirect-gateway def1"
Plugin/etc/openvpn/openvpn-auth-passwd.so openvpn
Client-to-client
Client-cert-not-required
Keepalive 10 120
Tls-auth/etc/openvpn/easy-rsa/keys/ta. key 0
Comp-lzo
User nobody
Group nobody
Persist-key
Persist-tun
Status openvpn-status.log
Verb 3

Test the OpenVPN Server:
Bash-3.2 #/usr/local/sbin/openvpn -- config/etc/openvpn/server. conf -- cd/etc/openvpn &
If Initialization Sequence Completed is displayed, the server is successfully started.

Configure PF:
Remove # net. inet. ip. forwarding = 1 # Comment
Bash-3.2 # vi/etc/sysctl. conf
Add comfortable forwarding
Bash-3.2 # vi/etc/pf. conf. Note that my nic is em0. add:
Ext_if = "em0"
Int_if = "tun0"
Internal_net = "10.8.0.0/24"
Nat on $ ext_if from 10.8.0.0/24 to any-> $ ext_if
Pass quick on lo0 all

Configure the OpenVPN client:
Set/etc/openvpn/easy-rsa/keys/ca in the server. crt,/etc/openvpn/easy-rsa/keys/ta. key is saved locally, and the client file linyin is created. ovpn, content:
Client
Dev tun0
Proto tcp
Remote linyin.8800.org 1194
Resolv-retry infinite
Nobind
User nobody
Group nobody
Auth-user-pass
Persist-key
Persist-tun
Ca. crt
Tls-auth ta. key 1
Comp-lzo
Verb 3

Log on to the VPN server as a system User:
Bash-3.2 # vi/etc/group
Openvpn: *: 1000: linyin
In this way, I can use the linyin user in the system to remotely log on to the VPN server without a certificate. I only need to pass password verification.

If you do not want to use VPN as a remote gateway, you can comment out the push "redirect-gateway def1" in server. conf ".
In addition, you can try other verification methods:
Openvpn-auth-ldap: Http://code.google.com/p/openvpn-auth-ldap/
Openvpn_bsdauth:/usr/ports/net/openvpn_bsdauth/In OpenBSD ports/
Before compiling and installing openvpn-auth-ldap, you must install the gobjc package.


All the main steps have been set up and can be officially enabled now. the article is rough and cannot take care of all the key points and details. if you have any questions, please contact me. =)