author: Dante Catalfamo, 2020-07-21 22:43:21 -0400
committer: Dante Catalfamo, 2020-07-21 22:43:21 -0400
commit: 10109a0188606cd14c92b5f07f1891b94166df5c
tree: 7a6a1364a48e774af9f4045c2897cf9ca5fd028a /content/posts/openbsd-vpn-gateway
parent: b29193e38464b3b6eb3062833005f26ee6efe74f
gateway: chmod files and rcctl business
Diffstat (limited to 'content/posts/openbsd-vpn-gateway')
-rw-r--r-- content/posts/openbsd-vpn-gateway/index.org | 34
1 files changed, 34 insertions, 0 deletions
diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org
index f45a3d7..585a197 100644
--- a/content/posts/openbsd-vpn-gateway/index.org
+++ b/content/posts/openbsd-vpn-gateway/index.org
@@ -155,3 +155,37 @@
#+BEGIN_SRC
auth-user-pass vpnpass.txt
#+END_SRC
+
+ Now we change their permissions to make sure they cannot be read or
+ modified by other users on the system.
+
+ #+BEGIN_SRC shell
+ doas chmod 600 profile.ovpn vpnpasswd.txt
+ #+END_SRC
+
+** rcctl
+
+ We can now set the OpenVPN daemon to launch at boot with our
+ modified profile using =rcctl=. =rcctl= is a tool that comes with
+ OpenBSD which modifies =/etc/rc.conf.local= on your behalf to
+ ensure it's done properly. The use of =rcctl= is not strictly
+ required, but highly recommended.
+
+
+ #+BEGIN_SRC shell
+ doas rcctl set openvpn flags --config /root/profile.ovpn
+ doas rcctl enable openvpn
+ doas rcctl start openvpn
+ #+END_SRC
+
+ - =rcctl set openvpn flags --config /root/profile.ovpn= tells
+ =rcctl= to set the launch flags to the =openvpn= daemon to
+ =--config /root/profile.ovpn=. This is an OpenVPN option that
+ tells it to load its config from =/root/profile.ovpn=.
+
+ - =rcctl enable openvpn=, enables the daemon at boot.
+
+ - =rcctl start openvpn= starts the =openvpn= daemon.
+
+ If things are configured correctly, you should now see a =tun=
+ device in your =ifconfig=.
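Review bot: The chmod line names vpnpasswd.txt, but the unchanged context line just above the new text reads "auth-user-pass vpnpass.txt", so the two filenames do not match. If the file is named as the profile expects, chmod reports an error for vpnpasswd.txt and the credentials file OpenVPN actually loads keeps its existing mode, which defeats the purpose of the step. Use one name in both places. The chmod also takes relative paths while the rcctl flags point at /root/profile.ovpn, so either say which directory the reader should be in or spell out the full paths for both files. Minor: in the bullet list, "=rcctl enable openvpn=, enables the daemon at boot" has a stray comma.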