-rw-r--r--content/posts/openbsd-vpn-gateway/index.org109
1 files changed, 56 insertions, 53 deletions
diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org
index 61d54ee..2f6f31e 100644
--- a/content/posts/openbsd-vpn-gateway/index.org
+++ b/content/posts/openbsd-vpn-gateway/index.org
@@ -8,64 +8,67 @@
#+SLUG:
#+SUMMARY:
-Say you have an account with a VPN provider. Maybe there are a limit
-to how many connections you can have with one account, and you want to
-put more machines than you have connections on the account. Or maybe
-you want to put a large number of machines of the connection,
-including maybe FreeBSD Jails, LXC containers, or VMs, and you don't
-want to download the VPN profiles, sign in and configure them all
-individually.
-
-The solution I came up with to this problem is to setup a VPN gateway
-on my network using [[https://www.openbsd.org/faq/pf/][OpenBSD]]. Any device that sets that machine as it's
-gateway will automatically get its traffic tunneled through the VPN
-connection. It's also setup such that if the VPN connection ever drops
-or gets killed for any reason, the traffic will stop and won't be able
-to reach the internet. Thanks to this I don't have to worry about the
-traffic ever leaking out through my residential gateway should OpenVPN
-decide to close the connection. Sort of like a "kill switch", as some
-companies market it.
-
-The process for this is actually simple enough, thanks to OpenBSD's
-firewall, PF.
-
-To replicate my setup you'll need a dedicated machine running
-OpenBSD. You'll have to choose an appropriate host, taking into
-consideration how much traffic you plan to put through it, the speed
-of you VPN connection, and the speed of your home internet
-connection. Anything from a virtual machine or a low power single
-board PC will do in most cases, as home internet connections generally
-aren't the fastest. If your internet connection is fast enough though,
-you may consider [[https://blog.lambda.cx/posts/installing-openbsd-on-pcengines/][installing OpenBSD]] on a [[https://blog.lambda.cx/posts/pcengines-comparison/][PC Engines APU2]], as they're
-affordable, have gigabit Ethernet, and great OpenBSD driver support.
-
-I highly recommend you check out the man pages for the firewall
-configuration file format [[https://man.openbsd.org/man5/pf.conf.5][=pf.conf(5)=]], and the pf control command
-[[https://man.openbsd.org/man8/pfctl.8][=pfctl(8)=]] if you plan on setting something like this up. They're all
-very well written and explain a lot of what I'm doing in very clear
-detail. You should also read the excellent [[https://www.openbsd.org/faq/pf/][PF FAQ]] from the OpenBSD
-website, which covers many more PF configuration examples.
-
-The first thing we'll have to do is install OpenBSD. In my case I
-created a virtual machine on a server in my house running [[https://www.proxmox.com/en/][Proxmox]]. In
-my case, the machine only has 1 vCPU and 512 MB RAM, which is more
-than enough in my case, but you should choose the best machine for
-your situation.
-
-I won't be covering installing OpenBSD here, although it's extremely
-simple and straight forward. You can pick up the disk =.iso= image or
-USB =.fs= image from the [[https://www.openbsd.org/faq/faq4.html#Download][download]] page on OpenBSD website. If this is
-your first time installing OpenBSD, you should check out the
-[[https://www.openbsd.org/faq/faq4.html#Download][installation guide]], which goes over the process in detail.
-
-In this post the machine will have a single network interface called
-=vio0= with a desired static IP of =192.168.0.11=, although the
-interface and IP in your case will be different.
+* The Problem
+ Say you have an account with a VPN provider. Maybe there are a limit
+ to how many connections you can have with one account, and you want to
+ put more machines than you have connections on the account. Or maybe
+ you want to put a large number of machines of the connection,
+ including maybe FreeBSD Jails, LXC containers, or VMs, and you don't
+ want to download the VPN profiles, sign in and configure them all
+ individually.
+
+* The Solution
+
+ The solution I came up with to this problem is to setup a VPN gateway
+ on my network using [[https://www.openbsd.org/faq/pf/][OpenBSD]]. Any device that sets that machine as it's
+ gateway will automatically get its traffic tunneled through the VPN
+ connection. It's also setup such that if the VPN connection ever drops
+ or gets killed for any reason, the traffic will stop and won't be able
+ to reach the internet. Thanks to this I don't have to worry about the
+ traffic ever leaking out through my residential gateway should OpenVPN
+ decide to close the connection. Sort of like a "kill switch", as some
+ companies market it.
+
+* Hardware
+
+ To replicate my setup you'll need a dedicated machine running
+ OpenBSD. You'll have to choose an appropriate host, taking into
+ consideration how much traffic you plan to put through it, the speed
+ of you VPN connection, and the speed of your home internet
+ connection. Anything from a virtual machine or a low power single
+ board PC will do in most cases, as home internet connections
+ generally aren't the fastest. If your internet connection is fast
+ enough though, you may consider [[https://blog.lambda.cx/posts/installing-openbsd-on-pcengines/][installing OpenBSD]] on a [[https://blog.lambda.cx/posts/pcengines-comparison/][PC Engines
+ APU2]], as they're affordable, have gigabit Ethernet, and great
+ OpenBSD driver support. In my case I created a virtual machine on a
+ server in my house running [[https://www.proxmox.com/en/][Proxmox]]. In my case, the machine only has
+ 1 vCPU and 512 MB RAM, which is more than enough for my needs.
+
+* Documentation
+
+ I highly recommend you check out the man pages for the firewall
+ configuration file format [[https://man.openbsd.org/man5/pf.conf.5][=pf.conf(5)=]], and the pf control command
+[[https://man.openbsd.org/man8/pfctl.8][ =pfctl(8)=]] if you plan on setting something like this up. They're all
+ very well written and explain a lot of what I'm doing in very clear
+ detail. You should also read the excellent [[https://www.openbsd.org/faq/pf/][PF FAQ]] from the OpenBSD
+ website, which covers many more PF configuration examples.
+
+* Install OpenBSD
+
+ I won't be covering installing OpenBSD here, although it's extremely
+ simple and straight forward. You can pick up the disk =.iso= image or
+ USB =.fs= image from the [[https://www.openbsd.org/faq/faq4.html#Download][download]] page on OpenBSD website. If this is
+ your first time installing OpenBSD, you should check out the
+[[https://www.openbsd.org/faq/faq4.html#Download][ installation guide]], which goes over the process in detail.
* Configuring a static IP
The most important thing is to set a static IP, so it can be set as
the gateway for client machines. We'll set this first.
+ In this post the machine will have a single network interface called
+ =vio0= with a desired static IP of =192.168.0.11=, although the
+ interface and IP in your case will be differ.
+
Setting a static IP in OpenBSD couldn't be simpler. For each interface
on the machine, you can create a file with the name
=/etc/hostname.<if>=, where =<if>= is the name of the interface. Since
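Review bot: the move into "* Configuring a static IP" introduces a regression in the last added paragraph: "interface and IP in your case will be differ" replaces the original "will be different"; restore "different". The two re-indented link lines also put the indentation space inside the link description (`[[https://man.openbsd.org/man8/pfctl.8][ =pfctl(8)=]]` and `[[...][ installation guide]]`), so the rendered link text gains a leading space and those source lines lose the one-space indent the rest of the section body has; move the space before `[[`. Since the text is being restructured anyway, this is a good moment to fix the grammar carried over verbatim into the new sections: "Maybe there are a limit" (there is a limit), "machines of the connection" (on the connection), "sets that machine as it's gateway" (its), "the speed of you VPN connection" (your), "straight forward" (straightforward), and the "Hardware" paragraph now says "In my case" twice in consecutive sentences. Finally, "installation guide" still links to the same `faq4.html#Download` anchor as the "download" link, which likely is not the intended target.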