From 10109a0188606cd14c92b5f07f1891b94166df5c Mon Sep 17 00:00:00 2001
From: Dante Catalfamo
Date: Tue, 21 Jul 2020 22:43:21 -0400
Subject: gateway: chmod files and rcctl business
---
 content/posts/openbsd-vpn-gateway/index.org | 34 +++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
(limited to 'content/posts/openbsd-vpn-gateway/index.org')
diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org
index f45a3d7..585a197 100644
--- a/content/posts/openbsd-vpn-gateway/index.org
+++ b/content/posts/openbsd-vpn-gateway/index.org
@@ -155,3 +155,37 @@
 #+BEGIN_SRC
 auth-user-pass vpnpass.txt
 #+END_SRC
+
+ Now we change their permissions to make sure they cannot be read or
+ modified by other users on the system.
+
+ #+BEGIN_SRC shell
+ doas chmod 600 profile.ovpn vpnpasswd.txt
+ #+END_SRC
+
+** rcctl
+
+ We can now set the OpenVPN daemon to launch at boot with our
+ modified profile using =rcctl=. =rcctl= is a tool that comes with
+ OpenBSD which modifies =/etc/rc.conf.local= on your behalf to
+ ensure it's done properly. The use of =rcctl= is not strictly
+ required, but highly recommended.
+
+
+ #+BEGIN_SRC shell
+ doas rcctl set openvpn flags --config /root/profile.ovpn
+ doas rcctl enable openvpn
+ doas rcctl start openvpn
+ #+END_SRC
+
+ - =rcctl set openvpn flags --config /root/profile.ovpn= tells
+ =rcctl= to set the launch flags to the =openvpn= daemon to
+ =--config /root/profile.ovpn=. This is an OpenVPN option that
+ tells it to load its config from =/root/profile.ovpn=.
+
+ - =rcctl enable openvpn=, enables the daemon at boot.
+
+ - =rcctl start openvpn= starts the =openvpn= daemon.
+
+ If things are configured correctly, you should now see a =tun=
+ device in your =ifconfig=.
-- cgit v1.2.3
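Review bot: The added `doas chmod 600 profile.ovpn vpnpasswd.txt` names a different file than the `auth-user-pass vpnpass.txt` line in the context just above it, so a reader following the post either gets a chmod error or leaves the real credentials file at its default mode. If the file created earlier in the post (outside this hunk) is `vpnpass.txt`, the command should read `doas chmod 600 profile.ovpn vpnpass.txt`. Mode 600 only keeps other users out when the owner is root, so it may be worth adding a line such as `ls -l /root/profile.ovpn /root/vpnpass.txt` to confirm owner and mode. Since the rcctl section starts the daemon with `--config /root/profile.ovpn`, the relative `auth-user-pass vpnpass.txt` presumably depends on the daemon's working directory; an absolute path would remove that dependency.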