This acticle will go through the install and configuration to use FreeBSD as your OpenVPN server and how to create the client config files.
Install the OpenVPN Port
I use port upgrade so I’ll use that to install the ports. If you do not use portupgrade then you can install the port with what ever method works for you.
# pkg install openvpn
Create the directory for all the OpenVPN config files (the certificate store will also be places here):
# mkdir -p /usr/local/etc/openvpn
Copy the sample config files over to this directory.
# cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/openvpn.conf # cp -r /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa
Setup your Certificate Store.
Move ot the easy-rsa directory:
# cd /usr/local/etc/openvpn/easy-rsa
Inside this directory is the vars file. This file contains the variables that are used to create all the certificates that OpenVPN will use. Edit the vars file and update the following variables:
# vi vars
set_var EASYRSA_REQ_COUNTRY "CA" set_var EASYRSA_REQ_PROVINCE "<Province>" set_var EASYRSA_REQ_CITY "<Your City>" set_var EASYRSA_REQ_ORG "<An Org>" set_var EASYRSA_REQ_EMAIL "<Email>" set_var EASYRSA_REQ_OU "<hostnamefor server>"
set_var EASYRSA_KEY_SIZE 2048 set_var EASYRSA_CA_EXPIRE 3650 set_var EASYRSA_CERT_EXPIRE 3650
Create the Certificate Store.
# sh # ./easyrsa.real init-pki
# ./easyrsa.real build-ca
Generate the Server Certificate
# ./easyrsa.real build-server-full openvpn-server nopass
# mkdir -p /usr/local/etc/openvpn/keys # cd /usr/local/etc/openvpn # cp -p easy-rsa/pki/ca.crt keys/ca.crt # cp -p easy-rsa/pki/dh.pem keys/dh.pem # cp -p easy-rsa/pki/issued/openvpn-server.crt keys/openvpn-server.crt # cp -p easy-rsa/pki/private/openvpn-server.key keys/openvpn-server.key
Chages to the Server Config
Open up the OpenVPN server config file with your favorite editor (I like vi).
# vi /usr/local/etc/openvpn/openvpn.conf
Scroll down and look for the lines that specify the certificate locations. Change then to look like the following:
ca /usr/local/etc/openvpn/keys/ca.crt cert /usr/local/etc/openvpn/keys/openvpn-server.crt key /usr/local/etc/openvpn/keys/openvpn-server.key dh /usr/local/etc/openvpn/keys/dh.pem
Make sure the user and group lines are uncommented and set to nobody.
user nobody group nobody
You can change the port in the file if you want to set up the cloent on a non-standard port. (1194 is the default)
Setup the subnet and IP address that the tunnel will use. I use 192.168.13.192 – 192.168.13.255 for my tunnel range. The address that my server will have (for it’s OpenVPN connection) is 192.168.13.193. Here is the server lines that I use:
server 192.168.13.192 255.255.255.192
I have a number of local networks. I want my tunnel setup so that ONLY my local networks get tunneled over OpenVPN. You can specify just the network that get tunneled and the clients will only tunnel those addresses (as apposed to everything going through the tunnel). To do this, you need to setup a push lines for each network that you want tunneled. NOTE: If you want to tunnel all the traffic, look at the “redirect-gateway” line.
On my system, I have three routes that I force as follows:
push "route 10.0.0.0 255.0.0.0" push "route 172.16.0.0 255.240.0.0" push "route 192.168.0.0 255.255.0.0"
You can also force the clients to use your DNS. This is helpful if you have an internal DNS server or run split DNS. Here I force the clients DNS to point at mine.
push "dhcp-option DNS 172.31.15.250" push "dhcp-option DNS 10.0.4.231"
That should be the main configs changes. Look over the rest of the notes in the config file and then save your changes.
Generate the ta.key file need to improve security.
# cd /usr/local/etc/openvpn/keys # openvpn --genkey secret ta.key
Enable the OpenVPN Server
NOTE: This section is specific to FreeBSD. You need to enable the OpenVPN server in the /etc/rc.conf file so that it will start on bootup. You can add these manually or with the following commands:
# sysrc openvpn_enable="YES" # sysrc openvpn_if="tun"
Start the service.
# service openvpn start
Create a Client Certificate.
# ./easyrsa.real build-client full MyiPhone