
How to install OpenVPN on FreeBSD 11

This quick guide describes how to install OpenVPN on FreeBSD 11.

OpenVPN Installation & Configuration

root@openvpn:/ # pkg install nano openvpn
root@openvpn:/ # mkdir -p /usr/local/etc/openvpn/
root@openvpn:/ # cp -R /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa/
root@openvpn:/ # cd /usr/local/etc/openvpn/easy-rsa    
root@openvpn:/usr/local/etc/openvpn/easy-rsa # cp easyrsa.real easyrsa
root@openvpn:/usr/local/etc/openvpn/easy-rsa # chmod 755 easyrsa
root@openvpn:/usr/local/etc/openvpn/easy-rsa # nano vars
set_var EASYRSA_REQ_COUNTRY     "DE"
set_var EASYRSA_REQ_PROVINCE    "Baden-Württemberg"
set_var EASYRSA_REQ_CITY        "Heidelberg"
set_var EASYRSA_REQ_ORG         "Typomedia"
set_var EASYRSA_REQ_EMAIL       "info@typo.media"
set_var EASYRSA_REQ_OU          "Development"

set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_DIGEST          "sha256"
root@openvpn:/usr/local/etc/openvpn/easy-rsa # ./easyrsa init-pki
root@openvpn:/usr/local/etc/openvpn/easy-rsa # ./easyrsa build-ca nopass
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: Typomedia CA
root@openvpn:/usr/local/etc/openvpn/easy-rsa # ./easyrsa gen-req openvpn-server nopass
Common Name (eg: your user, host, or server name) [openvpn-server]: [return]
root@openvpn:/usr/local/etc/openvpn/easy-rsa # ./easyrsa sign-req server openvpn-server
Confirm request details: yes    
root@openvpn:/usr/local/etc/openvpn/easy-rsa # ./easyrsa gen-dh
root@openvpn:/usr/local/etc/openvpn/easy-rsa # openvpn --genkey --secret ta.key

Create Client Certs

root@openvpn:/usr/local/etc/openvpn/easy-rsa # ./easyrsa gen-req openvpn-client

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
........................+++
.+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/openvpn-client.key.knHaBwiKyJ'
Enter PEM pass phrase: ****************
Verifying - Enter PEM pass phrase: ****************
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [openvpn-client]: [return]

root@openvpn:/usr/local/etc/openvpn/easy-rsa # ./easyrsa sign-req client openvpn-client

  Confirm request details: yes

OpenVPN Server Configuration

root@openvpn:/usr/local/etc/openvpn # nano /usr/local/etc/openvpn/server.conf
port 1194
proto udp
dev tun
# NOTE(review): easyrsa wrote its PKI under /usr/local/etc/openvpn/easy-rsa/pki/
# (see the gen-req output above, which names
# .../easy-rsa/pki/private/openvpn-client.key), not /usr/local/etc/openvpn/pki/
# as referenced by the next four lines. Move or symlink the pki directory, or
# point these paths at easy-rsa/pki, before starting the daemon.
ca /usr/local/etc/openvpn/pki/ca.crt
cert /usr/local/etc/openvpn/pki/issued/openvpn-server.crt
key /usr/local/etc/openvpn/pki/private/openvpn-server.key
dh /usr/local/etc/openvpn/pki/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt
#replace 192.168.2.0 with your local net
push "route 192.168.2.0 255.255.255.0"
# duplicate-cn lets several clients connect with the same certificate at once,
# so a leaked client key cannot be cut off by revoking a single identity.
# Prefer one certificate per client (repeat gen-req/sign-req per user) and
# drop this line.
duplicate-cn
keepalive 10 60
# ta.key is a shared secret: every client gets a copy, so handle it like a
# private key when copying files to clients. The trailing 0 is the server's
# key direction; clients use 1.
tls-auth /usr/local/etc/openvpn/easy-rsa/ta.key 0
cipher AES-256-CBC
max-clients 20
persist-key
persist-tun
# comp-lzo: compressing tunnelled traffic is deprecated in newer OpenVPN
# releases and has known compression-oracle weaknesses. Omit it on both the
# server and the client unless the link really needs it.
comp-lzo
status /var/log/openvpn-status.log
verb 3
explicit-exit-notify 1
root@openvpn:/ # nano /usr/local/etc/ipfw.rules
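#!/bin/sh
# /usr/local/etc/ipfw.rules -- loaded through firewall_script in /etc/rc.conf.
#
# Installs only the NAT rules needed to masquerade the OpenVPN subnet behind
# the jail's epair interface. It adds no filtering rules: after the flush the
# kernel's default rule (65535 allow ip from any to any, as "ipfw list" shows
# later in this guide) still decides every other packet, so any packet
# filtering has to come from the host or be added here explicitly.
set -u

VPN_NET="10.8.0.0/24"

# Use the first epair interface only. A bare "grep epair" returned every match,
# which produced a multi-word value (and malformed ipfw rules) on hosts with
# more than one epair; with no epair at all the rules were silently installed
# against an empty interface name.
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair | head -n 1)
if [ -z "${EPAIR}" ]; then
  echo "ipfw.rules: no epair interface found, NAT rules not installed" >&2
  exit 1
fi

ipfw -q -f flush
ipfw -q nat 1 config if "${EPAIR}"
ipfw -q add nat 1 all from "${VPN_NET}" to any out via "${EPAIR}"
ipfw -q add nat 1 all from any to any in via "${EPAIR}"

# Give the (first) cloned tun device the stable name tun0 that the rest of
# the setup presumably expects; skip the rename when it already has that name.
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun | head -n 1)
if [ -n "${TUN}" ] && [ "${TUN}" != "tun0" ]; then
  ifconfig "${TUN}" name tun0
fi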
root@openvpn:/usr/local/etc/openvpn # nano /etc/rc.conf
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
openvpn_dir="/usr/local/etc/openvpn/"
cloned_interfaces="tun"
# Enables IPv4 forwarding so VPN clients can reach the pushed 192.168.2.0/24
# route through this host.
gateway_enable="YES"
# firewall_script replaces the stock /etc/rc.firewall rule sets: the script
# from this guide only installs NAT rules, so everything else is decided by
# the kernel's default rule 65535 (allow ip from any to any, see "ipfw list"
# below). Add explicit filtering rules to that script if this host is exposed.
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

Now restart the machine or the jail.

Check the Firewall

root@openvpn:/ # ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair3b
00200 nat 1 ip from any to any in via epair3b
65535 allow ip from any to any

Check the OpenVPN Daemon

root@openvpn:/ # sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    49275 7  udp46  *:1194                *:*

Copy Files to OpenVPN Client

/usr/local/etc/openvpn/pki/ca.crt
/usr/local/etc/openvpn/easy-rsa/ta.key
/usr/local/etc/openvpn/pki/issued/openvpn-client.crt
/usr/local/etc/openvpn/pki/private/openvpn-client.key

Create client.ovpn

client
dev tun
proto udp
#replace vpn.domain.tld with your domain or public ip
remote vpn.domain.tld 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert openvpn-client.crt
# openvpn-client.key was generated with a PEM pass phrase (gen-req was run
# without "nopass" above), so the client prompts for it on every connect.
# Keep the file readable only by the owning user.
key openvpn-client.key
# Rejects a peer whose certificate was not signed with the "server" role, so a
# leaked client certificate cannot be used to impersonate the VPN server.
remote-cert-tls server
# Key direction 1 is the opposite of the server's "tls-auth ... 0".
tls-auth ta.key 1
cipher AES-256-CBC
# Must match the server setting; drop it on both sides unless compression is
# really needed (see the deprecation/compression-oracle caveat for comp-lzo).
comp-lzo
verb 3

Troubleshooting

openvpn --config /usr/local/etc/openvpn/server.conf

Install OpenVPN Client on Ubuntu

sudo apt install openvpn network-manager-openvpn network-manager-openvpn-gnome

Further Information


The content on this page is licensed under Creative Commons Attribution 4.0 International license.