Welcome to yet another guide, this time on how to install and configure an OpenVPN server on FreeBSD 12. In our previous guide we learnt how to install and set up an OpenVPN server on Fedora 29/CentOS 7.
Install and Configure OpenVPN Server FreeBSD 12
To kick off, update your FreeBSD 12 package repository.
pkg update
Install the OpenVPN and Easy-RSA packages.
pkg install openvpn easy-rsa
Create directories to store the server configuration file and the CA, server key and certificate files.
mkdir -p /usr/local/etc/openvpn/easy-rsa
mkdir /usr/local/etc/openvpn/server
Copy the sample OpenVPN and Easy-RSA configuration files to the respective configuration directories created above.
cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/server/
cp -r /usr/local/share/easy-rsa/* /usr/local/etc/openvpn/easy-rsa/
Generate the Local CA, Keys and Certificate files with EasyRSA
The certificate variables are set in the /usr/local/etc/openvpn/easy-rsa/vars file. To ease certificate generation, edit this file, then uncomment and adjust the certificate values as follows;
vim /usr/local/etc/openvpn/easy-rsa/vars
set_var EASYRSA_REQ_COUNTRY "KE"
set_var EASYRSA_REQ_PROVINCE "Nairobi"
set_var EASYRSA_REQ_CITY "Nairobi"
set_var EASYRSA_REQ_ORG "Kifarunix"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "Infrastructure"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650
Easy-RSA ships with a certificate generation script called easyrsa.real. To generate the certificate files, change into the /usr/local/etc/openvpn/easy-rsa/ directory and proceed as follows;
Initialize the PKI.
cd /usr/local/etc/openvpn/easy-rsa
sh ./easyrsa.real init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/etc/openvpn/easy-rsa/pki
Build the CA certificate by running the command below. Set the CN and the CA key encryption password when prompted.
sh ./easyrsa.real build-ca
Generate a key and certificate for the server and for the client (nopass skips the private key passphrase).
sh ./easyrsa.real build-server-full server nopass
sh ./easyrsa.real build-client-full client nopass
Generate the Diffie-Hellman parameters file (dh.pem) used during the TLS handshake with connecting clients.
sh ./easyrsa.real gen-dh
In case you later need to invalidate a previously signed certificate, generate a certificate revocation list (CRL).
sh ./easyrsa.real gen-crl
Generate the TLS pre-shared authentication key (ta.key).
openvpn --genkey --secret /usr/local/etc/openvpn/easy-rsa/pki/ta.key
Copy all the server keys and certificates from /usr/local/etc/openvpn/easy-rsa/pki/ to the configuration directory created above (the brace expansion below works in csh or bash; FreeBSD's plain sh does not expand braces, so copy the files one by one there).
cp -r /usr/local/etc/openvpn/easy-rsa/pki/{ca.crt,dh.pem,ta.key,issued,private} /usr/local/etc/openvpn/server/
Configure OpenVPN Server
Edit the server configuration file so that, with the comments removed, it looks like the one below;
vim /usr/local/etc/openvpn/server/server.conf
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/server/ca.crt
cert /usr/local/etc/openvpn/server/issued/server.crt
key /usr/local/etc/openvpn/server/private/server.key
dh /usr/local/etc/openvpn/server/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth sha512
remote-cert-tls client
Create the log directory;
mkdir /var/log/openvpn/
Configure Routing
Run the command below to configure IPv4 NAT routing. This enables the ipfw firewall, which natd requires, and enables IP forwarding; set natd_interface to your external (Internet-facing) interface, em1 in this example.
cat << EOF >> /etc/rc.conf
firewall_enable="YES"
firewall_type="open"
gateway_enable="YES"
natd_enable="YES"
natd_interface="em1"
natd_flags="-dynamic -m"
EOF
Reboot the server for the changes made above to take effect.
reboot
Enable OpenVPN to start on boot, point it at the server configuration file, and start it.
sysrc openvpn_enable=YES
sysrc openvpn_configfile="/usr/local/etc/openvpn/server/server.conf"
service openvpn start
Verify that OpenVPN is running and listening on UDP port 1194.
sockstat -4 -l | grep 1194
nobody   openvpn    2824  6  udp46  *:1194  *:*
Verify that the tun interface has been created.
ifconfig
...
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::a00:27ff:fe06:ec18%tun0 prefixlen 64 tentative scopeid 0x4
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffff00
        groups: tun
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        Opened by PID 2824
Configure the Client
Copy the CA certificate, the TLS auth key file, and the client key and certificate to the client, keeping the private key and ta.key readable only by the user who runs OpenVPN there.
/usr/local/etc/openvpn/server/ca.crt
/usr/local/etc/openvpn/server/issued/client.crt
/usr/local/etc/openvpn/server/private/client.key
/usr/local/etc/openvpn/server/ta.key
Create the client configuration file, with remote pointing at your server's address.
cat << EOF > client.ovpn
client
tls-client
pull
dev tun
proto udp
remote 192.168.43.12 1194
resolv-retry infinite
nobind
dhcp-option DNS 208.67.222.222
user nobody
group nogroup
persist-key
persist-tun
key-direction 1
tls-auth ta.key 1
comp-lzo
verb 3
ca ca.crt
cert client.crt
key client.key
auth SHA512
remote-cert-tls server
EOF
To connect to the VPN server from a Linux system, run the command below from the directory holding client.ovpn and the copied files;
sudo openvpn client.ovpn
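The server and client configurations above should agree with each other, and file directives on the server should use absolute paths: OpenVPN resolves a bare file name against its working directory (which the FreeBSD rc.d script sets with --cd, by default /usr/local/etc/openvpn), not against the directory holding server.conf, which is the slip a reader points out in the comments. As an added example that is not part of the original guide, the Python below parses both files (constructed samples trimmed from the guide's configs, with the server's tls-auth line as originally posted) and reports relative file paths, missing server-side hardening directives, a wrong tls-auth key direction, and cipher or auth values that differ between the two sides.

```python
# Added example (not from the original guide): lint the guide's server.conf and
# client.ovpn for common OpenVPN mismatches; the samples are trimmed constructions.
SERVER = """\
ca /usr/local/etc/openvpn/server/ca.crt
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nobody
auth sha512
remote-cert-tls client
"""
CLIENT = """\
key-direction 1
tls-auth ta.key 1
auth SHA512
"""
# File directives: OpenVPN resolves a bare name against its working directory (the
# FreeBSD rc.d script passes --cd, default /usr/local/etc/openvpn), so use absolute paths.
FILE_DIRECTIVES = {"ca", "cert", "key", "dh", "tls-auth", "crl-verify"}
EXPECTED_ON_SERVER = ("user", "group", "remote-cert-tls", "tls-auth", "cipher", "auth")

def parse(text):
    """Map directive -> its argument list (first occurrence wins, comments dropped)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf.setdefault(name, args)
    return conf

def arg(conf, directive, n=0):
    args = conf.get(directive, [])
    return args[n] if len(args) > n else ""

def key_direction(conf):  # tls-auth's second argument, else a key-direction line
    return arg(conf, "tls-auth", 1) or arg(conf, "key-direction")

def lint(server_text, client_text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    server, client = parse(server_text), parse(client_text)
    findings = [f"server: {d} {arg(server, d)} is a relative path"
                for d in sorted(FILE_DIRECTIVES & server.keys())
                if arg(server, d) and not arg(server, d).startswith("/")]
    findings += [f"server: missing {d}" for d in EXPECTED_ON_SERVER if d not in server]
    if (key_direction(server), key_direction(client)) != ("0", "1"):
        findings.append("tls-auth key direction must be 0 on the server, 1 on the client")
    for d in ("cipher", "auth"):  # OpenVPN matches cipher/digest names case-insensitively
        s, c = arg(server, d).upper(), arg(client, d).upper()
        if s != c:
            findings.append(f"{d}: server={s or 'unset'} client={c or 'unset'}")
    return findings
```

Run against the guide's files it reports the relative ta.key on the server and that the client sets no cipher (so it depends on cipher negotiation with the server); an empty list means the two sides agree.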
Magnificent!! That is all it takes to install and configure an OpenVPN server on FreeBSD 12. Thank you for reading.
Hello,
Thanks for this perfect howto. I found one small mistake: under _Configure OpenVPN Server_, in the line _tls-auth ta.key 0 # This file is secret_, you should also write the full path 😉
Best regards, René
Thanks for the feedback, René.
Good day Amos,
Thanks for your brilliant work.
Will this config work on FreeBSD 12 inside an iocage jail?
I am moving away from Linux and implementing my customer service platform on FreeBSD only going forward.
Best regards,
Johan van Huyssteen
Hey Johan. This is something I haven't tried out. I will try it and update as soon as possible.
Wondering if you have a reference using pf instead of ipfw rulesets?
You can check here.
Great guide. Worked first time!!
Wondering about the Android OpenVPN app. It doesn't accept the script and there is no obvious place to put the certs etc.?
My apologies – worked it out. There are two different OpenVPN apps: OpenVPN and OpenVPN for Android. The latter allows you to import certificates.
Thanks again for your guide. 🙂
Thanks for the feedback, Alek.
Update (maybe?) for FreeNAS (/FreeBSD?) 11.2/11.3 — the issued crt and key from "Generate a key and certificate file for the server and client." are (now?) named nopass.crt and nopass.key, so those lines of the conf need to be updated. This was my OpenVPN server hierarchy:
[email protected]:/usr/local/etc/openvpn/server # tree
.
|-- ca.crt
|-- dh.pem
|-- issued
|   `-- nopass.crt
|-- private
|   |-- ca.key
|   `-- nopass.key
|-- server.conf
`-- ta.key
If running from a FreeNAS jail, MAKE SURE TO enable the "allow_tun" parameter in the jail's "Custom Properties" config screen. You may need to restart your FreeNAS server after setting this parameter.