Install and Configure OpenVPN Server FreeBSD 12


Welcome to yet another guide, this time on how to install and configure an OpenVPN server on FreeBSD 12. In our previous guide we learnt how to install and set up an OpenVPN server on Fedora 29/CentOS 7.

Install and Configure OpenVPN Server FreeBSD 12

To kick off with, you need to update your FreeBSD 12 package repository.

pkg update

Install the OpenVPN and Easy-RSA packages

pkg install openvpn easy-rsa

Create a directory to store the server configuration files, the CA, server keys and certificate files.

mkdir -p /usr/local/etc/openvpn/easy-rsa
mkdir /usr/local/etc/openvpn/server

Copy the sample OpenVPN server configuration and the Easy-RSA files to the respective configuration directories created above.

cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/server/
cp -r /usr/local/share/easy-rsa/* /usr/local/etc/openvpn/easy-rsa/

Generate the Local CA, Keys and Certificate files with EasyRSA

The certificate variables are set in the /usr/local/etc/openvpn/easy-rsa/vars file. To ease certificate generation, edit this file, then uncomment and adjust the certificate values as follows;

vim /usr/local/etc/openvpn/easy-rsa/vars
set_var EASYRSA_REQ_COUNTRY	"KE"
set_var EASYRSA_REQ_PROVINCE	"Nairobi"
set_var EASYRSA_REQ_CITY	"Nairobi"
set_var EASYRSA_REQ_ORG		"Kifarunix"
set_var EASYRSA_REQ_EMAIL	"[email protected]"
set_var EASYRSA_REQ_OU		"Infrastructure"
set_var EASYRSA_KEY_SIZE	2048
set_var EASYRSA_CA_EXPIRE	3650
set_var EASYRSA_CERT_EXPIRE	3650

Easy-RSA ships with a certificate generation script called easyrsa.real. To generate the certificate files, change to the /usr/local/etc/openvpn/easy-rsa/ directory and proceed as follows;

Initialize the PKI

cd /usr/local/etc/openvpn/easy-rsa
sh ./easyrsa.real init-pki
Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/etc/openvpn/easy-rsa/pki

Build the CA certificate by running the command below. Set the CA common name (CN) and the passphrase that protects the CA private key when prompted.

sh ./easyrsa.real build-ca

Generate a key and certificate for the server and for a client. The nopass argument leaves these private keys unencrypted, so keep their file permissions restricted to root.

sh ./easyrsa.real build-server-full server nopass
sh ./easyrsa.real build-client-full client nopass

Generate the Diffie-Hellman parameters file used during the TLS handshake with connecting clients.

sh ./easyrsa.real gen-dh

To be able to invalidate a previously signed certificate later, generate a certificate revocation list (CRL). Note that the server only enforces it if server.conf references the file with the crl-verify directive.

sh ./easyrsa.real gen-crl

Generate the tls-auth pre-shared key. With it, the server drops control-channel packets that are not HMAC-signed with this key before any TLS handshake takes place.

openvpn --genkey --secret /usr/local/etc/openvpn/easy-rsa/pki/ta.key

Copy the server keys and certificates from /usr/local/etc/openvpn/easy-rsa/pki/ to the configuration directory created above. Note that this also copies the CA private key (private/ca.key) and the client key, so the directory must stay readable by root only.

cp -r /usr/local/etc/openvpn/easy-rsa/pki/{ca.crt,dh.pem,ta.key,issued,private} /usr/local/etc/openvpn/server/

Configure OpenVPN Server

Edit the server configuration file so that, with the comments removed, it looks like the one below. Use full paths for every file it references, because the FreeBSD rc script does not start OpenVPN inside the server/ directory;

vim /usr/local/etc/openvpn/server/server.conf
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/server/ca.crt
cert /usr/local/etc/openvpn/server/issued/server.crt
key /usr/local/etc/openvpn/server/private/server.key
dh /usr/local/etc/openvpn/server/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /usr/local/etc/openvpn/server/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth sha512
remote-cert-tls client

Create the log directory;

mkdir /var/log/openvpn/

Configure Routing

Run the command below to configure IPv4 NAT routing, replacing em1 with the name of your external interface. This enables the ipfw firewall, which natd requires.

cat << EOF >> /etc/rc.conf
firewall_enable="YES"
firewall_type="open"
gateway_enable="YES"
natd_enable="YES"
natd_interface="em1"
natd_flags="-dynamic -m"
EOF

Reboot the server for the changes above to take effect.

reboot

Start OpenVPN and set it to start on boot.

sysrc openvpn_enable=YES
sysrc openvpn_configfile="/usr/local/etc/openvpn/server/server.conf"
service openvpn start

Verify that OpenVPN is running and listening on UDP port 1194.

sockstat -4 -l | grep 1194
nobody   openvpn    2824  6  udp46  *:1194                *:*

Verify that the tun interface has been created.

ifconfig
...
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	inet6 fe80::a00:27ff:fe06:ec18%tun0 prefixlen 64 tentative scopeid 0x4 
	inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffff00 
	groups: tun 
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	Opened by PID 2824

Configure the Client

Copy the CA certificate, the tls-auth key, and the client key and certificate to the client.

/usr/local/etc/openvpn/server/ca.crt
/usr/local/etc/openvpn/server/issued/client.crt
/usr/local/etc/openvpn/server/private/client.key
/usr/local/etc/openvpn/server/ta.key

Create the client configuration file, replacing 192.168.43.12 with the address of your server;

cat << EOF > client.ovpn
client
tls-client
pull
dev tun
proto udp
remote 192.168.43.12 1194
resolv-retry infinite
nobind
dhcp-option DNS 208.67.222.222
user nobody
group nogroup
persist-key
persist-tun
key-direction 1
tls-auth ta.key 1
comp-lzo
verb 3
ca ca.crt
cert client.crt
key client.key
auth SHA512
remote-cert-tls server
EOF

To connect to the VPN server from a Linux system, run the command below;

sudo openvpn client.ovpn
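The client configuration above reads its four files from the working directory, but some clients only import a single profile. As an added example that is not part of the original guide, this POSIX sh script assembles such a profile by embedding ca.crt, client.crt, client.key and ta.key inline; the source directory and server address arguments are assumptions (defaulting to the current directory and the 192.168.43.12 address used above).

```shell
#!/bin/sh
# Added example (not from the original guide): build a single-file client profile
# with ca.crt, client.crt, client.key and ta.key from directory $1 (default: .)
# embedded inline; $2 is the server address (assumed default: 192.168.43.12).
set -eu
build_inline_profile() {
    dir=${1:-.}
    remote=${2:-192.168.43.12}
    # Refuse to emit a profile with a missing or empty file: without ta.key or the
    # CA the client would either fail to connect or skip server verification.
    for f in ca.crt client.crt client.key ta.key; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            return 1
        fi
    done
    # Same directives as client.ovpn above, minus the ca/cert/key/tls-auth file
    # paths, which the inline blocks emitted below replace.
    cat <<EOF
client
dev tun
proto udp
remote $remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
key-direction 1
verb 3
EOF
    # Each file becomes a <tag>...</tag> block (key-direction 1 replaces tls-auth's "1").
    for pair in "ca ca.crt" "cert client.crt" "key client.key" "tls-auth ta.key"; do
        tag=${pair%% *}; file=${pair#* }
        printf '<%s>\n' "$tag"
        cat "$dir/$file"
        # Keep the closing tag on its own line even if the file has no trailing newline.
        if [ -n "$(tail -c1 "$dir/$file")" ]; then echo; fi
        printf '</%s>\n' "$tag"
    done
}
# Usage: sh build_profile.sh ./client-files 192.0.2.10 > client.ovpn
if [ "$#" -gt 0 ]; then build_inline_profile "$@"; fi
```

The resulting profile contains the unencrypted client key, so transfer it to the client over a trusted channel and delete the copy afterwards.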

Magnificent!! That is all it takes to install and configure OpenVPN server FreeBSD 12. Thank you for reading.

11 COMMENTS

  1. Hello,

    thanks for this perfect howto, I found one small mistake, under _Configure OpenVPN Server_ in the line _tls-auth ta.key 0 # This file is secret_ you also should write the full Path 😉

    best regards René

  2. Good Day Amos
    Thanks for your brilliant work.
    Will this config work on FreeBSD 12 inside an iocage jail?
    I am moving away from linux and implementing my customer service platform on Freebsd only going forward.
    Best Regards
    Johan van Huyssteen

  3. Great guide. Worked first time!!

    Wondering about the android openvpn app. It doesn’t accept the script and there is no obvious place to put the certs etc.?

  4. Update (maybe?) for FreeNAS (/freebsd?) 11.2/11.3 — the issued crt and key from “Generate a key and certificate file for the server and client.” are (now?) named nopass.crt and nopass.key, so those lines of the conf need to be updated. This was my openvpn server hierarchy:

    [email protected] :/usr/local/etc/openvpn/server # tree
    .
    |– ca.crt
    |– dh.pem
    |– issued
    | `– nopass.crt
    |– private
    | |– ca.key
    | `– nopass.key
    |– server.conf
    `– ta.key

  5. If running from a freenas jail, MAKE SURE TO enable the “allow_tun” parameter in the Jail’s “Custom Properties” config screen. You may need to restart your freenas server after setting this parameter.
