How to Install OpenVPN Server and Client on FreeBSD 12.0

OpenVPN is an open-source application that allows you to create a secure private network over the public internet. OpenVPN implements a virtual private network (VPN) to create a secure connection. OpenVPN Uses the OpenSSL library to provide the encryption and it provides several authentication mechanisms, such as certificate-based, pre-shared keys, and username/password authentication.

In this tutorial, we will show you how to step-by-step install and configure OpenVPN on FreeBSD 12.0. We will create the VPN server with the FreeBSD system and implement the certificate-based OpenVPN authentication.

Prerequisite

For this guide, you will need the latest FreeBSD 12.0 with the minimal 512 MB of RAM and 1 CPUs. And you will need the root privileges and the pf firewall.

What we will do:

  • Install OpenVPN on FreeBSD 12.0
  • Setup Variables for Certificates
  • Generate Certificates
  • Configure OpenVPN
  • Setup PF Firewall
  • Enable Port-Forwarding on FreeBSD
  • Testing

Step 1 - Install OpenVPN

Firstly, we will update the binary packages repository and install the OpenVPN packages to the FreeBSD system using the pkg command below.

pkg update
pkg install openvpn

Once the installation is complete, add the OpenVPN service to the system boot and define the OpenVPN tunnel interface 'tun' using the sysrc command below.

sysrc openvpn_enable="YES"
sysrc openvpn_if="tun"

Now the OpenVPN package has been installed on the FreeBSD 12.0 system.

Step 2 - Setup Variables for Certificate

In this step, we're going to set up the 'easy-rsa' variables for generating OpenVPN certificates.

Create a new openvpn directory '/usr/local/etc/openvpn/' and copy the 'easy-rsa' directory into it.

mkdir -p /usr/local/etc/openvpn/
cp -R /usr/local/share/easy-rsa /usr/local/etc/openvpn/

Now goto the '/usr/local/etc/openvpn/easy-rsa/' directory and edit the 'vars' file using vim editor.

cd /usr/local/etc/openvpn/easy-rsa/
vim vars

Change details with your own and paste into it.

set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "DE"
set_var EASYRSA_REQ_PROVINCE    "Frankfurt"
set_var EASYRSA_REQ_CITY        "Frankfurt"
set_var EASYRSA_REQ_ORG         "hakase-labs CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL       "[email protected]"
set_var EASYRSA_REQ_OU          "HAKASE-LABS EASY CA"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       7500
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "HAKASE-LABS CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST          "sha256"

Save and close.

Now make the 'vars' file an executable.

chmod +x vars

And we're ready to generate VPN certificates.

Step 3 - Generate Certificates

In this step, we're going to generate some certificates for the OpenVPN server. We will generate a CA, client and server certificates, DH-PARAM, and the CRL (Certificate Revocation List) certificate.

Go to the '/usr/local/etc/openvpn/easy-rsa/' directory and initialize the Public Key Infrastructure (PKI) directory using the 'easyrsa.real' command as below.

cd /usr/local/etc/openvpn/easy-rsa/
./easyrsa.real init-pki

- Generate CA

Now generate the CA certificate and key.

./easyrsa.real build-ca

And you will be asked for the password of the CA key. Type your password and the CA certificate and key has been generated.

Next, we will generate and sign the server certificate and key using our new CA.

- Generate and Sign Server Certificate

Generate the VPN server certificate and key using the following command.

./easyrsa.real gen-req openvpn-bsd nopass

After that, sign the server certificate using the CA key.

./easyrsa.real sign-req server openvpn-bsd

Type the passphrase for the CA key and the server certificate and key has been created.

Verify the server certificate and keys using the following command.

openssl verify -CAfile pki/ca.crt pki/issued/openvpn-bsd.crt

And make sure you get no error.

- Generate and Sign Client Certificate

After generating the certificate for the server, we will generate a new certificate for the client and sign it with the CA key.

Generate new certificate and key 'client01' using the following command.

./easyrsa.real gen-req client01 nopass

Then sign the certificate with the CA key.

./easyrsa.real sign-req client client01

Type the passphrase for the CA key and the client certificate and key has been created.

Verify the client certificate and key using the openssl command as below.

openssl verify -CAfile pki/ca.crt pki/issued/client01.crt

And you will get the result as below.

The client certificate and key have been generated without any error.

- Generate DH-PARAM and CRL Certificate

The DH-PARAM certificated is needed for additional security. And the CRL (Certificate Revocation List) will be used to list all client certificate that you want to remove from accessing the VPN server.

Generate a new CRL and DH-PARAM certificate using the following command.

./easyrsa.real gen-crl
./easyrsa.real gen-dh

Once it's complete, all basic certificates that needed for our VPN server has been generated.

- Copy all Certificates

Next, we need to copy all certificates to the OpenVPN directory. Create a new directory 'server' and 'client' inside the OpenVPN directory.

mkdir -p /usr/local/etc/openvpn/{server,client}

Copy the CA certificate, server certificate and key to the 'server' directory.

cp pki/ca.crt /usr/local/etc/openvpn/server/
cp pki/issued/openvpn-bsd.crt /usr/local/etc/openvpn/server/
cp pki/private/openvpn-bsd.key /usr/local/etc/openvpn/server/

Copy the CA certificate, client01 certificate and key to the 'client' directory.

cp pki/ca.crt /usr/local/etc/openvpn/client/
cp pki/issued/client01.crt /usr/local/etc/openvpn/client/
cp pki/private/client01.key /usr/local/etc/openvpn/client/

Copy the DH-PARAM and CRL certificates to the 'server' directory.

cp pki/dh.pem /usr/local/etc/openvpn/server/
cp pki/crl.pem /usr/local/etc/openvpn/server/

And now we're ready to configure the OpenVPN server.

Step 4 - Configure OpenVPN

Go to the '/usr/local/etc/openvpn' directory and create a new openvpn configuration called 'openvpn.conf' using editor.

cd /usr/local/etc/openvpn/
vim openvpn.conf

Change the configuration as you need and paste into it.

# OpenVPN Port, Protocol, and the Tun
port 1194
proto udp
dev tun

# OpenVPN Server Certificate - CA, server key and certificate
ca /usr/local/etc/openvpn/server/ca.crt
cert /usr/local/etc/openvpn/server/openvpn-bsd.crt
key /usr/local/etc/openvpn/server/openvpn-bsd.key

#DH and CRL key
dh /usr/local/etc/openvpn/server/dh.pem
crl-verify /usr/local/etc/openvpn/server/crl.pem

# Network Configuration - Internal network
# Redirect all Connection through OpenVPN Server
server 10.5.5.0 255.255.255.0
push "redirect-gateway def1"

# Using the DNS from https://dns.watch
push "dhcp-option DNS 84.200.69.80"
push "dhcp-option DNS 84.200.70.40"

#Enable multiple clients to connect with the same certificate key
duplicate-cn

# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache

# Other Configuration
keepalive 20 60
explicit-exit-notify 1
persist-key
persist-tun
comp-lzo yes
daemon
user nobody
group nobody

# OpenVPN Log
log-append /var/log/openvpn.log
verb 3

Save and close.

Now start the OpenVPN service and check it's status.

service openvpn start
service openvpn status

You will get the OpenVPN service is up and running on PID '14490'.

Check the OpenVPN port using the sockstat command below.

sockstat -l4

And you will get the result as below.

The OpenVPN service is running on default UDP port '1194'.

Step 5 - Setup pf Firewall

In this step, we're going to set up the pf firewall for the VPN server. We will create the nat rule for the OpenVPN interface 'tun0' and allows all connection to be redirected to the external network interface 'vtnet0'.

Before going any further, make sure the pf firewall is configured on the system. Or you can use the link below to configure it.

How to Setup pf Firewall on FreeBSD 12.0

Now go to the '/usr/local/etc' directory and edit the pf configuration file 'pf.conf' using vim editor.

cd /usr/local/etc/
vim pf.conf

Define the OpenVPN interface and local IP address.

# vpn interface
vpn_if="tun0"
vpn_net = "10.5.5.0/24"

Reassemble all fragmented packets on the external interface before filtering them.

# reassemble all fragmented packets before filtering them
scrub in on $ext_if all fragment reassemble

Enable the nat from the OpenVPN IP address to the external interface.

# route traffic from VPN interface out to the internet
nat on ! $vpn_if from $vpn_net to any -> $ext_ip

Now pass all connections to the UDP protocol on the OpenVPN port '1194' and pass all connection on the OpenVPN interface 'tun0'.

# Allow Connection to VPN Server
pass in on $ext_if proto udp from any to ($ext_if) port 1194 keep state

# Pass all connection on the VPN Interface
pass in on $vpn_if from any to any

Save and close.

Now check the pf firewall configuration and make sure there is no error, then reload the pf rules.

service pf check
service pf reload

As a result, the pf firewall configuration has been completed.

You can check the pf firewall rules using the following command.

pfctl -sr
pfctl -sn

And you will be shown the result as below.

Step 6 - Setup and Enable Port Forwarding

In this step, we're going to enable the port forwarding on the FreeBSD system.

Edit the '/etc/sysctl.conf' file using vim editor.

vim /etc/sysctl.conf

Paste the following configuration.

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

Save and close.

Now check the sysctl config file using the following command.

sysctl -f /etc/sysctl.conf

Next, enable the FreeBSD system as a gateway by adding the configuration to the '/etc/rc.conf' using the following command.

sysrc gateway_enable="YES"

Then reboot the server.

reboot

Now the port forwarding on the FreeBSD system has been enabled.

Step 7 - Setup Client

In this step, we're going to create a new configuration '.ovpn' fro the client.

Go to the '/usr/local/etc/openvpn/client' directory and create a new configuration 'client01.ovpn'.

cd /usr/local/etc/openvpn/client/
vim client01.ovpn

Change the remote IP address and other details with your own and paste into it.

client
dev tun
proto udp

remote xxx.xxx.xxx.xxx 1194

ca ca.crt
cert client01.crt
key client01.key

cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3

Save and close.

Now download all certificates, key, and the configuration inside the '/usr/local/etc/openvpn/client' directory to your local computer.

Step 8 - Testing

In this step, we''re going to connect to the VPN server using the 'client01.ovpn' configuration from the local computer.

After downloading certificates and configuration, go to the download directory and connect to the openvpn server using the command as below.

openvpn --config client01.ovpn

Once the connection is complete, open new terminal tab and checks the 'tun0' interface.

ifconfig tun0

And you will get the internal IP address from the OpenVPN server.

Next, we will test to ping the OpenVPN server using its internal IP address.

ping -c3 10.5.5.1

And you will get an ICMP answer from the server.

After that, check the internet connection using the curl command below.

curl ipinfo.io

Now you will be shown the external IP address of the server.

As a result, the installation and configuration of OpenVPN server on FreeBSD 12.0 has been completed successfully.

Reference

Share this page:

0 Comment(s)