How to Install OpenVPN Server and Client on FreeBSD 12.0
OpenVPN is an open-source application that allows you to create a secure private network over the public internet. OpenVPN implements a virtual private network (VPN) to create a secure connection. OpenVPN Uses the OpenSSL library to provide the encryption and it provides several authentication mechanisms, such as certificate-based, pre-shared keys, and username/password authentication.
In this tutorial, we will show you how to step-by-step install and configure OpenVPN on FreeBSD 12.0. We will create the VPN server with the FreeBSD system and implement the certificate-based OpenVPN authentication.
Prerequisite
For this guide, you will need the latest FreeBSD 12.0 with the minimal 512 MB of RAM and 1 CPUs. And you will need the root privileges and the pf firewall.
What we will do:
- Install OpenVPN on FreeBSD 12.0
- Setup Variables for Certificates
- Generate Certificates
- Configure OpenVPN
- Setup PF Firewall
- Enable Port-Forwarding on FreeBSD
- Testing
Step 1 - Install OpenVPN
Firstly, we will update the binary packages repository and install the OpenVPN packages to the FreeBSD system using the pkg command below.
pkg update
pkg install openvpn
Once the installation is complete, add the OpenVPN service to the system boot and define the OpenVPN tunnel interface 'tun' using the sysrc command below.
sysrc openvpn_enable="YES"
sysrc openvpn_if="tun"
Now the OpenVPN package has been installed on the FreeBSD 12.0 system.
Step 2 - Setup Variables for Certificate
In this step, we're going to set up the 'easy-rsa' variables for generating OpenVPN certificates.
Create a new openvpn directory '/usr/local/etc/openvpn/' and copy the 'easy-rsa' directory into it.
mkdir -p /usr/local/etc/openvpn/
cp -R /usr/local/share/easy-rsa /usr/local/etc/openvpn/
Now goto the '/usr/local/etc/openvpn/easy-rsa/' directory and edit the 'vars' file using vim editor.
cd /usr/local/etc/openvpn/easy-rsa/
vim vars
Change details with your own and paste into it.
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "DE"
set_var EASYRSA_REQ_PROVINCE "Frankfurt"
set_var EASYRSA_REQ_CITY "Frankfurt"
set_var EASYRSA_REQ_ORG "hakase-labs CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "HAKASE-LABS EASY CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "HAKASE-LABS CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST "sha256"
Save and close.
Now make the 'vars' file an executable.
chmod +x vars
And we're ready to generate VPN certificates.
Step 3 - Generate Certificates
In this step, we're going to generate some certificates for the OpenVPN server. We will generate a CA, client and server certificates, DH-PARAM, and the CRL (Certificate Revocation List) certificate.
Go to the '/usr/local/etc/openvpn/easy-rsa/' directory and initialize the Public Key Infrastructure (PKI) directory using the 'easyrsa.real' command as below.
cd /usr/local/etc/openvpn/easy-rsa/
./easyrsa.real init-pki
- Generate CA
Now generate the CA certificate and key.
./easyrsa.real build-ca
And you will be asked for the password of the CA key. Type your password and the CA certificate and key has been generated.
Next, we will generate and sign the server certificate and key using our new CA.
- Generate and Sign Server Certificate
Generate the VPN server certificate and key using the following command.
./easyrsa.real gen-req openvpn-bsd nopass
After that, sign the server certificate using the CA key.
./easyrsa.real sign-req server openvpn-bsd
Type the passphrase for the CA key and the server certificate and key has been created.
Verify the server certificate and keys using the following command.
openssl verify -CAfile pki/ca.crt pki/issued/openvpn-bsd.crt
And make sure you get no error.
- Generate and Sign Client Certificate
After generating the certificate for the server, we will generate a new certificate for the client and sign it with the CA key.
Generate new certificate and key 'client01' using the following command.
./easyrsa.real gen-req client01 nopass
Then sign the certificate with the CA key.
./easyrsa.real sign-req client client01
Type the passphrase for the CA key and the client certificate and key has been created.
Verify the client certificate and key using the openssl command as below.
openssl verify -CAfile pki/ca.crt pki/issued/client01.crt
And you will get the result as below.
The client certificate and key have been generated without any error.
- Generate DH-PARAM and CRL Certificate
The DH-PARAM certificated is needed for additional security. And the CRL (Certificate Revocation List) will be used to list all client certificate that you want to remove from accessing the VPN server.
Generate a new CRL and DH-PARAM certificate using the following command.
./easyrsa.real gen-crl
./easyrsa.real gen-dh
Once it's complete, all basic certificates that needed for our VPN server has been generated.
- Copy all Certificates
Next, we need to copy all certificates to the OpenVPN directory. Create a new directory 'server' and 'client' inside the OpenVPN directory.
mkdir -p /usr/local/etc/openvpn/{server,client}
Copy the CA certificate, server certificate and key to the 'server' directory.
cp pki/ca.crt /usr/local/etc/openvpn/server/
cp pki/issued/openvpn-bsd.crt /usr/local/etc/openvpn/server/
cp pki/private/openvpn-bsd.key /usr/local/etc/openvpn/server/
Copy the CA certificate, client01 certificate and key to the 'client' directory.
cp pki/ca.crt /usr/local/etc/openvpn/client/
cp pki/issued/client01.crt /usr/local/etc/openvpn/client/
cp pki/private/client01.key /usr/local/etc/openvpn/client/
Copy the DH-PARAM and CRL certificates to the 'server' directory.
cp pki/dh.pem /usr/local/etc/openvpn/server/
cp pki/crl.pem /usr/local/etc/openvpn/server/
And now we're ready to configure the OpenVPN server.
Step 4 - Configure OpenVPN
Go to the '/usr/local/etc/openvpn' directory and create a new openvpn configuration called 'openvpn.conf' using editor.
cd /usr/local/etc/openvpn/
vim openvpn.conf
Change the configuration as you need and paste into it.
# OpenVPN Port, Protocol, and the Tun port 1194 proto udp dev tun # OpenVPN Server Certificate - CA, server key and certificate ca /usr/local/etc/openvpn/server/ca.crt cert /usr/local/etc/openvpn/server/openvpn-bsd.crt key /usr/local/etc/openvpn/server/openvpn-bsd.key #DH and CRL key dh /usr/local/etc/openvpn/server/dh.pem crl-verify /usr/local/etc/openvpn/server/crl.pem # Network Configuration - Internal network # Redirect all Connection through OpenVPN Server server 10.5.5.0 255.255.255.0 push "redirect-gateway def1" # Using the DNS from https://dns.watch push "dhcp-option DNS 84.200.69.80" push "dhcp-option DNS 84.200.70.40" #Enable multiple clients to connect with the same certificate key duplicate-cn # TLS Security cipher AES-256-CBC tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 auth SHA512 auth-nocache # Other Configuration keepalive 20 60 explicit-exit-notify 1 persist-key persist-tun comp-lzo yes daemon user nobody group nobody # OpenVPN Log log-append /var/log/openvpn.log verb 3
Save and close.
Now start the OpenVPN service and check it's status.
service openvpn start
service openvpn status
You will get the OpenVPN service is up and running on PID '14490'.
Check the OpenVPN port using the sockstat command below.
sockstat -l4
And you will get the result as below.
The OpenVPN service is running on default UDP port '1194'.
Step 5 - Setup pf Firewall
In this step, we're going to set up the pf firewall for the VPN server. We will create the nat rule for the OpenVPN interface 'tun0' and allows all connection to be redirected to the external network interface 'vtnet0'.
Before going any further, make sure the pf firewall is configured on the system. Or you can use the link below to configure it.
How to Setup pf Firewall on FreeBSD 12.0
Now go to the '/usr/local/etc' directory and edit the pf configuration file 'pf.conf' using vim editor.
cd /usr/local/etc/
vim pf.conf
Define the OpenVPN interface and local IP address.
# vpn interface
vpn_if="tun0"
vpn_net = "10.5.5.0/24"
Reassemble all fragmented packets on the external interface before filtering them.
# reassemble all fragmented packets before filtering them
scrub in on $ext_if all fragment reassemble
Enable the nat from the OpenVPN IP address to the external interface.
# route traffic from VPN interface out to the internet
nat on ! $vpn_if from $vpn_net to any -> $ext_ip
Now pass all connections to the UDP protocol on the OpenVPN port '1194' and pass all connection on the OpenVPN interface 'tun0'.
# Allow Connection to VPN Server
pass in on $ext_if proto udp from any to ($ext_if) port 1194 keep state
# Pass all connection on the VPN Interface
pass in on $vpn_if from any to any
Save and close.
Now check the pf firewall configuration and make sure there is no error, then reload the pf rules.
service pf check
service pf reload
As a result, the pf firewall configuration has been completed.
You can check the pf firewall rules using the following command.
pfctl -sr
pfctl -sn
And you will be shown the result as below.
Step 6 - Setup and Enable Port Forwarding
In this step, we're going to enable the port forwarding on the FreeBSD system.
Edit the '/etc/sysctl.conf' file using vim editor.
vim /etc/sysctl.conf
Paste the following configuration.
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
Save and close.
Now check the sysctl config file using the following command.
sysctl -f /etc/sysctl.conf
Next, enable the FreeBSD system as a gateway by adding the configuration to the '/etc/rc.conf' using the following command.
sysrc gateway_enable="YES"
Then reboot the server.
reboot
Now the port forwarding on the FreeBSD system has been enabled.
Step 7 - Setup Client
In this step, we're going to create a new configuration '.ovpn' fro the client.
Go to the '/usr/local/etc/openvpn/client' directory and create a new configuration 'client01.ovpn'.
cd /usr/local/etc/openvpn/client/
vim client01.ovpn
Change the remote IP address and other details with your own and paste into it.
client dev tun proto udp remote xxx.xxx.xxx.xxx 1194 ca ca.crt cert client01.crt key client01.key cipher AES-256-CBC auth SHA512 auth-nocache tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 resolv-retry infinite compress lzo nobind persist-key persist-tun mute-replay-warnings verb 3
Save and close.
Now download all certificates, key, and the configuration inside the '/usr/local/etc/openvpn/client' directory to your local computer.
Step 8 - Testing
In this step, we''re going to connect to the VPN server using the 'client01.ovpn' configuration from the local computer.
After downloading certificates and configuration, go to the download directory and connect to the openvpn server using the command as below.
openvpn --config client01.ovpn
Once the connection is complete, open new terminal tab and checks the 'tun0' interface.
ifconfig tun0
And you will get the internal IP address from the OpenVPN server.
Next, we will test to ping the OpenVPN server using its internal IP address.
ping -c3 10.5.5.1
And you will get an ICMP answer from the server.
After that, check the internet connection using the curl command below.
curl ipinfo.io
Now you will be shown the external IP address of the server.
As a result, the installation and configuration of OpenVPN server on FreeBSD 12.0 has been completed successfully.