FreeBSD Networking

Setup OpenVPN on FreeBSD 13.1

This acticle will go through the install and configuration to use FreeBSD as your OpenVPN server and how to create the client config files.

Install the OpenVPN Port

I use port upgrade so I’ll use that to install the ports.  If you do not use portupgrade then you can install the port with what ever method works for you.

# pkg install openvpn

Create the directory for all the OpenVPN config files (the certificate store will also be places here):

# mkdir -p /usr/local/etc/openvpn

Copy the sample config files over to this directory.

# cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/openvpn.conf

Setup your Certificate Store.

In easy-pki version 3.1.x and above, they changed the way it works (in the FreeBSD port). You now need to initialize the pki directory first.

# cd /usr/local/etc/openvpn/easy-rsa
# easyrsa init-pki

Move to the easy-rsa directory:

# cd /usr/local/etc/openvpn/easy-rsa

Inside this directory is the vars file. This file contains the variables that are used to create all the certificates that OpenVPN will use.  Edit the vars file and update the following variables:

# vi /usr/local/etc/openvpn/easy-rsa/vars
set_var EASYRSA_REQ_COUNTRY     "CA"
set_var EASYRSA_REQ_PROVINCE    "<Province>"
set_var EASYRSA_REQ_CITY            "<Your City>"
set_var EASYRSA_REQ_ORG            "<An Org>"
set_var EASYRSA_REQ_EMAIL          "<Email>"
set_var EASYRSA_REQ_OU              "<hostname for server>"

Make sure the following variables are set:

set_var EASYRSA_KEY_SIZE          2048
set_var EASYRSA_CA_EXPIRE        3650
set_var EASYRSA_CERT_EXPIRE     3650

Save the vars file.

Create the Certificate Store.

Now lets generate the certificates used to authenticate the VPN connections.  Easyrsa makes it quite easy with a supplied script.  NOTE: the script will not work with the C Shell that FreeBSD uses by default.  If you are using C Shell (or if you are not sure) make sure to change into the Bourne Shell (sh) first.

# sh
# easyrsa build-ca nopass

Generate the Server Certificate

Next we are going to tell easyrsa to generate the server certificate.  We also use the “nopass” to generate a certificate that is not encrypted with a password.  This will allow the server to startup without prompting for a password.  Keep this password very safe and protected.

# easyrsa build-server-full openvpn-server nopass

Generate the Diffie Hellman key

# easyrsa gen-dh

Now that they keys are created, they need to be moved to their final location under the OpenVPN configuration.

Copy the ca, openvpn-server, and Diffie Hellman keys into the keys directory.  This is assuming you generated the keys on the same server that is hosting the OpenVPN.

# mkdir -p /usr/local/etc/openvpn/keys
# cd /usr/local/etc/openvpn
# cp -p easy-rsa/pki/ca.crt keys/ca.crt
# cp -p easy-rsa/pki/dh.pem keys/dh.pem
# cp -p easy-rsa/pki/issued/openvpn-server.crt keys/openvpn-server.crt
# cp -p easy-rsa/pki/private/openvpn-server.key keys/openvpn-server.key

Chages to the Server Config

Open up the OpenVPN server config file with your favorite editor (I like vi).

# vi /usr/local/etc/openvpn/openvpn.conf

Scroll down and look for the lines that specify the certificate locations.  Change then to look like the following:

ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key
dh /usr/local/etc/openvpn/keys/dh.pem

Make sure the user and group lines are uncommented and set to nobody.

user nobody
group nobody

You can change the port in the file if you want to set up the cloent on a non-standard port.  (1194 is the default)

port 1194

Setup the subnet and IP address that the tunnel will use.  I use 192.168.13.192 – 192.168.13.255 for my tunnel range.  The address that my server will have (for it’s OpenVPN connection) is 192.168.13.193.  Here is the server lines that I use:

server 192.168.13.192 255.255.255.192

I have a number of local networks. I want my tunnel setup so that ONLY my local networks get tunneled over OpenVPN.  You can specify just the network that get tunneled and the clients will only tunnel those addresses (as apposed to everything going through the tunnel).   To do this, you need to setup a push lines for each network that you want tunneled. NOTE: If you want to tunnel all the traffic, look at the “redirect-gateway” line.

On my system, I have three routes that I force as follows:

push "route 10.0.0.0 255.0.0.0"
push "route 172.16.0.0 255.240.0.0"
push "route 192.168.0.0 255.255.0.0"

You can also force the clients to use your DNS.  This is helpful if you have an internal DNS server or run split DNS.  Here I force the clients DNS to point at mine.

push "dhcp-option DNS 172.31.15.250"
push "dhcp-option DNS 10.0.4.231"

That should be the main configs changes.  Look over the rest of the notes in the config file and then save your changes.

Generate the ta.key file need to improve security.

# cd /usr/local/etc/openvpn/keys
# openvpn --genkey secret ta.key

Enable the OpenVPN Server

NOTE: This section is specific to FreeBSD.  You need to enable the OpenVPN server in the /etc/rc.conf file so that it will start on bootup.  You can add these manually or with the following commands:

# sysrc openvpn_enable="YES"
# sysrc openvpn_if="tun"

Start the service.

# service openvpn start

Create a Client Certificate.

I am going to generate a certificate that I will be using on my iPhone.  I am going to call this client “MyiPhone”.  It is best to name you clients with something that you will know so if you have the generate a new certificate (or remove a certificate) you know what one it is.

# easyrsa build-client full MyiPhone

1 thought on “Setup OpenVPN on FreeBSD 13.1”

Leave a Comment

Your email address will not be published. Required fields are marked *