OpenVPN on FreeBSD 6

I have used OpenVPN for a number of applications, from remote access while I travel to building a wide area network for a small business. OpenVPN has also been ported to most operating systems, including Mac and Windows.

This document will go over what I have done to install the server part of OpenVPN (2.0.6) on FreeBSD 6.x.

Installing from the Ports

# cd /usr/ports/security/openvpn
# make install
# make clean

Enable OpenVPN on startup

# echo openvpn_enable=\"YES\" >> /etc/rc.conf

Create the config file

There are many ways to configure and set up OpenVPN, depending on what you wish to do. Explaining the different configurations and setups is beyond the scope of this quick how-to. In this example I have done a basic configuration for what I wanted (remote traveling clients). If you want an explanation of the configuration or other examples, please see the OpenVPN how-to documentation.

# mkdir -p /usr/local/etc/openvpn/keys

Create the file /usr/local/etc/openvpn/openvpn.conf with the following content:

# specify the device
dev tun
proto tcp
port 1194
# server and client IP pools ( 0-63 / 26 )
server 192.168.1.0 255.255.255.192
ifconfig-pool-persist ipp.txt
# Certificates for VPN Config
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem
# Routes to Push
push "redirect-gateway"
push "dhcp-option DNS 10.10.10.1"
# Use Compression
comp-lzo
keepalive 20 240
max-clients 50
persist-tun
persist-key
# Run openvpn as a daemon
group nobody
daemon

Create the Certificates

# cp -r /usr/local/share/doc/openvpn/easy-rsa /usr/local/etc/openvpn/
# cd /usr/local/etc/openvpn/easy-rsa

Edit the vars file and change the following variables.
(Change them to fit your organization; the examples below are what fit mine.)

export KEY_DIR="/usr/local/etc/openvpn/keys"
export KEY_COUNTRY="CA"
export KEY_PROVINCE="Alberta"
export KEY_CITY="Edmonton"
# Quote values that contain spaces
export KEY_ORG="EPSB VPN"
export KEY_EMAIL="none@example.com"

Now build the basic certificates

# . vars
# ./clean-all
# ./build-ca

Generate the certificate keys for the server

# ./build-key-server server

Generate the client certificates.

Each client needs its own certificate and private key installed on the client machine. The command below builds a client certificate and needs to be repeated for each client that will access the system. I usually run the script with the client's username, or something similar, to be able to identify them in the future.

# ./build-key client1
# ./build-key client2
# ./build-key client3

Setting up logging on the server.

# echo \!openvpn >> /etc/syslog.conf
# echo "*.* /var/log/openvpn.log" >> /etc/syslog.conf
# touch /var/log/openvpn.log
# /etc/rc.d/syslogd restart
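
A pre-start check for the config file and keys set up above, added here as an example and not part of the original how-to. It confirms that the ca, cert, key and dh directives are present, that the files they name exist, and that the server key is not readable by group or others; the name check_conf and the scratch directory are assumptions, and the sample config is constructed.

```sh
#!/bin/sh
# Added example, not from the original page. check_conf is a hypothetical helper.
# Prints one finding per line; returns 0 when the config passes, 1 otherwise.
check_conf() {
    conf=$1
    findings=0
    # Every PKI directive the server config relies on must be present.
    for d in ca cert key dh; do
        if ! grep -Eq "^[[:space:]]*$d[[:space:]]" "$conf"; then
            echo "ABSENT $d"
            findings=$((findings + 1))
        fi
    done
    while read -r directive path _rest; do
        case $directive in
            ca|cert|key|dh) ;;
            *) continue ;;
        esac
        if [ ! -f "$path" ]; then
            echo "MISSING $directive $path"
            findings=$((findings + 1))
        elif [ "$directive" = key ] &&
             [ -n "$(find "$path" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
            # The server private key must not be readable by group or others.
            echo "PERMS $directive $path"
            findings=$((findings + 1))
        fi
    done < "$conf"
    [ "$findings" -eq 0 ]
}

# Constructed sample: a scratch directory standing in for /usr/local/etc/openvpn.
demo=$(mktemp -d)
mkdir "$demo/keys"
touch "$demo/keys/ca.crt" "$demo/keys/server.crt" "$demo/keys/server.key"
chmod 644 "$demo/keys/server.key"   # deliberately too permissive
cat > "$demo/openvpn.conf" <<EOF
dev tun
ca $demo/keys/ca.crt
cert $demo/keys/server.crt
key $demo/keys/server.key
dh $demo/keys/dh1024.pem
EOF
check_conf "$demo/openvpn.conf" || echo "resolve the findings above before starting openvpn"
```

On the real server, call check_conf /usr/local/etc/openvpn/openvpn.conf; a line whose directives have run together shows up as a MISSING path plus an ABSENT directive.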
