FreeBSD Version: 10.0-RELEASE
This tutorial will cover setting up a bridged OpenVPN setup on a FreeBSD 10.0 release. This was done for my home network and should be generic enough to work for others. Your mileage will vary. I pulled documentation from many, many sources and put them in this one useful location.
Install OpenVPN either from ports or with pkg.
Via ports:
portmaster security/openvpn
Via pkg (pkgng):
pkg install openvpn
If you are not familiar with portmaster or pkg, check out the BSD Now tutorials.
A bridged setup uses the tap interface, which needs the if_tap kernel module. To load it into memory without rebooting:
kldload if_tap
To ensure that it is loaded at boot time in /etc/rc.conf add:
if_tap_load="YES"
Next, enable IP forwarding so the server will route for the clients. Add the following line to /etc/rc.conf:
gateway_enable="YES"
To enable it immediately without rebooting, run:
sysctl net.inet.ip.forwarding=1
Add the following line to /etc/sysctl.conf:
net.inet.ip.forwarding=1
The following commands need to be run as the root user:
mkdir /usr/local/etc/openvpn
cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/server.conf
cp -R /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa
Switch to the openvpn easy-rsa directory:
cd /usr/local/etc/openvpn/easy-rsa
Edit the vars file. Here are the changes that I have made:
...
# Increased the key size from 1024 to 2048
export KEY_SIZE=2048
...
# Change the default fields for the certificate
# The following are just an example
export KEY_COUNTRY="US"
export KEY_PROVINCE="NM"
export KEY_CITY="Las Cruces"
export KEY_ORG="My House"
export KEY_EMAIL="myhouse@myhouse.org"
Change to the root user (su) and make sure that you are in the sh shell (sh). Then source the vars file:
. ./vars
Note: if you are rebuilding your keys (for example after an OpenSSL update), run the following first; clean-all removes everything in the keys directory:
./clean-all
. ./vars
Generate the CA certificate and key:
./build-ca
Generate the certificate for the server:
./build-key-server myserver
Next, we generate all the client keys:
./build-key my_laptop
./build-key my_other_laptop
Finally, we build the Diffie-Hellman (DH) parameters. This will take a while:
./build-dh
The result will be the following files in /usr/local/etc/openvpn/easy-rsa/keys (the key directory set in the vars file):
...
myserver.crt
myserver.csr
myserver.key
ca.crt
ca.key
dh2048.pem
my_laptop.crt
my_laptop.csr
my_laptop.key
my_other_laptop.crt
my_other_laptop.csr
my_other_laptop.key
...
We create the file /usr/local/etc/openvpn/up.sh with the following content:
#!/bin/sh
# $dev is the tap interface name that OpenVPN passes to the script (tap0 here)
/sbin/ifconfig bridge0 create
# add the LAN interface (re0, the interface used in the pf.conf section below) and the tap interface to the bridge
/sbin/ifconfig bridge0 addm re0 addm $dev up
/sbin/ifconfig $dev up
Next, we create the file /usr/local/etc/openvpn/down.sh with the following content:
#!/bin/sh
# Note: with "user nobody" in server.conf, OpenVPN runs the down script with
# reduced privileges, so these ifconfig calls may fail; the up script runs before
# the privileges are dropped.
/sbin/ifconfig bridge0 deletem $dev
/sbin/ifconfig bridge0 destroy
/sbin/ifconfig $dev destroy
We need to make the following changes to our OpenVPN server file /usr/local/etc/openvpn/server.conf:
# scripts to create and tear down the bridge connector
up /usr/local/etc/openvpn/up.sh
down /usr/local/etc/openvpn/down.sh
local 10.9.8.2
port 1194
# or, if you want to masquerade it as https (because the standard port may be blocked) and you're not using the https port
# port 443
proto udp
dev tap
ca /usr/local/etc/openvpn/easy-rsa/keys/ca.crt
cert /usr/local/etc/openvpn/easy-rsa/keys/myserver.crt
key /usr/local/etc/openvpn/easy-rsa/keys/myserver.key # This file should be kept secret
# dh2048.pem for our 2048 key size
dh /usr/local/etc/openvpn/easy-rsa/keys/dh2048.pem
ifconfig-pool-persist ipp.txt
# This is the range of ip addresses that the connecting clients will be assigned. This range
# should be outside of the DHCP ip address pool
server-bridge 10.9.8.2 255.255.255.0 10.9.8.10 10.9.8.20
push "route 10.9.8.0 255.255.255.0"
# to redirect all the client traffic over the vpn
push "redirect-gateway def1"
# Allow clients to see each other
client-to-client
keepalive 10 120
cipher AES-128-CBC # AES
comp-lzo
max-clients 25
user nobody
group nobody
persist-key
persist-tun
log-append /var/log/openvpn.log
status-version 2
status openvpn-status.log
verb 6
script-security 3
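The server-bridge line hands out 10.9.8.10 to 10.9.8.20, and the comment above it says this range must stay outside the DHCP pool; if the two overlap, a LAN host and a VPN client can end up with the same address. The following sh script is an added example, not from this tutorial: it pulls the server-bridge line out of a server.conf and checks that the gateway and the pool lie inside the subnet given by the netmask, that the pool start is not after the end, and that the pool does not overlap a DHCP range you pass on the command line. The conf path and the DHCP range 10.9.8.100-10.9.8.200 in the usage line are assumptions; it uses only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not part of the tutorial: check the server-bridge pool in a
# server.conf against the LAN's DHCP range. Usage:
#   sh check_pool.sh /usr/local/etc/openvpn/server.conf 10.9.8.100 10.9.8.200
# (the DHCP range is whatever your router hands out; the one above is a
# constructed example)

# Print "gateway netmask pool-start pool-end" from the server-bridge line of $1
bridge_args() {
    awk '$1 == "server-bridge" && NF >= 5 { print $2, $3, $4, $5; exit }' "$1"
}

# Returns 0 when the gateway and the pool lie inside the subnet, start <= end,
# and the pool does not overlap the DHCP range $2-$3. Pure POSIX awk (no
# bitwise operators): the network address is computed per octet, which is
# correct for contiguous netmasks such as 255.255.255.0.
check_bridge_pool() {
    args=$(bridge_args "$1")
    if [ -z "$args" ]; then
        echo "no server-bridge line in $1"
        return 1
    fi
    echo "$args $2 $3" | awk '
        function ip2int(a,  p) {
            split(a, p, ".")
            return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4]
        }
        function netaddr(ip, mask,  p, m, i, n) {
            split(ip, p, "."); split(mask, m, ".")
            n = 0
            for (i = 1; i <= 4; i++)
                n = n*256 + int(p[i] / (256 - m[i])) * (256 - m[i])
            return n
        }
        {
            gw  = ip2int($1); net = netaddr($1, $2)
            bcast = net + (4294967295 - ip2int($2))
            lo  = ip2int($3); hi  = ip2int($4)
            dlo = ip2int($5); dhi = ip2int($6)
            rc = 0
            if (!(gw > net && gw < bcast)) { print "gateway " $1 " is not inside the subnet"; rc = 1 }
            if (!(lo > net && hi < bcast)) { print "pool " $3 "-" $4 " is not inside the subnet"; rc = 1 }
            if (lo > hi)                   { print "pool start is after pool end"; rc = 1 }
            if (!(hi < dlo || lo > dhi))   { print "pool " $3 "-" $4 " overlaps DHCP range " $5 "-" $6; rc = 1 }
            if (rc == 0) print "pool " $3 "-" $4 " ok"
            exit rc
        }'
}

if [ $# -ge 3 ]; then
    check_bridge_pool "$1" "$2" "$3"
fi
```

The exit status is what a pre-start check in an rc script or a cron job can act on; the messages tell you which of the four conditions failed.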
The client configuration file contains the following (ca.crt, my_laptop.crt and my_laptop.key are copied from the keys directory to the client):
client
dev tap
proto udp
remote 10.9.8.2 1194
# or, if the server was set up on port 443
#remote 10.9.8.2 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert my_laptop.crt
key my_laptop.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 3
To start OpenVPN at boot, add the following lines to /etc/rc.conf:
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
openvpn_flags="--script-security 3"
openvpn_if="tap"
To enable the pf firewall, add the following lines to /etc/rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf"
In the rules file, /etc/pf.conf, add the following lines:
# this is the interface that will be serving openvpn
ext_if="re0"
int_if="tap0"
# redirect incoming OpenVPN traffic on the standard port to the server
rdr on $ext_if proto udp from any to any port 1194 -> 10.9.8.2
# if you are running on a non-default port
rdr on $ext_if proto udp from any to any port 443 -> 10.9.8.2