OpenVPN

FreeBSD Version: 10.0-RELEASE

This tutorial will cover setting up a bridged OpenVPN setup on a FreeBSD 10.0 release. This was done for my home network and should be generic enough to work for others. Your mileage will vary. I pulled documentation from many, many sources and put them in this one useful location.

Install OpenVPN port

Via ports:

portmaster security/openvpn

Via pkg (pkgng):

pkg 

If you are not familiar with portmaster or pkg, check out the BSD Now tutorials.

Set up the config directories

Add the tap device

To load it into memory without rebooting:

kldload if_tap

To ensure that it is loaded at boot time, add the following to /etc/rc.conf:

if_tap_load="YES"

Also add the following line to /etc/rc.conf:

gateway_enable="YES"

Enable IP forwarding

Enable it with the following command:

sysctl net.inet.ip.forwarding=1

To keep it enabled across reboots, add the following line to /etc/sysctl.conf:

net.inet.ip.forwarding=1

Copy your OpenVPN files

The following commands need to be run as the root user:

mkdir /usr/local/etc/openvpn
cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/server.conf
cp -R /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa

Generate SSL certs

Switch to the openvpn easy-rsa directory:

cd /usr/local/etc/openvpn/easy-rsa

Edit the vars file. Here are the changes that I have made:

...
# Increased the key size from 1024 to 2048
export KEY_SIZE=2048

...
# Change the default fields for the certificate
# The following are just an example
export KEY_COUNTRY="US"
export KEY_PROVINCE="NM"
export KEY_CITY="Las Cruces"
export KEY_ORG="My House"
export KEY_EMAIL="myhouse@myhouse.org"

Switch to the root user (su), make sure that you are in the sh shell (run sh), and source the vars file:

. ./vars

Note: if you are rebuilding your keys, for example because of an OpenSSL update, you will need to do the following first:

./clean-all
. ./vars

Generate the CA certificate:

./build-ca

Generate the certificate for the server:

./build-key-server myserver

Next, we generate all the client keys:

./build-key my_laptop
./build-key my_other_laptop

Finally, we build the Diffie-Hellman (DH) parameters. This will take a while:

./build-dh

The result will be the following files in /usr/local/etc/openvpn/easy-rsa/keys, the key directory (KEY_DIR) defined in our vars file:

...
myserver.crt
myserver.csr
myserver.key
ca.crt
ca.key
dh2048.pem
my_laptop.crt
my_laptop.csr
my_laptop.key
my_other_laptop.crt
my_other_laptop.csr
my_other_laptop.key
...
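Before wiring these files into server.conf it is worth checking that easy-rsa produced what the rest of this tutorial assumes. The script below is an added example, not part of easy-rsa or OpenVPN; it needs only the openssl binary, and its defaults (the keys directory above and the server name myserver) can be overridden by argument.

```shell
#!/bin/sh
# check_keys.sh: sanity checks on what easy-rsa wrote to the keys directory.
# Added example, not part of easy-rsa or OpenVPN; it only needs the openssl binary.
# Defaults match this tutorial (keys dir and server name "myserver"); override by argument.

check_keys() {
    keys=${1:-/usr/local/etc/openvpn/easy-rsa/keys}
    name=${2:-myserver}
    fail=0

    # 1. The server certificate must chain to ca.crt, or every client will reject the server.
    if ! openssl verify -CAfile "$keys/ca.crt" "$keys/$name.crt" >/dev/null 2>&1; then
        echo "FAIL: $name.crt does not verify against ca.crt"; fail=1
    fi

    # 2. The client config uses 'ns-cert-type server', so the server certificate needs the
    #    Netscape "SSL Server" type; build-key-server sets it, build-key does not.
    if ! openssl x509 -in "$keys/$name.crt" -noout -text 2>/dev/null | grep -q 'SSL Server'; then
        echo "FAIL: $name.crt was not built as a server certificate (no nsCertType=server)"; fail=1
    fi

    # 3. KEY_SIZE=2048 in vars must have produced a 2048-bit RSA key.
    if ! openssl rsa -in "$keys/$name.key" -noout -text 2>/dev/null | grep -q '(2048 bit'; then
        echo "FAIL: $name.key is not a 2048-bit RSA key"; fail=1
    fi

    # 4. server.conf points at dh2048.pem, so the file must exist and really be 2048 bits.
    if ! openssl dhparam -in "$keys/dh2048.pem" -noout -text 2>/dev/null | grep -q '(2048 bit)'; then
        echo "FAIL: dh2048.pem is missing or not 2048 bits"; fail=1
    fi

    # 5. Private keys stay secret: no read bit for group or other (ls -l columns 5-10).
    for k in "$keys/ca.key" "$keys/$name.key"; do
        case "$(ls -ld "$k" 2>/dev/null | cut -c5-10)" in
            *r*) echo "FAIL: $k is readable by group or other"; fail=1 ;;
        esac
    done

    [ "$fail" -eq 0 ] && echo "OK: $keys looks consistent for server '$name'"
    return "$fail"
}

# Run the checks when executed as a script (not when the functions are sourced).
[ "${0##*/}" = "check_keys.sh" ] && check_keys "$@"
```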

Create some scripts for our bridge

OpenVPN runs these scripts with the name of the tap device it allocated in the $dev environment variable. We create the file /usr/local/etc/openvpn/up.sh with the following content:

#!/bin/sh
# re0 is the LAN interface to bridge the tap device into (the same NIC used as
# ext_if in the pf rules below); change it to match your system.
/sbin/ifconfig bridge0 create
/sbin/ifconfig bridge0 addm re0 addm $dev up
/sbin/ifconfig $dev up

Next, we create the file /usr/local/etc/openvpn/down.sh with the following content:

#!/bin/sh
/sbin/ifconfig bridge0 deletem $dev
/sbin/ifconfig bridge0 destroy
/sbin/ifconfig $dev destroy
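A plain up.sh fails on the second start of OpenVPN, because "ifconfig bridge0 create" returns "File exists" once the bridge is there, and a non-zero exit from an up script aborts OpenVPN. The helpers below are an added example, not the tutorial's own scripts: they assume re0 as the LAN interface and bridge0 as the bridge name, make every step idempotent, and let IFCONFIG point at a stub so the logic can be exercised without root.

```shell
#!/bin/sh
# Idempotent bridge helpers, an added example rather than the tutorial's own up.sh/down.sh.
# OpenVPN passes the tap device name in $dev (and as $1). LAN_IF=re0 and BRIDGE=bridge0
# are assumptions for this tutorial's host; IFCONFIG can point at a stub for testing.
LAN_IF=${LAN_IF:-re0}
BRIDGE=${BRIDGE:-bridge0}
IFCONFIG=${IFCONFIG:-/sbin/ifconfig}

# True if interface $2 is already a member of bridge $1 (FreeBSD prints "member: re0 flags=...").
bridge_has_member() {
    "$IFCONFIG" "$1" 2>/dev/null | grep -q "member: $2 "
}

# bridge_up <tap device>: create the bridge if needed, attach LAN and tap, bring both up.
# Every step is skipped when already done, so restarting OpenVPN does not fail on
# "ifconfig: create: File exists" (a non-zero exit from an up script aborts OpenVPN).
bridge_up() {
    tap=$1
    [ -n "$tap" ] || { echo "up.sh: no tap device name given" >&2; return 1; }
    "$IFCONFIG" "$BRIDGE" >/dev/null 2>&1 || "$IFCONFIG" "$BRIDGE" create || return 1
    for m in "$LAN_IF" "$tap"; do
        bridge_has_member "$BRIDGE" "$m" || "$IFCONFIG" "$BRIDGE" addm "$m" || return 1
    done
    "$IFCONFIG" "$BRIDGE" up && "$IFCONFIG" "$tap" up
}

# bridge_down <tap device>: detach the tap and tear the bridge down, best effort.
# The LAN interface itself is left alone so the host keeps its network when the VPN stops.
bridge_down() {
    tap=$1
    [ -n "$tap" ] || { echo "down.sh: no tap device name given" >&2; return 1; }
    "$IFCONFIG" "$BRIDGE" deletem "$tap" 2>/dev/null || true
    "$IFCONFIG" "$BRIDGE" destroy 2>/dev/null || true
    "$IFCONFIG" "$tap" destroy 2>/dev/null || true
    return 0
}

# Install as up.sh by appending the first line below, or as down.sh with the second:
#   bridge_up "${dev:-$1}"
#   bridge_down "${dev:-$1}"
```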

Edit the OpenVPN server config file

We need to make the following changes to our OpenVPN server file /usr/local/etc/openvpn/server.conf:

# scripts to create and tear down the bridge connector
up /usr/local/etc/openvpn/up.sh
down /usr/local/etc/openvpn/down.sh

local 10.9.8.2

port 1194
# or, if you want to masquerade it as https (because the standard port may be blocked) and you are not using the https port:
# port 443
proto udp
dev tap

ca /usr/local/etc/openvpn/easy-rsa/keys/ca.crt
cert /usr/local/etc/openvpn/easy-rsa/keys/myserver.crt
key /usr/local/etc/openvpn/easy-rsa/keys/myserver.key # This file should be kept secret
# dh2048.pem for our 2048 key size
dh /usr/local/etc/openvpn/easy-rsa/keys/dh2048.pem

ifconfig-pool-persist ipp.txt

# This is the range of ip addresses that the connecting clients will be assigned. This range
# should be outside of the DHCP ip address pool
server-bridge 10.9.8.2 255.255.255.0 10.9.8.10 10.9.8.20

push "route 10.9.8.0 255.255.255.0"
# to redirect all the client traffic over the vpn
push "redirect-gateway def1"

# Allow clients to see each other
client-to-client

keepalive 10 120
cipher AES-128-CBC   # AES
comp-lzo

max-clients 25

user nobody
group nobody

persist-key
persist-tun

log-append  /var/log/openvpn.log

status-version 2
status openvpn-status.log

verb 6

Client config file

On each client, create a config file with the following content (ca.crt and the client's own .crt and .key are copied from the keys directory above):

script-security 3
client
dev tap
proto udp
remote 10.9.8.2 1194
# or, if the server listens on the https port:
#remote 10.9.8.2 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert my_laptop.crt
key my_laptop.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 3

Running OpenVPN on boot

Add the following lines to /etc/rc.conf:

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
openvpn_flags="--script-security 3"
openvpn_if="tap"

Create firewall rules for OpenVPN

Add the following lines to /etc/rc.conf:

pf_enable="YES"
pf_rules="/etc/pf.conf"

In the rules file, /etc/pf.conf, add the following lines:

# this is the interface that will be serving openvpn
ext_if="re0"
int_if="tap0"

rdr on $ext_if proto udp from any to any port 1194 -> 10.9.8.2
# if you are running on a non-default port
rdr on $ext_if proto udp from any to any port 443 -> 10.9.8.2