OpenVPN on FreeBSD 11.2-RELEASE

Published: Wed 05 December 2018


This guide was written based on results from a VPS server. After following it, you should have a working OpenVPN server and client.

### Update, Install & Copy OpenVPN configuration files

First we need to update the pkg manager and then install the openvpn package. The commands below use Bourne shell syntax (the `CLIENT_NAME=...` assignment later on), so switch from the root csh prompt to sh first.

```sh
sh
pkg update && pkg install openvpn
```

Next we need to create the openvpn directory and copy the necessary configuration files (the sample server.conf and the easy-rsa tree).

```sh
mkdir -p /usr/local/etc/openvpn
cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/openvpn.conf
cp -r /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa
cd /usr/local/etc/openvpn/easy-rsa
```

Now we need to set the following variables in the `vars` file. These become the subject fields of the CA, server and client certificates, and the expiry values are in days.

```sh
vi vars
```

```sh
set_var EASYRSA_REQ_COUNTRY     "<COUNTRY>"
set_var EASYRSA_REQ_PROVINCE    "<PROVINCE>"
set_var EASYRSA_REQ_CITY        "<CITY>"
set_var EASYRSA_REQ_ORG         "<ORGANIZATION>"
set_var EASYRSA_REQ_EMAIL       "<EMAIL>"
set_var EASYRSA_REQ_OU          "<ORGANIZATIONAL UNIT>"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_CA_EXPIRE       3650
set_var EASYRSA_CERT_EXPIRE     3650
```

### Generate server keys

Now we generate the server-side key material for the connection between the OpenVPN server and client: the PKI and CA, the server certificate and key, the Diffie-Hellman parameters, and the shared tls-auth key.

```sh
./easyrsa.real init-pki
./easyrsa.real build-ca
./easyrsa.real build-server-full openvpn-server nopass
./easyrsa.real gen-dh
openvpn --genkey --secret ta.key
```

### Generate client keys

Now, set CLIENT_NAME to any name you would like and issue a certificate and key for that client:

```sh
CLIENT_NAME="<client-name>"
./easyrsa.real build-client-full $CLIENT_NAME nopass
```

### Copy server keys to the openvpn directory

```sh
mkdir /usr/local/etc/openvpn/keys
cp pki/dh.pem \
   pki/ca.crt \
   pki/issued/openvpn-server.crt \
   pki/private/openvpn-server.key \
   ta.key \
   /usr/local/etc/openvpn/keys
```

### Configure the client .ovpn file

Write the client directives first, then append the client key, client certificate, CA certificate and tls-auth key as inline blocks so the profile is a single self-contained file.

```sh
cd /usr/local/etc/openvpn
cat > $CLIENT_NAME.ovpn <<'EOF'
client
nobind
dev tun
remote-cert-tls server
remote <server-ip> 1194 udp
key-direction 1
redirect-gateway def1
EOF

printf "<key>\n" >> $CLIENT_NAME.ovpn
cat easy-rsa/pki/private/$CLIENT_NAME.key >> $CLIENT_NAME.ovpn
printf "</key>\n" >> $CLIENT_NAME.ovpn
printf "<cert>\n" >> $CLIENT_NAME.ovpn
# issued certificates carry a human-readable text dump ahead of the PEM; keep only the PEM part
sed -n '/^-----BEGIN/,/^-----END/p' easy-rsa/pki/issued/$CLIENT_NAME.crt >> $CLIENT_NAME.ovpn
printf "</cert>\n" >> $CLIENT_NAME.ovpn
printf "<ca>\n" >> $CLIENT_NAME.ovpn
cat easy-rsa/pki/ca.crt >> $CLIENT_NAME.ovpn
printf "</ca>\n" >> $CLIENT_NAME.ovpn
printf "<tls-auth>\n" >> $CLIENT_NAME.ovpn
cat easy-rsa/ta.key >> $CLIENT_NAME.ovpn
printf "</tls-auth>\n" >> $CLIENT_NAME.ovpn
```

### Configure the server

```sh
cat > openvpn.conf <<'EOF'
server 192.168.255.0 255.255.255.0

verb 3

key /usr/local/etc/openvpn/keys/openvpn-server.key  # This file should be kept secret
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
dh /usr/local/etc/openvpn/keys/dh.pem
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret

key-direction 0
keepalive 10 60

persist-key
persist-tun

proto udp
port 1194
dev tun

status openvpn-status.log

user nobody
group nobody

explicit-exit-notify 1
remote-cert-tls client

route 192.168.254.0 255.255.255.0

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
EOF
```

Then enable OpenVPN, IP forwarding, ipfw and natd (so VPN clients are NATed out through the `vtnet0` interface), start the service and reboot:

```sh
sysrc openvpn_enable="YES"
sysrc openvpn_if="tun"
sysrc gateway_enable="YES"
sysrc firewall_enable="YES"
sysrc firewall_type="OPEN"
sysrc natd_enable="YES"
sysrc natd_interface="vtnet0"
sysrc natd_flags=""
service openvpn start
reboot
```

Note that `firewall_type="OPEN"` makes ipfw pass all traffic; it only provides the divert rule natd needs, not any filtering.

After the server reboots, you can use $CLIENT_NAME.ovpn from your client machine.
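As an added check, not part of the original guide: a POSIX sh function that verifies a client profile assembled as above has the required directives and all four inline blocks, and that each block starts with a PEM header rather than the text dump easy-rsa leaves ahead of the PEM in issued `.crt` files (the reason the guide pipes the certificate through `sed`). The sample profiles it builds are constructed, with placeholder PEM bodies, not real keys.

```sh
# check_ovpn FILE prints each problem found and returns 0 only if there was none.
check_ovpn() {
    f="$1"; rc=0
    for d in '^client$' '^remote ' '^remote-cert-tls server$' '^key-direction 1$'; do
        grep -q "$d" "$f" || { echo "missing directive: $d"; rc=1; }
    done
    for tag in ca cert key tls-auth; do
        open=$(grep -c "^<$tag>\$" "$f" || true)
        close=$(grep -c "^</$tag>\$" "$f" || true)
        if [ "$open" -ne 1 ] || [ "$close" -ne 1 ]; then
            echo "<$tag> block must appear exactly once"; rc=1; continue
        fi
        # block body without the surrounding tags
        body=$(sed -n "/^<$tag>\$/,/^<\/$tag>\$/p" "$f" | sed '1d;$d')
        # ta.key legitimately starts with '#' comment lines; skip those before checking
        first=$(printf '%s\n' "$body" | grep -v '^#' | head -n 1)
        case "$first" in
            -----BEGIN*) ;;
            *) echo "<$tag> does not start with a PEM header (text dump left in?)"; rc=1 ;;
        esac
        printf '%s\n' "$body" | grep -q '^-----END' || { echo "<$tag> has no PEM footer"; rc=1; }
    done
    return "$rc"
}

# make_sample_profile good|bad writes a constructed profile (placeholder PEM bodies,
# not real keys) to a temp file and prints its path. The "bad" variant pastes the
# certificate's text dump ahead of the PEM and omits the <tls-auth> block.
make_sample_profile() {
    out=$(mktemp) || return 1
    {
        printf 'client\nnobind\ndev tun\nremote-cert-tls server\n'
        printf 'remote 203.0.113.10 1194 udp\nkey-direction 1\nredirect-gateway def1\n'
        printf '<key>\n%s\nPLACEHOLDER\n%s\n</key>\n' '-----BEGIN PRIVATE KEY-----' '-----END PRIVATE KEY-----'
        printf '<cert>\n'
        [ "$1" = bad ] && printf 'Certificate:\n    Data:\n        Version: 3 (0x2)\n'
        printf '%s\n' '-----BEGIN CERTIFICATE-----' PLACEHOLDER '-----END CERTIFICATE-----' '</cert>'
        printf '<ca>\n%s\nPLACEHOLDER\n%s\n</ca>\n' '-----BEGIN CERTIFICATE-----' '-----END CERTIFICATE-----'
        [ "$1" = bad ] || printf '<tls-auth>\n#\n# 2048 bit OpenVPN static key\n#\n%s\nPLACEHOLDER\n%s\n</tls-auth>\n' \
            '-----BEGIN OpenVPN Static key V1-----' '-----END OpenVPN Static key V1-----'
    } > "$out"
    echo "$out"
}
```

Run it against the real profile with `check_ovpn /usr/local/etc/openvpn/$CLIENT_NAME.ovpn` before copying the file to a client.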

Resource: https://nopecode.com/2018/05/21/freebsd-openvpn.html
