While trying to set up OpenVPN, I noticed there was no up-to-date information with correct instructions. OpenVPN uses Easy-RSA to set up keys, and Easy-RSA changed substantially in version 3. As a result, the old steps for configuring OpenVPN are no longer correct. I went through the process of setting up a VPN using OpenVPN on FreeBSD 10.3.
This is the up to date way to configure OpenVPN on FreeBSD.
A few things are required before OpenVPN can be set up.
Install Needed Software
To start with, install the required software. The only package that needs installing should be OpenVPN; Easy-RSA is pulled in with it.
After updating the package repository, install openvpn. I'm using pkg; if you are using ports you should know the analogous process.
Setup Directory Structure for Configuration
OpenVPN ships with sample configuration files. First make a directory to hold the configuration:
Copy the sample files:
The configuration files for Easy-RSA are also needed, copy them to the configuration directory:
Now that we have all the required files, configuration can start.
To start, configure keys with Easy-RSA.
Move into the Easy-RSA directory
Inside should be several files:
Edit Easy-RSA Configuration Files
In the vars file, edit the required fields, replacing them with the proper data. Any field being used must be uncommented.
Set the organizational fields:
Set the key size in bits; 2048 is recommended:
Set expiry number in days:
Now keys can be generated with the easyrsa.real shell script.
By default FreeBSD uses the C shell (csh). This can cause problems, because the configuration script sets variables in a way csh does not understand. To avoid these issues, switch to the Bourne shell, sh, when running the script.
To see all easy-rsa commands, run:
For detailed usage and help for a command, run:
To get a listing of options that can be supplied before the command, use:
Full list of commands available:
Initialize Public Key Infrastructure
Build Certificate Authority
Follow instructions entering a CA password and common name.
Generate certificates for a server with the name openvpn-server. Use “nopass” to generate an unencrypted key so that a password is not required by the server on startup. This is what most people use on the server; however, this means it must be protected carefully.
Check if successful:
Build client certificate(s), using a unique name for each certificate:
Diffie Hellman Parameters
Generate Diffie Hellman parameters:
With the files created, move the keys to their destination.
The files of importance are:
dh.pem - Diffie Hellman parameters. Needed by server.
ca.crt - Root CA certificate. Needed by server and all clients.
openvpn-server.crt - Server certificate. Needed by server.
<name>.crt - Client certificate. Needed by client.
pki/private/ [These are secret]:
openvpn-server.key - Server key. Needed by server.
<name>.key - Client key. Needed by client.
ca.key - Root CA key. Needed only by the key-signing machine.
So the following keys should be moved to the server:
If the server is the same machine as the machine used as the Certificate Authority, make a directory for the keys in the
Move the server keys:
and the following moved to each client:
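The key generation and distribution steps above, as an added example script that is not part of the original post: it runs the Easy-RSA 3 commands under sh rather than csh, checks that the expected files were produced under pki/, and copies only the files each side needs, leaving ca.key behind on the signing machine and making every private key mode 0600. The Easy-RSA directory, the easyrsa.real location, the destination directories and the client name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: run the Easy-RSA 3 steps above
# under sh (not FreeBSD's default csh), verify the output, and hand each side
# only the files it needs. Paths and the client name are assumptions.

EASYRSA_DIR="${EASYRSA_DIR:-/usr/local/etc/openvpn/easy-rsa}"  # assumed: holds vars, easyrsa.real and pki/
EASYRSA_BIN="${EASYRSA_BIN:-./easyrsa.real}"                  # assumed location of the script
SERVER_NAME="${SERVER_NAME:-openvpn-server}"

# Build the CA, a server certificate with an unencrypted key (nopass) and the
# DH parameters. build-ca still prompts for the CA password and common name.
build_pki() {
    cd "$EASYRSA_DIR" || return 1
    sh "$EASYRSA_BIN" init-pki &&
    sh "$EASYRSA_BIN" build-ca &&
    sh "$EASYRSA_BIN" build-server-full "$SERVER_NAME" nopass &&
    sh "$EASYRSA_BIN" gen-dh
}

# One certificate per client; no nopass, so the client key stays encrypted.
build_client() {  # $1 = unique client name
    cd "$EASYRSA_DIR" && sh "$EASYRSA_BIN" build-client-full "$1"
}

# "Check if successful": every file the post lists must exist under pki/.
pki_complete() {  # $1 = pki dir, $2 = server name
    for f in "$1/ca.crt" "$1/dh.pem" "$1/issued/$2.crt" \
             "$1/private/$2.key" "$1/private/ca.key"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    return 0
}

# Server side: ca.crt, dh.pem, the server cert and the server key. ca.key is
# deliberately not copied; it belongs only on the signing machine.
install_server_keys() {  # $1 = pki dir, $2 = server name, $3 = destination dir
    mkdir -p "$3" && chmod 700 "$3" || return 1
    cp "$1/ca.crt" "$1/dh.pem" "$1/issued/$2.crt" "$1/private/$2.key" "$3/" || return 1
    chmod 644 "$3/ca.crt" "$3/dh.pem" "$3/$2.crt" && chmod 600 "$3/$2.key"
}

# Client side: ca.crt plus that client's own cert and key.
install_client_keys() {  # $1 = pki dir, $2 = client name, $3 = destination dir
    mkdir -p "$3" && chmod 700 "$3" || return 1
    cp "$1/ca.crt" "$1/issued/$2.crt" "$1/private/$2.key" "$3/" || return 1
    chmod 644 "$3/ca.crt" "$3/$2.crt" && chmod 600 "$3/$2.key"
}

# Sanity check on a destination dir: no ca.key present, every private key 0600.
keys_dir_ok() {  # $1 = destination dir
    if [ -e "$1/ca.key" ]; then echo "ca.key must not be in $1" >&2; return 1; fi
    for k in "$1"/*.key; do
        [ -f "$k" ] || continue
        mode=$(ls -l "$k" | cut -c1-10)
        [ "$mode" = "-rw-------" ] || { echo "$k is $mode, want -rw-------" >&2; return 1; }
    done
    return 0
}

# Usage: sh thisscript.sh build <client-name>   (destination dirs are assumptions)
if [ "${1:-}" = "build" ]; then
    build_pki && build_client "$2" &&
    pki_complete "$EASYRSA_DIR/pki" "$SERVER_NAME" &&
    install_server_keys "$EASYRSA_DIR/pki" "$SERVER_NAME" /usr/local/etc/openvpn/keys &&
    install_client_keys "$EASYRSA_DIR/pki" "$2" "/tmp/$2-keys" &&
    keys_dir_ok /usr/local/etc/openvpn/keys
fi
```

The client bundle still has to reach the client over a channel you trust (scp, or a removable medium), since it contains that client's private key.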
Now OpenVPN can be configured.
Move back to the OpenVPN directory:
Edit the server configuration file
Uncomment this line for non-Windows systems.
Edit the paths where the keys are located.
Edit the Diffie-Hellman parameter path:
As noted From the Easy-RSA wiki:
Important note: some OpenVPN configs rely on the deprecated "Netscape" cert attribute called nsCertType. This is deprecated behavior, and Easy-RSA 3 does not enable this by default like v2 did. Please use the --remote-cert-tls directive in your OpenVPN config files for MITM protection.
So if you are concerned with preventing man-in-the-middle attacks, adding 'remote-cert-tls server' on the client and 'remote-cert-tls client' on the server seems to be the way to go: each side then rejects a peer certificate that was not issued for that role, so a client certificate cannot be used to impersonate the server.
On the client, find the OpenVPN configuration file. On FreeBSD sample configuration files are in
Copy them to the OpenVPN directory:
Edit the server name, use the hostname or ip:
As done with the server, replace the keys with their proper paths:
Optionally add remote-cert-tls if you did so on the server.
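The server and client configuration edits described above, as an added example that is not part of the original post. It rewrites copies of the sample server.conf and client.conf with the key paths and the remote-cert-tls directive; it avoids sed -i because BSD and GNU sed disagree on that flag. The keys directories, the server hostname and the client name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: apply the server.conf/client.conf
# edits from the text to copies of the sample files. Key locations, the server
# hostname and the client name are assumptions.

# Replace every occurrence of a directive (active, or commented out with ';'
# or '#', as the sample files do) with one active line "directive value".
# Rewrites $1 in place through a temporary file, so no sed -i is needed.
set_directive() {  # $1 = config file, $2 = directive, $3 = value
    tmp="$1.tmp.$$"
    { grep -v "^[;#]*[[:space:]]*$2[[:space:]]" "$1"; echo "$2 $3"; } > "$tmp" &&
    mv "$tmp" "$1"
}

# Active value of a directive (last match), used to check the result.
directive_value() {  # $1 = config file, $2 = directive
    sed -n "s/^$2[[:space:]][[:space:]]*//p" "$1" | tail -n 1
}

# Server: point at the installed key material and require that the peer's
# certificate was issued as a client (remote-cert-tls client).
configure_server() {  # $1 = server.conf, $2 = keys dir
    set_directive "$1" ca   "$2/ca.crt"             &&
    set_directive "$1" cert "$2/openvpn-server.crt" &&
    set_directive "$1" key  "$2/openvpn-server.key" &&
    set_directive "$1" dh   "$2/dh.pem"             &&
    set_directive "$1" remote-cert-tls client
}

# Client: the server's hostname or IP (a DDNS name works too) on 1194/UDP,
# its own cert and key, and remote-cert-tls server so that only a
# certificate issued as a server is accepted from the far end.
configure_client() {  # $1 = client.conf, $2 = server host or IP, $3 = client name, $4 = keys dir
    set_directive "$1" remote "$2 1194"   &&
    set_directive "$1" ca     "$4/ca.crt" &&
    set_directive "$1" cert   "$4/$3.crt" &&
    set_directive "$1" key    "$4/$3.key" &&
    set_directive "$1" remote-cert-tls server
}

# Usage with assumed paths (copy the sample files first):
#   configure_server /usr/local/etc/openvpn/server.conf /usr/local/etc/openvpn/keys
#   configure_client /usr/local/etc/openvpn/client.conf vpn.example.net alice /usr/local/etc/openvpn/keys
```

Because set_directive removes every commented-out copy of a directive before appending the active one, the sample's alternative lines such as ";remote my-server-2 1194" do not survive as stale leftovers.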
Enable OpenVPN to start on boot as a tun device on both server and client.
On server and client, logging can be setup with syslog.
Add the following to the end of syslog before the
Setup log rotation.
Add the following to the list of logs:
OpenVPN can now be started.
After starting it, run ifconfig; a new tun interface should appear.
Once OpenVPN is set up, a few things remain to make it fully operational. Some security should probably be added to the server; if OpenVPN is being used within a network, ports may need to be forwarded; and DDNS may need to be set up.
If OpenVPN is being run inside a network, ports may need to be forwarded to OpenVPN. Since I am using OpenVPN inside of my home network I had to forward port 1194/UDP. UDP is the recommended protocol, as it functions best as a tunnel; however, depending on where OpenVPN is being used, UDP may not work, in which case 443/TCP or 994/TCP is recommended.
If ports are opened, keep in mind that this puts nothing between the internet and the server, so security should be considered. At minimum, a firewall should probably be set up if OpenVPN is going to be exposed to the internet. IPFW is a simple firewall that is easy to set up and is built into FreeBSD.
If OpenVPN is being used inside of a home network, most people's internet-facing IPs are not static. To be able to reach an ever-changing IP, DDNS can be used. DDNS checks for changes in the external IP and maps a persistent hostname to the current IP.
DDNS is often offered by domain hosting providers; however, there are also free options out there like NO-IP. Most routers will also integrate with one or more DDNS providers.
NO-IP offers free DDNS, and will supply a domain which will remain yours as long as it is used once every 30 days. They also have a client that supports FreeBSD.
NO-IP requires you to register; they will then allow you to choose an address that will link to your IP.
After registering and creating an address, install NO-IP:
The install should have created a group and user:
Generate a configuration file by running make conf in the noip port directory:
It will ask for your username, interface and password:
Start NO-IP and enable it to start at boot: