While trying to setup OpenVPN, I noticed there was no up-to-date information with correct instructions. OpenVPN uses EasyRSA to setup keys, it has recently been changed in version 3. As a result of this, the old steps to configure OpenVPN are no longer correct. I went through the process of setting up a VPN using OpenVPN on FreeBSD 10.3.
This is the up to date way to configure OpenVPN on FreeBSD.
Setup Link to heading
A few things are required before OpenVPN can be setup.
Install Needed Software Link to heading
To start with, install the required software. The only thing necessary to install should be OpenVPN. Easy-RSA is brought along in the install.
After updating the package repository, install
openvpn. I’m using pkg, if you are using ports you should know the analagous process.
[root]# pkg update [root]# pkg install openvpn
Setup Directory Structure for Configuration Link to heading
OpenVPN has sample configuration files, make a directory for configuration
[root]# mkdir /usr/local/etc/openvpn
Copy the sample files:
[root]# cp /usr/local/share/examples/openvpn/sample-config-files/server.conf \ /usr/local/etc/openvpn/openvpn.conf
The configuration files for Easy-RSA are also needed, copy them to the configuration directory:
[root]# cp -r /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa
Configuration Link to heading
Now that we have all the required files, configuration can start.
Easy-RSA Link to heading
To start, configure keys with Easy-RSA.
Move into the Easy-RSA directory
[root]# cd /usr/local/etc/openvpn/easy-rsa
Inside should be several files:
[root]# ls easyrsa.real openssl-1.0.cnf.example vars.example openssl-1.0.cnf vars x509-types
Edit Easy-RSA Configuration Files Link to heading
vars file, edit the required fields replacing them with the proper data. Any fields being used should be uncommented.
Set the organizational fields:
set_var EASYRSA_REQ_COUNTRY "<COUNTRY>" set_var EASYRSA_REQ_PROVINCE "<PROVINCE>" set_var EASYRSA_REQ_CITY "<CITY>" set_var EASYRSA_REQ_ORG "<ORGANIZATION>" set_var EASYRSA_REQ_EMAIL "<EMAIL>" set_var EASYRSA_REQ_OU "<ORGANIZATIONAL UNIT>"
Set bit size, 2048 is reccomended:
set_var EASYRSA_KEY_SIZE 2048
Set expiry number in days:
# In how many days should the root CA key expire? set_var EASYRSA_CA_EXPIRE 3650 # In how many days should certificates expire? set_var EASYRSA_CERT_EXPIRE 3650
Generate Keys Link to heading
Now keys can be generated with the
easyrsa.real shell script.
By default FreeBSD uses the “c shell”, this can cause problems due to the configuration script setting variables in a different way. To avoid these issues change into the “bourne shell”,
sh when running the script.
To see all easy-rsa commands, run:
sh-4.3# ./easyrsa.real help
For detailed usage and help for a command, run:
sh-4.3# ./easyrsa help COMMAND
To get a listing of options that can be supplied before the command, use:
sh-4.3# ./easyrsa help options
Full list of commands available:
init-pki build-ca [ cmd-opts ] gen-dh gen-req <filename_base> [ cmd-opts ] sign-req <type> <filename_base> build-client-full <filename_base> [ cmd-opts ] build-server-full <filename_base> [ cmd-opts ] revoke <filename_base> gen-crl update-db show-req <filename_base> [ cmd-opts ] show-cert <filename_base> [ cmd-opts ] import-req <request_file_path> <short_basename> export-p7 <filename_base> [ cmd-opts ] export-p12 <filename_base> [ cmd-opts ] set-rsa-pass <filename_base> [ cmd-opts ] set-ec-pass <filename_base> [ cmd-opts ]
Initialize Public Key Infrastructure Link to heading
sh-4.3# ./easyrsa.real init-pki
Note: using Easy-RSA configuration from: ./vars init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /usr/local/etc/openvpn/easy-rsa/pki
Build Certificate Authority Link to heading
Follow instructions entering a CA password and common name.
sh-4.3# ./easyrsa.real build-ca
Server Certificates Link to heading
Generate certificates for a server with the name openvpn-server. Use “nopass” to generate an unencrypted key so that a password is not required by the server on startup. This is what most people use on the server; however, this means it must be protected carefully.
sh-4.3# ./easyrsa.real build-server-full openvpn-server nopass
Check if successful:
sh-4.3# ./easyrsa.real show-cert openvpn-server
Client Certificate Link to heading
Build client certificate(s), use a unique name for each certificate.:
sh-4.3# ./easyrsa.real build-client-full <name>
Diffie Hellman Parameters Link to heading
Generate Diffie Hellman parameters:
sh-4.3# ./easyrsa.real gen-dh
Move Keys Link to heading
With the files created, move the key’s to their destination.
The files of importance are:
dh.pem- Diffie Hellman parameters. Needed by server.
ca.crt- Root CA certificate. Needed by server and all clients.
openvpn-server.crt- Server certificate. Needed by server.
<name>.crt- Client certificate. Needed by client.
pki/private/ [These are secret]:
openvpn-server.key- Server key. Needed by server.
<name>.key- Client key. Needed by client.
ca.key- Root CA key. Needed by key signing machine.
So the following keys should be moved to the server:
If the server is the same machine as the machine used as the Certificate Authority, make a directory for the keys in the
[root]# mkdir /usr/local/etc/openvpn/keys
Move the server keys:
[root]# cp pki/dh.pem \ pki/ca.crt \ pki/issued/openvpn-server.crt \ pki/private/openvpn-server.key \ /usr/local/etc/openvpn/keys
and the following moved to each client:
OpenVPN Link to heading
Now OpenVPN can be configured.
Move back to the OpenVPN directory:
[root]# cd /usr/local/etc/openvpn
Server Config Link to heading
Edit the server configuration file
Uncomment this out for non-Windows systems.
user nobody group nobody
Edit the paths where the keys are located.
ca /usr/local/etc/openvpn/keys/ca.crt cert /usr/local/etc/openvpn/keys/openvpn-server.crt key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
Edit the diffie helman parameter path:
As noted From the Easy-RSA wiki:
Important note: some OpenVPN configs rely on the deprecated “Netscape” cert attribute called nsCertType. This is deprecated behavior, and Easy-RSA 3 does not enable this by default like v2 did. Please use the –remote-cert-tls directive in your OpenVPN config files for MITM protection.
So if you are concerned with preventing man in the middle attacks, adding ‘remote-cert-tls server’ on the client and ‘remote-cert-tls client’ on the server seems to be the way to go.
Client Config Link to heading
On the client, find the OpenVPN configuration file. On FreeBSD sample configuration files are in
Copy them to the OpenVPN directory:
[root]# cp /usr/local/share/examples/openvpn/sample-config-files/client.conf \ /usr/local/etc/openvpn/client.conf
Edit the server name, use the hostname or ip:
remote <openvpn-server ip> 1194
As done with the server, replace the keys with their proper paths:
ca /usr/local/etc/openvpn/keys/ca.crt cert /usr/local/etc/openvpn/keys/<name>.crt key /usr/local/etc/openvpn/keys/<name>.key
Optinally add remote-cert-tls if you did so on the server.
Enable OpenVPN Link to heading
Enable OpenVPN to start on boot as a tun device on both server and client.
[root]# sysrc openvpn_enable="YES" [root]# sysrc openvpn_if="tun"
Setup Logging Link to heading
On server and client, logging can be setup with syslog.
[root]# nano /etc/syslog.conf
Add the following to the end of syslog before the
!openvpn *.* /var/log/openvpn.log
Setup log rotation.
[root]# nano /etc/newsyslog.conf
Add the following to the list of logs:
/var/log/openvpn.log 600 30 * @T00 ZC
Start Openvpn Link to heading
OpenVPN can now be started.
[root]# service openvpn start
ifconfig, a new tun interface should appear.
[root]# ifconfig ifconfig tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500 options=80000<LINKSTATE> inet6 fe80::20a:e4ff:fe84:a87%tun0 prefixlen 64 tentative scopeid 0x3 inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> Opened by PID 97347
Finishing Tasks Link to heading
Once OpenVPN is set up, there are a few things that should be done to make it fully operational. Some security should probably be added to the server, if OpenVPN is being used within a network, ports may need to be forwarded, and DDNS may need to be set up.
Port Forwarding Link to heading
If OpenVPN is being run inside a network, ports may need to be forwarded to OpenVPN. Since I am using OpenVPN inside of my home network I had to forward port 1194/UDP. UDP is the reccomended protocol to use, as it functions best as a tunnel; however, depending on where OpenVPN is being used, UDP may not work, in which case 443/TCP or 994/TCP is recommended.
Firewall Link to heading
If ports are opened, keep in mind that puts nothing between the internet and the server so security should be kept in mind. At minimum, a fireall should probably be set up if OpenVPN is going to be open to the internet, IPFW is a simple firewall that is easy to setup and is built into FreeBSD.
Dynamic DNS Link to heading
If OpenVPN is being used inside of a home network, most people’s internet facing IP’s are not static. In order to be able to access an ever changing IP, DDNS can be used. DDNS will check for changes in the external IP, and will map a persistent URL to the current IP.
DDNS is often offered by domain hosting providers, however there are also free options out there like NO-IP. Most routers will also often integrate with one or more DDNS providers.
NO-IP Link to heading
NO-IP offers free DDNS, and will supply a domain which will remain yours as long as it is used once every 30 days. They also have a client that supports FreeBSD.
NO-IP requires you to register, they will then allow you to choose an address that will link to your IP.
After registering and creating an address, install NO-IP:
[root]# pkg install noip
The install should have created a group and user:
Installing noip-2.1.9_3... ===> Creating users and/or groups. Creating group 'noip' with gid '939'. Creating user 'noip' with uid '939'.
Generate a configuration file by running
make conf in the noip port directory:
[root]# cd /usr/ports/dns/noip [root]# make conf
It will ask for your username, interface and password:
Please select the Internet interface from this list. By typing the number associated with it. 0 sge0 1 lo0 2 tun0 2 Please enter the login/email string for no-ip.com <noip email> Please enter the password for user '<noip email>' **************************************************************** Only one host [<noip domain>] is registered to this account. It will be used. Please enter an update interval: Do you wish to run something at successful update?[N] (y/N) N New configuration file '/usr/local/etc/no-ip2.conf' created.
Start NO-IP and enable it to start at boot:
[root]# service noip start [root]# sysrc noip_enable="YES"