Friday, March 18, 2011

Configuring OpenVPN on FreeBSD [Quick Guide]

[Note: This post is a work in progress.]

pkg_add -r openvpn


mkdir -p /usr/local/etc/openvpn
cd /usr/local/etc/openvpn
touch openvpn.conf

cp -R /usr/local/share/doc/openvpn/easy-rsa .

cd easy-rsa/2.0/

[Edit the vars file to reflect your details. This will save you the trouble of having to type your organisation's details every time you generate a certificate. You may also need to change your shell to sh to execute the scripts. I also had to do a chmod +x * in that directory.]


[Generate Server Key named server1]
./build-key-server server1

[Generate Keys for clients]
./build-key hpserver
./build-key acerlaptop

[Generate Diffie-Hellman keys]

#The following keys have been copied from /usr/local/etc/openvpn/easy-rsa/2.0/keys

ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem

Now, edit openvpn.conf (on the server-end) as follows. Substitute IP addresses as required.

[OpenVPN Server Config]
#Configuration of OpenVPN Server

port 1194
proto tcp
dev tun

ca keys/ca.crt
cert keys/server.crt
key keys/server.key

dh keys/dh1024.pem

ifconfig-pool-persist ipp.txt

client-config-dir ccd #Client specific settings, e.g. Fixed IP Addresses
client-to-client #Allow clients to communicate with each other

push "route"

keepalive 60 120


status open-status.log
verb 3

Copy the generated client keys to /etc/openvpn/. You will need to copy, for example, acerlaptop.crt, acerlaptop.key and ca.crt, and reference them in openvpn.conf on the client as follows.

[OpenVPN Client Config]
#Configuration of OpenVPN Client

dev tun
proto tcp

remote 1194 #public ip address and port of vpn server


#client certificates
ca ca.crt
cert acerlaptop.crt
key acerlaptop.key
ns-cert-type server
verb 3
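Before starting either end, it is worth checking that the files the config points at actually exist where OpenVPN will look for them and that the private keys are not readable by other users on the machine. The following POSIX sh script is an added example (it is not from the original post and not part of OpenVPN). It assumes the daemon is started with --cd pointing at the config's directory, so relative paths such as keys/ca.crt resolve against that directory, and it builds constructed sample directories to run against. For the server config it checks the ca, cert, key and dh directives; for the client config it checks ca, cert and key, and also that "ns-cert-type server" (or its successor, remote-cert-tls server) is present, because without it the client will accept anything holding a certificate signed by the same CA, including another client's certificate, as the server.

```shell
#!/bin/sh
# Pre-flight check for the server and client openvpn.conf files in this guide.
# Added example: not from the original post and not part of OpenVPN.
# Assumption: openvpn is started with --cd pointing at the config directory,
# so relative paths such as keys/ca.crt resolve against that directory.

# Print the first argument of a directive, ignoring '#' and ';' comments.
# Usage: conf_value <conf-file> <directive>
conf_value() {
    sed -e 's/[#;].*$//' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# Resolve a path taken from the config against the config's own directory.
resolve_path() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$2" ;;
    esac
}

# True when group or other can read the file (ls columns 5-10 hold those bits).
group_or_other_readable() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# preflight <conf-file> <server|client>
# Prints one line per problem; returns non-zero when any were found.
preflight() {
    conf="$1"; role="$2"; problems=0
    wanted="ca cert key"
    if [ "$role" = server ]; then wanted="$wanted dh"; fi
    for directive in $wanted; do
        file=$(conf_value "$conf" "$directive")
        if [ -z "$file" ]; then
            echo "$directive: directive missing from $conf"
            problems=$((problems + 1)); continue
        fi
        path=$(resolve_path "$conf" "$file")
        if [ ! -f "$path" ]; then
            echo "$directive: $path does not exist"
            problems=$((problems + 1))
        elif [ "$directive" = key ] && group_or_other_readable "$path"; then
            echo "key: $path is readable by group or other (chmod 600 it)"
            problems=$((problems + 1))
        fi
    done
    # Without this a client trusts any certificate the CA signed, including
    # another client's, as the server.
    if [ "$role" = client ] && [ "$(conf_value "$conf" ns-cert-type)" != server ] \
        && [ "$(conf_value "$conf" remote-cert-tls)" != server ]; then
        echo "client: neither 'ns-cert-type server' nor 'remote-cert-tls server' is set"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed server tree laid out like the guide's. Usage: make_sample_tree <good|broken>
make_sample_tree() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/ovpn-server.XXXXXX")
    mkdir "$dir/keys"
    printf '%s\n' 'port 1194' 'proto tcp' 'dev tun' 'ca keys/ca.crt' \
        'cert keys/server.crt' 'key keys/server.key' 'dh keys/dh1024.pem' \
        > "$dir/openvpn.conf"
    for f in ca.crt dh1024.pem server.key; do : > "$dir/keys/$f"; done
    chmod 600 "$dir/keys/server.key"
    if [ "$1" = good ]; then
        : > "$dir/keys/server.crt"
    else
        : > "$dir/keys/server1.crt"        # certificate built under another name
        chmod 644 "$dir/keys/server.key"   # key copied with a permissive umask
    fi
    printf '%s\n' "$dir"
}

# Constructed client config beside its files. Usage: make_client_conf <good|broken>
make_client_conf() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/ovpn-client.XXXXXX")
    for f in ca.crt acerlaptop.crt acerlaptop.key; do : > "$dir/$f"; done
    chmod 600 "$dir/acerlaptop.key"
    printf '%s\n' 'dev tun' 'proto tcp' 'ca ca.crt' 'cert acerlaptop.crt' \
        'key acerlaptop.key' > "$dir/openvpn.conf"
    if [ "$1" = good ]; then echo 'ns-cert-type server' >> "$dir/openvpn.conf"; fi
    printf '%s\n' "$dir/openvpn.conf"
}

main() {
    for kind in good broken; do
        tree=$(make_sample_tree "$kind"); client=$(make_client_conf "$kind")
        echo "== server config ($kind) =="
        if preflight "$tree/openvpn.conf" server; then echo "no problems found"; fi
        echo "== client config ($kind) =="
        if preflight "$client" client; then echo "no problems found"; fi
        rm -r "$tree" "$(dirname "$client")"
    done
}

main
```

Run it as-is to see both the clean and the broken sample trees reported; to check a real installation, call preflight /usr/local/etc/openvpn/openvpn.conf server (or the client's path with client) from a shell that has sourced the script. A certificate built under a different name than the one the config references, or a key copied with a permissive umask, shows up here rather than as a failed daemon start.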

[Auto-start openvpn]
Add the following in /etc/rc.conf on the server.


If it is not already present, also add the following knob to /etc/rc.conf so that the server can route between your LAN and VPN subnets.


Note: Some documentation proposes adding if_tun_load="YES" to /boot/loader.conf. I found that it is not necessary. OpenVPN will load the required device driver automatically. You can try adding it if OpenVPN fails to start, or load the driver dynamically at a prompt by issuing kldload if_tun.


The OpenVPN documentation provides a more in-depth explanation. It can be viewed at: