Set up a FreeBSD OpenVPN Server for a site-to-site tunnel

First, install openvpn from ports or from pkg.


Commands starting with a # must be executed as root.
Commands starting with a $ must be executed as a normal user.

# mkdir /usr/local/etc/openvpn

Create and edit /usr/local/etc/openvpn/openvpn.conf:

port XXXX # Your listening port
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/vpn.crt
key /usr/local/etc/openvpn/keys/vpn.key # This file should be kept secret
crl-verify /usr/local/etc/openvpn/keys/crl.pem
dh /usr/local/etc/openvpn/keys/dh.pem
ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt
server X.Y.Z.0 255.255.255.0 # your tunnel ip configuration
client-config-dir /usr/local/etc/openvpn/ccd
keepalive 10 30
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 4
cipher AES-128-CBC
route C.B.A.0 255.255.255.0 # Add the return route to remote end point

We need to configure OpenVPN’s certificate authority now:

# cp -r /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa

Edit /usr/local/etc/openvpn/easy-rsa/vars.

Change the key size by modifying this line:

set_var EASYRSA_KEY_SIZE 4096

Now we will initialise the PKI system:

# cd /usr/local/etc/openvpn/easy-rsa
# export EASYRSA=${PWD}
# easyrsa init-pki
Note: using Easy-RSA configuration from: /usr/local/etc/openvpn/easy-rsa/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/etc/openvpn/easy-rsa/pki

Now we build the CA:

# easyrsa build-ca
Note: using Easy-RSA configuration from: /usr/local/etc/openvpn/easy-rsa/vars
Generating a 4096 bit RSA private key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/etc/openvpn/easy-rsa/pki/ca.crt

Now the Diffie-Hellman parameter file:

# easyrsa gen-dh
Note: using Easy-RSA configuration from: /usr/local/etc/openvpn/easy-rsa/vars
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
DH parameters of size 4096 created at /usr/local/etc/openvpn/easy-rsa/pki/dh.pem

Now the key and certificate request for the VPN server, identified as vpn:

# easyrsa gen-req vpn nopass
Note: using Easy-RSA configuration from: /usr/local/etc/openvpn/easy-rsa/vars
Generating a 4096 bit RSA private key
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/vpn.key.HrSHTO16JN'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Keypair and certificate request completed. Your files are:
req: /usr/local/etc/openvpn/easy-rsa/pki/reqs/vpn.req
key: /usr/local/etc/openvpn/easy-rsa/pki/private/vpn.key

This request needs to be signed by the CA; have the CA pass phrase ready:

# easyrsa sign server vpn
Note: using Easy-RSA configuration from: /usr/local/etc/openvpn/easy-rsa/vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = XXXXXXXX
Type the word 'yes' to continue, or any other input to abort.
Confirm request details:
(answer 'yes' and use the pass phrase from the CA step above)
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'XXXXXXXX'
Certificate is to be certified until Aug 17 15:56:57 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /usr/local/etc/openvpn/easy-rsa/pki/issued/vpn.crt

# easyrsa gen-crl
Note: using Easy-RSA configuration from: /usr/local/etc/openvpn/easy-rsa/vars
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key:
An updated CRL has been created.
CRL file: /usr/local/etc/openvpn/easy-rsa/pki/crl.pem

Now we need to copy some files into the OpenVPN working directory:

# mkdir /usr/local/etc/openvpn/ccd
# cd /usr/local/etc/openvpn/easy-rsa/pki
# mkdir -p /usr/local/etc/openvpn/keys
# cp -p ca.crt crl.pem dh.pem index* serial* private/vpn.key issued/vpn.crt /usr/local/etc/openvpn/keys/

We’re now ready to add some users… repeat the following for each new client you want to create:

# easyrsa gen-req client1 nopass
# easyrsa sign client client1
# cd /usr/local/etc/openvpn/easy-rsa/pki
# cp -p private/client1.key issued/client1.crt /usr/local/etc/openvpn/keys/

Also create a file for each client called /usr/local/etc/openvpn/ccd/client1 (where client1 is the client's common name) containing:

iroute C.B.A.0 255.255.255.0 # the remote LAN behind this client, matching the route line in openvpn.conf
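A check worth running before starting the service, added here as an example (not part of the original article): for the site-to-site return path to work, the `route` in openvpn.conf and the `iroute` in the client's ccd file must name the same network. The script below parses both files, reports mismatches, malformed network addresses and duplicate claims, and warns about `comp-lzo`; the addresses in the sample input are constructed placeholders.

```python
import ipaddress

def parse_directives(text):
    """Return [(directive, [args])] for an OpenVPN config, dropping # comments."""
    out = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            out.append((parts[0], parts[1:]))
    return out

def networks(text, name, findings, where):
    """Networks declared by 'route'/'iroute' lines; malformed ones become findings."""
    nets = set()
    for d, args in parse_directives(text):
        if d != name:
            continue
        try:  # strict parsing: 'iroute 192.168.60.1 255.255.255.0' is a misconfiguration
            nets.add(ipaddress.ip_network(f"{args[0]}/{args[1]}"))
        except (IndexError, ValueError):
            findings.append(f"{where}: malformed '{name} {' '.join(args)}'")
    return nets

def check_site_to_site(server_conf, ccd):
    """Return findings for openvpn.conf text + {client: ccd text}; [] means consistent."""
    findings = []
    routes = networks(server_conf, "route", findings, "openvpn.conf")
    owners = {}  # network -> client whose ccd file claims it with iroute
    for client, text in ccd.items():
        for net in networks(text, "iroute", findings, f"ccd/{client}"):
            if net in owners:
                findings.append(f"{net}: iroute claimed by both {owners[net]} and {client}")
            owners[net] = client
    for net in routes - set(owners):
        findings.append(f"{net}: 'route' in openvpn.conf but no ccd file has a matching 'iroute'")
    for net in set(owners) - routes:
        findings.append(f"{net}: 'iroute' in ccd/{owners[net]} but no 'route' in openvpn.conf")
    if any(d == "comp-lzo" for d, _ in parse_directives(server_conf)):
        findings.append("comp-lzo: compression is deprecated in OpenVPN 2.4+; remove it")
    return findings

# Constructed sample input with placeholder addresses (not from the article).
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
route 192.168.50.0 255.255.255.0 # Add the return route to remote end point
route 192.168.70.0 255.255.255.0
comp-lzo
"""
CCD = {"client1": "iroute 192.168.50.0 255.255.255.0\n",
       "client2": "iroute 192.168.60.1 255.255.255.0\n"}  # host bits set
```

Run it against the real files with `check_site_to_site(open("/usr/local/etc/openvpn/openvpn.conf").read(), {name: open(path).read() for each ccd entry})`; an empty list means every route has exactly one owning client.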

Everything is in place now; we just need to load the kernel modules and start the service:

# sysctl net.inet.ip.fw.default_to_accept="1"
# kldload aesni crypto if_tap
# service openvpn start

Add the following lines to /boot/loader.conf so the same settings apply at boot:

net.inet.ip.fw.default_to_accept="1"
aesni_load="YES"
crypto_load="YES"
if_bridge_load="YES"
if_tap_load="YES"
ipfw_load="YES"
ipfw_nat_load="YES"