Friday, March 18, 2011

Configuring OpenVPN on FreeBSD [Quick Guide]

[Note: This post is a work in progress.]

pkg_add -r openvpn

rehash

mkdir -p /usr/local/etc/openvpn
cd /usr/local/etc/openvpn
touch openvpn.conf

cp -R /usr/local/share/doc/openvpn/easy-rsa .

cd easy-rsa/2.0/

[Edit the vars file to reflect your details. This will save you the trouble of having to type your organisation's details every time you generate a certificate. You may also need to change your shell to sh to execute the scripts. I also had to do a chmod +x * in that directory.]

[Source the vars file first so that clean-all and the build scripts see KEY_DIR and your organisation details; running "./vars" on its own executes it in a subshell and sets nothing.]
. ./vars
./clean-all
./build-ca

[Generate Server Key named server1]
./build-key-server server1

[Generate Keys for clients]
./build-key hpserver
./build-key acerlaptop

[Generate Diffie-Hellman keys]
./build-dh

[Copy the generated keys]
#The following keys have been copied from /usr/local/etc/openvpn/easy-rsa/2.0/keys to /usr/local/etc/openvpn/keys
#Note: build-key-server server1 produces server1.crt and server1.key; rename them to server.crt and server.key, or adjust the paths below to match.

ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem

Now, edit openvpn.conf (on the server-end) as follows. Substitute IP addresses as required.

[OpenVPN Server Config]
#Configuration of OpenVPN Server

port 1194
proto tcp
dev tun

ca keys/ca.crt
cert keys/server.crt
key keys/server.key

dh keys/dh1024.pem


server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt


client-config-dir ccd #Client specific settings, e.g. Fixed IP Addresses
client-to-client #Allow clients to communicate with each other

push "route 192.168.0.0 255.255.0.0"

keepalive 60 120

comp-lzo
persist-key
persist-tun

status open-status.log
verb 3



Copy the generated client keys to /etc/openvpn/ on the client. For the laptop, for example, you will need acerlaptop.crt, acerlaptop.key and ca.crt, and you reference them in the client's openvpn.conf as follows.



[OpenVPN Client Config]
#Configuration of OpenVPN Client

client
dev tun
proto tcp

remote openvpn.dyndns.org 1194 #public ip address and port of vpn server

nobind
persist-key
persist-tun

#client certificates
ca ca.crt
cert acerlaptop.crt
key acerlaptop.key
ns-cert-type server
comp-lzo
verb 3
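As an added check that is not part of the original post: a small Python script that parses server and client files like the two above and reports the mismatches that stop a client from connecting (proto, port, comp-lzo), a client that omits ns-cert-type server or remote-cert-tls (without it, any certificate signed by the same CA, including another client's, could pose as the server), and server key files that were never copied into place. The sample configs inside it are constructed to mirror this post.

```python
"""Cross-check an OpenVPN server config against a client config for mismatches
that silently break the tunnel, and for a client that skips server-cert checks."""
import os
import shlex

def parse_conf(text):
    """Parse openvpn.conf text into {directive: [args]}; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith(";"):
            continue
        parts = shlex.split(raw, comments=True)  # drops '# ...', honours quotes
        if parts:
            opts[parts[0]] = parts[1:]
    return opts

def check_pair(server, client, server_dir=None):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    sproto, cproto = server.get("proto", ["udp"])[0], client.get("proto", ["udp"])[0]
    if sproto != cproto:
        problems.append("proto mismatch: server %s, client %s" % (sproto, cproto))
    sport, remote = server.get("port", ["1194"])[0], client.get("remote", [])
    cport = remote[1] if len(remote) > 1 else "1194"  # 'remote host [port]'
    if sport != cport:
        problems.append("port mismatch: server %s, client remote %s" % (sport, cport))
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        problems.append("comp-lzo enabled on one side only")
    if "ns-cert-type" not in client and "remote-cert-tls" not in client:
        problems.append("client never checks that the server cert is a server cert")
    if server_dir is not None:  # optionally confirm the server's key files exist
        for opt in ("ca", "cert", "key", "dh"):
            path = os.path.join(server_dir, server.get(opt, ["<unset>"])[0])
            if not os.path.isfile(path):
                problems.append("server %s file missing: %s" % (opt, path))
    return problems

# Constructed samples mirroring the server and client files in this post.
SERVER_CONF = ("port 1194\nproto tcp\nca keys/ca.crt\ncert keys/server.crt\nkey keys/server.key\n"
               "dh keys/dh1024.pem\nserver 10.0.0.0 255.255.255.0\nclient-config-dir ccd #fixed IPs\ncomp-lzo\n")
GOOD_CLIENT = ("client\nproto tcp\nremote openvpn.dyndns.org 1194 #vpn server\nca ca.crt\n"
               "cert acerlaptop.crt\nkey acerlaptop.key\nns-cert-type server\ncomp-lzo\n")
BAD_CLIENT = "client\nremote openvpn.dyndns.org 443\nca ca.crt\ncert acerlaptop.crt\nkey acerlaptop.key\n"

def run_checks(client_text):
    """Check one client config against the post's server config (no file check)."""
    return check_pair(parse_conf(SERVER_CONF), parse_conf(client_text))

if __name__ == "__main__":
    print(run_checks(GOOD_CLIENT) or "consistent", run_checks(BAD_CLIENT))
```

Pass server_dir="/usr/local/etc/openvpn" to check_pair on the server itself to confirm the copied key files are where the config expects them.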


[Auto-start openvpn]
Add the following in /etc/rc.conf on the server.

openvpn_enable="YES"

If not already present, also add the following knob in /etc/rc.conf to allow the server to route between your LAN and VPN subnets.

gateway_enable="YES"

Note: Some documentation proposes adding if_tun_load="YES" to /boot/loader.conf. I found that it is not necessary: OpenVPN loads the required device driver automatically. You can try adding it if OpenVPN fails to start, or load the module on the spot at a prompt by issuing kldload if_tun.

---

The OpenVPN documentation provides a more in-depth explanation; see http://openvpn.net/index.php/open-source/documentation/howto.html.
