{"id":1843,"date":"2018-12-31T21:22:14","date_gmt":"2018-12-31T18:22:14","guid":{"rendered":"http:\/\/kifarunix.com\/?p=1843"},"modified":"2018-12-31T21:22:14","modified_gmt":"2018-12-31T18:22:14","slug":"install-and-configure-openvpn-server-freebsd-12","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-configure-openvpn-server-freebsd-12\/","title":{"rendered":"Install and Configure OpenVPN Server FreeBSD 12"},"content":{"rendered":"<p>Welcome to our yet another guide on how install and configure OpenVPN server FreeBSD 12. We learnt how to <a href=\"https:\/\/kifarunix.com\/install-and-setup-openvpn-server-on-fedora-29-centos-7\/\" target=\"_blank\" rel=\"noopener\">install and setup OpenVPN Server on Fedora 29\/CentOS 7<\/a> on our previous guide.<\/p>\n<h2>Install and Configure OpenVPN Server FreeBSD 12<\/h2>\n<p>To kick off with, you need to update your FreeBSD 12 package repository.<\/p>\n<pre>pkg update<\/code><\/pre>\n<p>Install OpenVPN and Easy-RSA packages<\/p>\n<pre>pkg install openvpn easy-rsa<\/code><\/pre>\n<p>Create a directory to store the server configuration files, the CA, server keys and certificate files.<\/p>\n<pre>mkdir -p \/usr\/local\/etc\/openvpn\/easy-rsa<\/code><\/pre>\n<pre>mkdir \/usr\/local\/etc\/openvpn\/server<\/code><\/pre>\n<p>Copy the sample OpenVPN and Easy-RSA sample configuration files to the respective configuration directories created above.<\/p>\n<pre>cp \/usr\/local\/share\/examples\/openvpn\/sample-config-files\/server.conf \/usr\/local\/etc\/openvpn\/server\/<\/code><\/pre>\n<pre>cp -r \/usr\/local\/share\/easy-rsa\/* \/usr\/local\/etc\/openvpn\/easy-rsa\/<\/code><\/pre>\n<h3>Generate the Local CA, Keys and Certificate files with EasyRSA<\/h3>\n<p>The certificate variables are set in the <code>\/usr\/local\/etc\/openvpn\/easy-rsa\/vars<\/code> file. In order to ease the generation of the certificate, edit this file, uncomment and adjust the certificate values as follows;<\/p>\n<pre>vim \/usr\/local\/etc\/openvpn\/easy-rsa\/vars<\/code><\/pre>\n<pre>set_var EASYRSA_REQ_COUNTRY\t\"KE\"\r\nset_var EASYRSA_REQ_PROVINCE\t\"Nairobi\"\r\nset_var EASYRSA_REQ_CITY\t\"Nairobi\"\r\nset_var EASYRSA_REQ_ORG\t\t\"Kifarunix\"\r\nset_var EASYRSA_REQ_EMAIL\t\"admin@kifarunix.com\"\r\nset_var EASYRSA_REQ_OU\t\t\"Infrastructure\"\r\nset_var EASYRSA_KEY_SIZE\t2048\r\nset_var EASYRSA_CA_EXPIRE\t3650\r\nset_var EASYRSA_CERT_EXPIRE\t3650<\/code><\/pre>\n<p>Easy-RSA ships with certificate generation script called <code>easyrsa.real<\/code>. To generare the certificate files, navigate to <code>\/usr\/local\/etc\/openvpn\/easy-rsa\/<\/code> directory and proceed as follows;<\/p>\n<p>Initialize the PKI<\/p>\n<pre>cd \/usr\/local\/etc\/openvpn\/easy-rsa<\/code><\/pre>\n<pre>sh .\/easyrsa.real init-pki\r\nNote: using Easy-RSA configuration from: .\/vars\r\n\r\ninit-pki complete; you may now create a CA or requests.\r\nYour newly created PKI dir is: \/usr\/local\/etc\/openvpn\/easy-rsa\/pki<\/code><\/pre>\n<p>Build the CA certificate by running the command below. Set the CN and encryption password when prompted.<strong><br \/>\n<\/strong><\/p>\n<pre>sh .\/easyrsa.real build-ca<\/code><\/pre>\n<p>Generate a key and certificate file for the server and client.<\/p>\n<pre>sh .\/easyrsa.real build-server-full server nopass<\/code><\/pre>\n<pre>sh .\/easyrsa.real build-client-full client nopass<\/code><\/pre>\n<p>Generate Diffie-Hellman key file that can be used during the TLS handshake with connecting clients.<\/p>\n<pre><code class=\"language-shell\" data-lang=\"shell\">sh .\/easyrsa.real gen-dh<\/code><\/pre>\n<p>In case you need to invalidate a previously signed certificate, generate a revocation certificate.<\/p>\n<pre>sh .\/easyrsa.real gen-crl<\/code><\/pre>\n<p>Generate TLS\/SSL pre-shared authentication key<\/p>\n<pre>openvpn --genkey --secret \/usr\/local\/etc\/openvpn\/easy-rsa\/pki\/ta.key<\/code><\/pre>\n<p>Copy all the server keys and certificates from <code>\/usr\/local\/etc\/openvpn\/easy-rsa\/pki\/<\/code> to configuration directory created above.<\/p>\n<pre>cp -r \/usr\/local\/etc\/openvpn\/easy-rsa\/pki\/{ca.crt,dh.pem,ta.key,issued,private} \/usr\/local\/etc\/openvpn\/server\/<\/code><\/pre>\n<h2>Configure OpenVPN Server<\/h2>\n<p>Edit the server configuration file such that it looks the below without comments;<\/p>\n<pre>vim \/usr\/local\/etc\/openvpn\/server\/server.conf<\/code><\/pre>\n<pre>port 1194\r\nproto udp\r\ndev tun\r\nca \/usr\/local\/etc\/openvpn\/server\/ca.crt\r\ncert \/usr\/local\/etc\/openvpn\/server\/issued\/server.crt\r\nkey \/usr\/local\/etc\/openvpn\/server\/private\/server.key\r\ndh \/usr\/local\/etc\/openvpn\/server\/dh.pem\r\ntopology subnet\r\nserver 10.8.0.0 255.255.255.0\r\nifconfig-pool-persist ipp.txt\r\npush \"redirect-gateway def1 bypass-dhcp\"\r\npush \"dhcp-option DNS 208.67.222.222\"\r\npush \"dhcp-option DNS 208.67.220.220\"\r\nkeepalive 10 120\r\ntls-auth ta.key 0 # This file is secret\r\ncipher AES-256-CBC\r\ncomp-lzo\r\nuser nobody\r\ngroup nobody\r\npersist-key\r\npersist-tun\r\nstatus \/var\/log\/openvpn\/openvpn-status.log\r\nlog-append  \/var\/log\/openvpn\/openvpn.log\r\nverb 3\r\nexplicit-exit-notify 1\r\nauth sha512\r\nremote-cert-tls client<\/code><\/pre>\n<p>Create the log directory;<\/p>\n<pre>mkdir \/var\/log\/openvpn\/<\/code><\/pre>\n<h3>Configure Routing<\/h3>\n<p>Run the command below to configure IPv4 NAT routing. This enables the <code>ipfw<\/code> firewall which is needed for <code>natd<\/code><\/p>\n<pre>cat &lt;&lt; EOF &gt;&gt; \/etc\/rc.conf\r\nfirewall_enable=\"YES\"\r\nfirewall_type=\"open\"\r\ngateway_enable=\"YES\"\r\nnatd_enable=\"YES\"\r\nnatd_interface=\"em1\"\r\nnatd_flags=\"-dynamic -m\"\r\nEOF<\/code><\/pre>\n<p>Reboot the server to effect the changes made above.<\/p>\n<pre>reboot<\/code><\/pre>\n<p>Start and set OpenVPN start on boot.<\/p>\n<pre>sysrc openvpn_enable=YES\r\nsysrc openvpn_configfile=\"\/usr\/local\/etc\/openvpn\/server\/server.conf\"<\/code><\/pre>\n<pre>service openvpn start<\/code><\/pre>\n<p>Verify that OpenVPN is running and listening on UDP port 1194.<\/p>\n<pre>sockstat -4 -l | grep 1194\r\nnobody   openvpn    2824  6  udp46  *:1194                *:*<\/code><\/pre>\n<p>Verify that the interface has been created.<\/p>\n<pre>ifconfig\r\n...\r\ntun0: flags=8051&lt;UP,POINTOPOINT,RUNNING,MULTICAST&gt; metric 0 mtu 1500\r\n\toptions=80000&lt;LINKSTATE&gt;\r\n\tinet6 fe80::a00:27ff:fe06:ec18%tun0 prefixlen 64 tentative scopeid 0x4 \r\n\tinet 10.8.0.1 --&gt; 10.8.0.2 netmask 0xffffff00 \r\n\tgroups: tun \r\n\tnd6 options=29&lt;PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL&gt;\r\n\tOpened by PID 2824<\/code><\/pre>\n<h2>Configure the Client<\/h2>\n<p>Copy the CA , TLS\/SSL auth key file and the client key and certificate file to the client.<\/p>\n<pre>\/usr\/local\/etc\/openvpn\/server\/ca.crt\r\n\/usr\/local\/etc\/openvpn\/server\/issued\/client.crt\r\n\/usr\/local\/etc\/openvpn\/server\/private\/client.key\r\n\/usr\/local\/etc\/openvpn\/server\/ta.key<\/code><\/pre>\n<p>Create the client configuration file<\/p>\n<pre>cat &lt;&lt; EOF &gt; client.ovpn\r\nclient\r\ntls-client\r\npull\r\ndev tun\r\nproto udp\r\nremote 192.168.43.12 1194\r\nresolv-retry infinite\r\nnobind\r\ndhcp-option DNS 208.67.222.222\r\nuser nobody\r\ngroup nogroup\r\npersist-key\r\npersist-tun\r\nkey-direction 1\r\ntls-auth ta.key 1\r\ncomp-lzo\r\nverb 3\r\nca ca.crt\r\ncert client.crt\r\nkey client.key\r\nauth SHA512\r\nremote-cert-tls server\r\nEOF<\/code><\/pre>\n<p>To connect to VPN server from a Linux system, run the command below;<\/p>\n<pre>sudo openvpn client.ovpn<\/code><\/pre>\n<p>Magnificent!! That is all it takes to install and configure OpenVPN server FreeBSD 12. Thank you for reading.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to our yet another guide on how install and configure OpenVPN server FreeBSD 12. We learnt how to install and setup OpenVPN Server on<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[280,121,282],"tags":[],"class_list":["post-1843","post","type-post","status-publish","format-standard","hentry","category-freebsd","category-howtos","category-openvpn","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1843"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=1843"}],"version-history":[{"count":3,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1843\/revisions"}],"predecessor-version":[{"id":1846,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1843\/revisions\/1846"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=1843"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=1843"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=1843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}