=======================================
freebsd openvpn server
---------------------------------------
FreeBSD condo 13.1-RELEASE-p7 FreeBSD 13.1-RELEASE-p7 GENERIC amd64
OpenVPN uses certificates that expire at regular intervals and therefore
requires new certificates to be generated periodically. Deployment and user
management can be cumbersome.
WireGuard does not use certificates in this way. It uses public/private
keypairs for authentication, similar to ssh, and nothing expires. Deployment
and user management are extremely easy and simple.
=======================================
network
---------------------------------------
lan igb0: 192.168.30.38/24
public igb1: 99.99.99.99/32
openvpn: 10.11.12.0/24
=======================================
add static routes to other lan machines (optional)
---------------------------------------
# freebsd /etc/rc.conf
# Route the VPN subnet through the OpenVPN host's LAN address (igb0 in the
# network section). The prefix must agree with the 'server' line in
# server.conf, otherwise this route never carries VPN traffic.
static_routes="openvpn"
route_openvpn="-net 10.11.12.0/24 192.168.30.38"
---------------------------------------
# linux /etc/network/interfaces
# Same route for a Debian-style host; enp0s3 stands for that host's own LAN
# interface (adjust), 192.168.30.38 is the OpenVPN host's LAN address.
up route add -net 10.11.12.0/24 gw 192.168.30.38 dev enp0s3
---------------------------------------
# windows
rem Persistent (-p) route to the VPN subnet via the OpenVPN host's LAN address.
rem Needs an elevated (Administrator) prompt.
route -p ADD 10.11.12.0 MASK 255.255.255.0 192.168.30.38
=======================================
install OpenVPN
---------------------------------------
# OpenVPN package. The easy-rsa tree at /usr/local/share/easy-rsa used below is
# expected to arrive with it (the port's EASYRSA option) - TODO confirm; if it
# is missing, 'pkg install easy-rsa'.
pkg install openvpn
=======================================
/etc/rc.conf
---------------------------------------
# OpenVPN service settings read by the port's rc.d script
openvpn_enable="YES"
# driver to load for the VPN interface (matches 'dev tun' in server.conf)
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
# working directory of the daemon; the relative filenames in server.conf
# (ca.crt, server.key, ta.key, crl.pem, ...) are resolved here
openvpn_dir="/usr/local/etc/openvpn/"
# IPv4 forwarding, required because clients reach the 192.168.30.0/24 LAN
# through this host (the pushed route in server.conf)
gateway_enable="YES"
=======================================
setup OpenVPN server
---------------------------------------
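# Stage a private copy of easy-rsa under the OpenVPN config dir and create an
# empty PKI in it. /usr/local/share/easy-rsa is the package's pristine copy;
# working in a copy keeps the PKI (and later the private keys in pki/private)
# out of the package-managed tree.
mkdir -p /usr/local/etc/openvpn/easy-rsa || exit 1
cp -r /usr/local/share/easy-rsa/* /usr/local/etc/openvpn/easy-rsa/ || exit 1
# An unchecked cd would let init-pki build the PKI in whatever the current
# directory happens to be.
cd /usr/local/etc/openvpn/easy-rsa || exit 1
# Run once: re-running init-pki on an existing PKI offers to remove it, which
# would destroy the CA and every issued key.
easyrsa init-pki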
=======================================
/usr/local/etc/openvpn/easy-rsa/pki/vars
---------------------------------------
# easy-rsa defaults, sourced by the easyrsa script. easy-rsa 3.1+ reads
# pki/vars; older 3.0.x looks for ./vars next to the easyrsa script
# - TODO confirm against the installed version.
set_var EASYRSA_REQ_COUNTRY "CA"
set_var EASYRSA_REQ_PROVINCE "ON"
set_var EASYRSA_REQ_CITY "Pickering"
set_var EASYRSA_REQ_ORG "acme"
set_var EASYRSA_REQ_EMAIL "you@example.com"
set_var EASYRSA_REQ_OU "Imagination"
set_var EASYRSA_KEY_SIZE 2048
# 36500 days is roughly 100 years: chosen deliberately (see the intro) so that
# nothing expires. The flip side is that expiry never retires a lost or
# compromised client key - revocation ('easyrsa revoke', 'easyrsa gen-crl',
# recopy crl.pem to the server) is the only way to shut a client out.
set_var EASYRSA_CA_EXPIRE 36500
set_var EASYRSA_CERT_EXPIRE 36500
set_var EASYRSA_DIGEST "sha512"
=======================================
/usr/local/etc/openvpn/server.conf
---------------------------------------
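# OpenVPN server (FreeBSD). Relative filenames resolve inside openvpn_dir
# (/usr/local/etc/openvpn, set in /etc/rc.conf).
port 1194
proto udp4
dev tun
topology subnet
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
# VPN subnet. Changed from 10.10.0.0 to 10.11.12.0 so it agrees with the
# network section and the static routes above, which all use 10.11.12.0/24;
# with 10.10.0.0 those routes would never carry VPN traffic.
server 10.11.12.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# clients get a route to the LAN behind this host (needs gateway_enable="YES")
push "route 192.168.30.0 255.255.255.0"
# per-client overrides live in openvpn_dir/ccd/<common name>; the directory is
# not created anywhere in these notes
client-config-dir ccd
# lets VPN clients reach each other through the server; remove it if clients
# should be isolated from one another
client-to-client
keepalive 10 120
# tls-crypt encrypts and authenticates the control channel; every client
# profile must carry the same ta.key in a <tls-crypt> block
tls-crypt ta.key # This file is secret
# fixed legacy cipher; must be identical in client.conf. OpenVPN 2.4+ can
# negotiate AES-GCM instead (data-ciphers / ncp) - TODO confirm the installed
# version before changing, and change client.conf in step.
cipher AES-256-CBC
# keep key material and the tun device across restarts. No 'user'/'group'
# directive is set, so the daemon keeps root for its whole lifetime; with
# persist-key/persist-tun already here, 'user nobody' / 'group nobody' would
# drop privileges after startup (crl.pem is re-read per connection and must
# then stay readable by that user).
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
# revoked client certs are rejected; crl.pem comes from 'easyrsa gen-crl' and
# must be copied here (and recopied after every revocation)
crl-verify crl.pem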
=======================================
/usr/local/etc/openvpn/client.conf
---------------------------------------
# OpenVPN client template; the assembled .ovpn appends the tls-crypt key, CA
# cert, client cert and client key after these lines. OpenVPN reads such
# material only inside <tls-crypt>, <ca>, <cert> and <key> blocks.
client
dev tun
proto udp4
# public address of the server (igb1 in the network section)
remote 99.99.99.99 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# require the server's cert to carry the server key usage set by
# 'easyrsa build-server-full'; stops a client cert being used to pose as the server
remote-cert-tls server
mute-replay-warnings
# must match 'cipher' in server.conf
cipher AES-256-CBC
verb 3
# do not keep the key passphrase / credentials cached in memory
auth-nocache
# key-direction belongs to tls-auth; the server uses tls-crypt, which has no
# direction, so this line is expected to be inert here - TODO confirm
key-direction 1
=======================================
create certs
---------------------------------------
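# Build the PKI: CA, server cert, DH parameters, an initial (empty) CRL and
# the tls-crypt key. Subject defaults come from pki/vars above.
cd /usr/local/etc/openvpn/easy-rsa || exit 1
# ca cert - 'nopass' stores the CA private key (pki/private/ca.key)
# unencrypted. That key signs every client cert and the CRL, so drop 'nopass'
# to protect it with a passphrase unless unattended signing is required.
easyrsa build-ca nopass || exit 1
# server cert - unencrypted so the service can start without a prompt
easyrsa build-server-full server nopass || exit 1
# dh.pem
easyrsa gen-dh || exit 1
# crl.pem - initially lists nothing; regenerate (and recopy to the server)
# after every 'easyrsa revoke'
easyrsa gen-crl || exit 1
# ta.key - tls-crypt key shared by the server and every client profile
# ('--genkey secret FILE' is the OpenVPN 2.5+ spelling - TODO confirm version)
openvpn --genkey secret /usr/local/etc/openvpn/easy-rsa/pki/ta.key || exit 1
# the key is a shared secret: owner-only from the start
chmod 600 /usr/local/etc/openvpn/easy-rsa/pki/ta.key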
=======================================
copy these files into the OpenVPN directory before starting the server
---------------------------------------
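# Copy only what server.conf references into the directory the service reads
# (openvpn_dir in /etc/rc.conf). The CA private key (pki/private/ca.key) is
# deliberately NOT copied: server.conf never reads it, easyrsa finds it under
# pki/ when signing, and a second copy in the service directory only widens
# the exposure of the signing key.
src=/usr/local/etc/openvpn/easy-rsa/pki
dst=/usr/local/etc/openvpn
# public material
cp "$src/ca.crt" "$src/dh.pem" "$src/issued/server.crt" "$dst/" || exit 1
# crl.pem is required by 'crl-verify crl.pem' in server.conf; without it the
# server either refuses to start or fails every client's certificate check
# (depends on the OpenVPN version). Recopy after each 'easyrsa gen-crl'.
cp "$src/crl.pem" "$dst/" || exit 1
# secrets: created owner-only rather than inheriting pki/ permissions
install -m 0600 "$src/ta.key" "$dst/ta.key" || exit 1
install -m 0600 "$src/private/server.key" "$dst/server.key" || exit 1
# 'client-config-dir ccd' in server.conf; create it so per-client files have
# somewhere to go
mkdir -p "$dst/ccd"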
=======================================
start openvpn server
---------------------------------------
# needs openvpn_enable="YES" in /etc/rc.conf (set above); 'service openvpn
# onestart' runs it once without that. Connected clients are listed in
# openvpn-status.log under /usr/local/etc/openvpn (the 'status' line in
# server.conf).
service openvpn start
=======================================
create OpenVPN client certificates for each user
---------------------------------------
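# Issue one client certificate per user. The common name (john unless given
# as the first argument) becomes pki/issued/<name>.crt and
# pki/private/<name>.key, which the .ovpn assembly below picks up. There is
# no 'nopass' here on purpose: easyrsa prompts for a passphrase that encrypts
# the client's private key, so a copied .ovpn alone is not enough to connect.
name=${1:-john}
cd /usr/local/etc/openvpn/easy-rsa || exit 1
easyrsa build-client-full "$name"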
=======================================
assemble client.ovpn file to import into OpenVPN Client Connect
---------------------------------------
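# Assemble a single-file client profile: client.conf followed by the four
# files OpenVPN expects inline. Each one MUST be wrapped in its
# <tls-crypt>/<ca>/<cert>/<key> tag - bare PEM appended to a config is read
# by OpenVPN as unrecognised options and the profile is rejected. The result
# contains the user's private key and the shared tls-crypt key, so it is
# created owner-readable only.
name=${1:-john}
org=acme
pki=/usr/local/etc/openvpn/easy-rsa/pki
out=/usr/local/etc/openvpn/${org}_${name}.ovpn

# $1 = tag name, $2 = file; prints <tag>, the file, </tag>
inline_block() {
  printf '<%s>\n' "$1"
  cat -- "$2" || return 1
  printf '</%s>\n' "$1"
}

umask 077
{
  cat -- /usr/local/etc/openvpn/client.conf || exit 1
  printf '\n'
  inline_block tls-crypt "$pki/ta.key" || exit 1
  printf '\n'
  inline_block ca "$pki/ca.crt" || exit 1
  printf '\n'
  inline_block cert "$pki/issued/$name.crt" || exit 1
  printf '\n'
  inline_block key "$pki/private/$name.key" || exit 1
} > "$out"
chmod 600 "$out"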
=======================================
start openvpn client on remote machine or start OpenVPN Client Connect
---------------------------------------
# run with root privileges (the tun device must be created). The .ovpn holds
# the user's private key and the shared tls-crypt key: hand it over on a secure
# channel, keep it mode 0600, and delete the loose copy once a GUI client has
# imported it.
openvpn acme_john.ovpn
=======================================
:0)
=======================================