=======================================
freebsd openvpn server
---------------------------------------
by o1
FreeBSD condo 13.1-RELEASE-p7 FreeBSD 13.1-RELEASE-p7 GENERIC amd64
=======================================
network
---------------------------------------
lan igb0: 192.168.30.38/24
public igb1: 99.99.99.99/32
openvpn: 10.11.12.0/24
=======================================
add static routes on other LAN machines (optional: only hosts that must reach VPN clients by their 10.11.12.x address need this; the VPN server itself forwards because of gateway_enable below)
---------------------------------------
# freebsd /etc/rc.conf
# One named static route, "openvpn": send the VPN client pool to the OpenVPN host.
# rc(8) installs every route listed in static_routes from its route_<name> line.
route_openvpn="-net 10.11.12.0/24 192.168.30.38"
static_routes="openvpn"
---------------------------------------
# linux /etc/network/interfaces
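# Route the VPN client pool via the OpenVPN host. iproute2 form: net-tools
# `route` is often not installed on current distros. Adjust enp0s3 to the LAN interface.
up ip route add 10.11.12.0/24 via 192.168.30.38 dev enp0s3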
---------------------------------------
# windows
REM Persistent (-p) route to the VPN client pool via the OpenVPN host; run from an elevated prompt.
route -p add 10.11.12.0 mask 255.255.255.0 192.168.30.38
=======================================
install OpenVPN
---------------------------------------
# Install by port origin (same package as `pkg install openvpn`). easy-rsa, used
# below, comes with it as a dependency; if /usr/local/share/easy-rsa is missing
# afterwards, `pkg install easy-rsa`.
pkg install security/openvpn
=======================================
/etc/rc.conf
---------------------------------------
# Forward IPv4 between the tun and LAN interfaces (net.inet.ip.forwarding=1);
# without it VPN clients can only talk to this host.
gateway_enable="YES"

# OpenVPN service: load if_tun, start from openvpn_dir so the relative file
# names in server.conf (ca.crt, server.key, ta.key, ...) resolve there.
openvpn_enable="YES"
openvpn_if="tun"
openvpn_dir="/usr/local/etc/openvpn/"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
=======================================
set up the easy-rsa PKI for the OpenVPN server
---------------------------------------
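pki_root=/usr/local/etc/openvpn/easy-rsa

# Working copy of the easy-rsa tree; the PKI (CA key included) is created inside it.
mkdir -p "$pki_root"
cp -R /usr/local/share/easy-rsa/* "$pki_root"/
# The CA private key will live under here: root-only for the whole tree.
chmod 700 "$pki_root"
# Abort rather than run easyrsa in whatever directory we happen to be in.
cd "$pki_root" || exit 1
easyrsa init-pki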
=======================================
/usr/local/etc/openvpn/easy-rsa/pki/vars
---------------------------------------
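# easy-rsa defaults for every request made from this PKI (sourced by easyrsa).
set_var EASYRSA_REQ_COUNTRY "CA"
set_var EASYRSA_REQ_PROVINCE "ON"
set_var EASYRSA_REQ_CITY "Pickering"
set_var EASYRSA_REQ_ORG "acme"
set_var EASYRSA_REQ_EMAIL "you@example.com"
set_var EASYRSA_REQ_OU "Imagination"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_DIGEST "sha512"
# Long CA life: changing the CA later means re-issuing every certificate.
set_var EASYRSA_CA_EXPIRE 36500
# End-entity (server/client) certs: 10 years rather than 100, so a lost
# client key at least ages out. Revocation (easyrsa revoke + gen-crl) remains
# the real control; nothing here enforces rotation.
set_var EASYRSA_CERT_EXPIRE 3650
# The CRL carries its own expiry (easy-rsa's default is 180 days). With
# crl-verify on the server, a lapsed CRL makes every client fail verification
# ("CRL has expired"), so make it long and re-run `easyrsa gen-crl` after
# every revoke and before this runs out.
set_var EASYRSA_CRL_DAYS 3650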
=======================================
/usr/local/etc/openvpn/server.conf
---------------------------------------
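# OpenVPN server: routed (tun) access for certificate-authenticated clients.
port 1194
proto udp4
dev tun
topology subnet

# Drop root after startup. persist-key/persist-tun keep restarts (SIGUSR1,
# ping-restart) working even though nobody can neither re-read the key files
# nor reopen the tun device.
user nobody
group nobody
persist-key
persist-tun

# PKI material, relative to the directory the rc script starts OpenVPN in.
ca ca.crt
cert server.crt
key server.key    # private: root-only (0600), read once before privileges are dropped
dh dh.pem
# Revocation list from `easyrsa gen-crl`. Without this line `easyrsa revoke`
# has no effect on the server. OpenVPN re-reads the file on new connections
# after dropping privileges, so crl.pem must stay readable by nobody (0644 is
# fine, it is public data) and must be regenerated before its own expiry.
crl-verify crl.pem
# Only accept certificates issued as client certificates (clientAuth EKU /
# nsCertType client, which easy-rsa build-client-full sets).
remote-cert-tls client

# Control channel: encrypted and authenticated with the shared ta.key; packets
# without it are dropped before any TLS work is done.
tls-crypt ta.key    # private: root-only (0600)
tls-version-min 1.2
# Data channel: AEAD only. No CBC fallback: every client profile on this page
# negotiates data-ciphers, so a non-negotiating peer is a misconfiguration,
# not something to downgrade for.
data-ciphers AES-256-GCM:AES-128-GCM

# Addressing: client pool, stable per-client addresses, route to the LAN.
server 10.11.12.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.30.0 255.255.255.0"

keepalive 10 120
explicit-exit-notify 1
status openvpn-status.log
verb 3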
=======================================
/usr/local/etc/openvpn/client.conf
---------------------------------------
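# OpenVPN client profile. The PKI material (<tls-crypt>, <ca>, <cert>, <key>)
# is appended inline when the per-user .ovpn file is assembled.
client
dev tun
proto udp4
remote 99.99.99.99 1194
resolv-retry infinite
nobind
persist-key
persist-tun

# Accept only a server whose certificate carries the server EKU and whose
# CN is "server" (the name given to `easyrsa build-server-full`). A leaked
# client certificate from the same CA then cannot impersonate the server.
remote-cert-tls server
verify-x509-name server name
tls-version-min 1.2

# Data channel: AEAD only, no CBC fallback; matches the server's list.
data-ciphers AES-256-GCM:AES-128-GCM
# No key-direction: tls-crypt keys are not directional (that option belongs
# to tls-auth).

# Don't keep the key passphrase in memory after it has been used.
auth-nocache
mute-replay-warnings
verb 3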
=======================================
create certs
---------------------------------------
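cd /usr/local/etc/openvpn/easy-rsa || exit 1

# CA: the root of trust for the server and every client. No `nopass`: the CA
# key only has to be unlocked when signing, so keep it encrypted at rest.
easyrsa build-ca
# Server certificate, CN "server". nopass: the daemon must start unattended.
easyrsa build-server-full server nopass
# DH parameters for the TLS handshake (slow to generate; a one-off).
easyrsa gen-dh
# Initial (empty) revocation list; re-run gen-crl after every `easyrsa revoke`.
easyrsa gen-crl
# tls-crypt key shared by the server and all clients; treat like a private key.
openvpn --genkey secret pki/ta.key
chmod 600 pki/ta.key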
=======================================
copy these files into place before starting the server
---------------------------------------
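ovpn=/usr/local/etc/openvpn
pki=$ovpn/easy-rsa/pki

# Public material: world-readable is fine. crl.pem is only consulted if
# server.conf has `crl-verify crl.pem`, in which case it must stay readable
# after OpenVPN drops to nobody (it is re-read on new connections).
install -o root -g wheel -m 0644 "$pki/ca.crt" "$pki/dh.pem" "$pki/issued/server.crt" "$pki/crl.pem" "$ovpn"/
# Secrets: root-only. OpenVPN reads them before dropping privileges.
install -o root -g wheel -m 0600 "$pki/ta.key" "$pki/private/server.key" "$ovpn"/
# ca.key is deliberately not copied: server.conf never references it, and the
# CA private key should not sit in the exposed daemon's config directory.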
=======================================
start openvpn server
---------------------------------------
# Starts /usr/local/etc/rc.d/openvpn with the rc.conf settings above. The
# daemon normally logs via syslog, so check /var/log/messages if it does not come up.
service openvpn start
=======================================
create OpenVPN client certificates for each user
---------------------------------------
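cd /usr/local/etc/openvpn/easy-rsa || exit 1
# One certificate per person (CN = username). No `nopass` on purpose: the
# client key travels inside the .ovpn profile, so its passphrase is the only
# protection if the profile leaks. Also prompts for the CA passphrase if the
# CA key has one.
# To revoke later: easyrsa revoke john && easyrsa gen-crl, then re-copy pki/crl.pem.
easyrsa build-client-full john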
=======================================
assemble the per-user .ovpn profile (client.conf plus inline key/certs) to import into OpenVPN Connect
---------------------------------------
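client=john
ovpn=/usr/local/etc/openvpn
pki=$ovpn/easy-rsa/pki
profile=$ovpn/acme_$client.ovpn

# The profile embeds the user's private key: create it 0600 (umask), hand it
# over on a secure channel, then delete this server-side copy.
umask 077
{
  cat "$ovpn/client.conf"
  # Inline material must be wrapped in <tag>...</tag>; bare PEM lines are
  # parsed as options and make OpenVPN reject the profile.
  printf '\n<tls-crypt>\n'; cat "$pki/ta.key";              printf '</tls-crypt>\n'
  printf '\n<ca>\n';        cat "$pki/ca.crt";              printf '</ca>\n'
  # easy-rsa prefixes issued certs with a text dump; keep only the PEM block.
  printf '\n<cert>\n';      sed -n '/^-----BEGIN/,/^-----END/p' "$pki/issued/$client.crt"; printf '</cert>\n'
  printf '\n<key>\n';       cat "$pki/private/$client.key"; printf '</key>\n'
} > "$profile"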
=======================================
start the openvpn client on the remote machine (or import the profile into OpenVPN Connect)
---------------------------------------
# Same as `openvpn acme_john.ovpn`: a lone argument is taken as --config.
# Needs privileges to create the tun interface; prompts for the client key passphrase.
openvpn --config acme_john.ovpn
=======================================
:0)
=======================================