=======================================
freebsd openvpn server
---------------------------------------
by o1

FreeBSD condo 13.1-RELEASE-p7 FreeBSD 13.1-RELEASE-p7 GENERIC amd64

=======================================
network
---------------------------------------
lan     igb0: 192.168.30.38/24
public  igb1: 99.99.99.99/32
openvpn:      10.11.12.0/24

=======================================
add static routes to other lan machines (optional)
---------------------------------------
# freebsd /etc/rc.conf
static_routes="openvpn"
route_openvpn="-net 10.11.12.0/24 192.168.30.38"
---------------------------------------
# linux /etc/network/interfaces
up route add -net 10.11.12.0/24 gw 192.168.30.38 dev enp0s3
---------------------------------------
# windows
route -p ADD 10.11.12.0 MASK 255.255.255.0 192.168.30.38

=======================================
install OpenVPN
---------------------------------------
pkg install openvpn

=======================================
/etc/rc.conf
---------------------------------------
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
openvpn_dir="/usr/local/etc/openvpn/"
gateway_enable="YES"

=======================================
setup OpenVPN server
---------------------------------------
mkdir -p /usr/local/etc/openvpn/easy-rsa
cp -r /usr/local/share/easy-rsa/* /usr/local/etc/openvpn/easy-rsa/
cd /usr/local/etc/openvpn/easy-rsa
easyrsa init-pki

=======================================
/usr/local/etc/openvpn/easy-rsa/pki/vars
---------------------------------------
set_var EASYRSA_REQ_COUNTRY  "CA"
set_var EASYRSA_REQ_PROVINCE "ON"
set_var EASYRSA_REQ_CITY     "Pickering"
set_var EASYRSA_REQ_ORG      "acme"
set_var EASYRSA_REQ_EMAIL    "you@example.com"
set_var EASYRSA_REQ_OU       "Imagination"
set_var EASYRSA_KEY_SIZE     2048
set_var EASYRSA_CA_EXPIRE    36500
set_var EASYRSA_CERT_EXPIRE  36500
set_var EASYRSA_DIGEST       "sha512"

=======================================
/usr/local/etc/openvpn/server.conf
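# ---------------------------------------
# /usr/local/etc/openvpn/server.conf
# Written as a here-doc so the whole section is runnable as a script.
cat > /usr/local/etc/openvpn/server.conf <<'EOF'
port 1194
proto udp4
dev tun
topology subnet
user nobody
group nobody
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
# Reject clients whose certificate has been revoked (easyrsa revoke / gen-crl).
# Without this directive the crl.pem generated below is never consulted.
# The file must stay readable by the unprivileged "nobody" user, since it is
# re-read on every client connection after privileges have been dropped.
crl-verify crl.pem
server 10.11.12.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.30.0 255.255.255.0"
keepalive 10 120
tls-crypt ta.key  # This file is secret
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
EOF

# =======================================
# /usr/local/etc/openvpn/client.conf
# ---------------------------------------
# "key-direction 1" was dropped: it only applies to tls-auth, and the server
# above uses tls-crypt, which has no key direction.
cat > /usr/local/etc/openvpn/client.conf <<'EOF'
client
dev tun
proto udp4
remote 99.99.99.99 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
mute-replay-warnings
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-CBC
verb 3
auth-nocache
EOF

# =======================================
# create certs
# ---------------------------------------
cd /usr/local/etc/openvpn/easy-rsa || exit 1
# ca cert -- "nopass" leaves ca.key unencrypted on disk; it is only ever
# needed here, in easy-rsa/pki/private, to sign server and client certs.
easyrsa build-ca nopass
# server cert
easyrsa build-server-full server nopass
# dh.pem
easyrsa gen-dh
# crl.pem (referenced by crl-verify in server.conf)
easyrsa gen-crl
# ta.key
openvpn --genkey secret /usr/local/etc/openvpn/easy-rsa/pki/ta.key

# =======================================
# copy these files to start server
# ---------------------------------------
pki=/usr/local/etc/openvpn/easy-rsa/pki
cp "$pki/ca.crt" "$pki/dh.pem" "$pki/ta.key" "$pki/crl.pem" \
  "$pki/issued/server.crt" "$pki/private/server.key" \
  /usr/local/etc/openvpn/
# ca.key is intentionally NOT copied: server.conf never reads it, and placing
# the CA private key in the server's config directory only widens its exposure.
# Only the server's own private key and the tls-crypt key are secret here.
chmod 600 /usr/local/etc/openvpn/server.key /usr/local/etc/openvpn/ta.key

# =======================================
# start openvpn server
# ---------------------------------------
service openvpn start

# =======================================
# create OpenVPN client certificates for each user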
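# ---------------------------------------
# Client name: used for the easy-rsa cert and for the output file name.
# Change it (or set it from $1) to issue a profile for another user.
name=${1:-john}
pki=/usr/local/etc/openvpn/easy-rsa/pki

cd /usr/local/etc/openvpn/easy-rsa || exit 1
easyrsa build-client-full "$name"

# =======================================
# assemble client.ovpn file to import into OpenVPN Client Connect
# ---------------------------------------
# Each PEM file must be wrapped in its inline tag (<tls-crypt>, <ca>, <cert>,
# <key>); pasted raw, OpenVPN tries to parse the "-----BEGIN ..." lines as
# options and rejects the profile.
out="/usr/local/etc/openvpn/acme_${name}.ovpn"
{
  cat /usr/local/etc/openvpn/client.conf
  printf '\n<tls-crypt>\n'
  cat "$pki/ta.key"
  printf '</tls-crypt>\n\n<ca>\n'
  cat "$pki/ca.crt"
  printf '</ca>\n\n<cert>\n'
  cat "$pki/issued/${name}.crt"
  printf '</cert>\n\n<key>\n'
  cat "$pki/private/${name}.key"
  printf '</key>\n'
} > "$out"
# The profile holds the client's private key and the shared tls-crypt key.
chmod 600 "$out"

# =======================================
# start openvpn client on remote machine or start OpenVPN Client Connect
# ---------------------------------------
openvpn acme_john.ovpn

# =======================================
# :0)
# =======================================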