
FreeBSD Server

This page describes the server part of setting up OpenVPN using routing. Clients connecting to the network will be on their own subnet and can connect to each other as well as to the internal network. All the necessary routes will be pushed when connecting. I tried setting up bridging instead but ran into problems on my Kubuntu client.

Install

  • First install OpenVPN
    [root@snoopy ~]#cd /usr/ports/security/openvpn
    [root@snoopy /usr/ports/security/openvpn]#make install
    
  • Copy the easy-rsa directory over to /usr/local/etc/openvpn/
    [root@snoopy ~]#cp -fr /usr/local/share/doc/openvpn/easy-rsa/2.0 /usr/local/etc/openvpn
    [root@snoopy ~]#cd /usr/local/etc/openvpn
    

Configuration

  • Edit /usr/local/etc/openvpn/vars
    export KEY_SIZE=2048
    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CA"
    export KEY_CITY="SanFrancisco"
    export KEY_ORG="Schmut"
    export KEY_EMAIL="mario@schmut.com"
    
  • Now run the initialization steps
    # source the vars
    [root@snoopy /usr/local/etc/openvpn]#. vars
    
    # setup key directory
    [root@snoopy /usr/local/etc/openvpn]#./clean-all
    
    # setup cert authority
    [root@snoopy /usr/local/etc/openvpn]#./build-ca
    
    # create the server key. Accept the defaults and say Y twice
    [root@snoopy /usr/local/etc/openvpn]#./build-key-server server
    
    # I want to use tls-auth, so this generates the key
    [root@snoopy /usr/local/etc/openvpn]#openvpn --genkey --secret keys/ta.key
    
    # this took about 45 minutes on my p3-733
    [root@snoopy /usr/local/etc/openvpn]#openssl dhparam -out keys/dh2048.pem 2048
    
    
  • To enable OpenVPN, add this to /etc/rc.conf
    openvpn_enable="YES"
    openvpn_if="tun" # for routing
    
  • Here's my server config file, /usr/local/etc/openvpn/openvpn.conf.
    port 1194
    proto udp
    dev tun0
    ca keys/ca.crt
    cert keys/server.crt
    key keys/server.key
    dh keys/dh2048.pem
    server 192.168.10.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    
    # tell all clients about my home subnet
    push "route 192.168.1.0 255.255.255.0"
    
    client-config-dir ccd
    client-to-client
    keepalive 10 120
    tls-auth keys/ta.key 0
    cipher BF-CBC
    comp-lzo
    max-clients 10
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    

Clients

This is the server-side part of creating a client for my laptop "perky".

  • Create a client key. Accept the defaults and say Y twice. I do this on the server since the signing authority is here, then securely copy it to the client.
    [root@snoopy /usr/local/etc/openvpn]#./build-key perky
    
  • Then I added this to /usr/local/etc/openvpn/ccd/perky.
    ifconfig-push 192.168.10.4 192.168.10.1
    
    This tells perky to assume IP address 192.168.10.4 as its end of a point-to-point tunnel to 192.168.10.1. In conjunction with the
    push "route 192.168.1.0 255.255.255.0"
    from above, that's all perky needs to connect to the internal home network.

DNS

  • perky does its own DNS resolution. If this were not the case, it would be good to push the local DNS cache out to the client so that it could resolve names on the internal network. To do this, assuming your DNS cache is at 192.168.1.200, add this to /usr/local/etc/openvpn/ccd/perky as well.
    push "dhcp-option DNS 192.168.1.200"
    

Firewall

  • Now we only need to make sure UDP port 1194 isn't blocked by the firewall, so I added this to my ipf rule set.
    # this goes into my incoming rule set
    pass in quick proto udp from any port > 1023 to any port = 1194 keep state group 200
    

NAT

  • In case we use the internal gateway for some crazy routing reasons, ipnat needs to be told about the new subnet as well, so we add this to /etc/ipnat.rules. Be sure the port range doesn't collide with existing entries.
    map ed0 192.168.10.0/24 -> 0/32 portmap tcp/udp 30001:40000
    map ed0 192.168.10.0/24 -> 0/32
    
    For those of you scratching your heads now: normally, when going to, say, google.com, a client wouldn't go there via 192.168.1.1 but rather directly. This means that 192.168.1.1, which is the internal address of my home gateway, doesn't need to do address translation for anybody but computers on the internal 192.168.1 subnet. The rules above say that address translation should also be done for computers on the VPN subnet 192.168.10.
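
    The server config, the ccd file and the ipnat rules above all have to agree on the VPN subnet, and that is easy to get wrong when one of them is edited later. The following added checker (not part of the original page) parses those three pieces and reports inconsistencies; the file contents are constructed from the snippets on this page, and the second ccd client "badclient" is an assumed wrong entry included to show a detection.

```python
import ipaddress
# Constructed input: the config, ccd and ipnat snippets from this page, plus an assumed bad ccd.
SERVER_CONF = """\
server 192.168.10.0 255.255.255.0
# tell all clients about my home subnet
push "route 192.168.1.0 255.255.255.0"
tls-auth keys/ta.key 0
cipher BF-CBC
"""
CCD = {"perky": "ifconfig-push 192.168.10.4 192.168.10.1\n",
       "badclient": "ifconfig-push 192.168.1.50 192.168.10.1\n"}
IPNAT_RULES = "map ed0 192.168.10.0/24 -> 0/32 portmap tcp/udp 30001:40000\n"
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC"}  # 64-bit block size

def parse_directives(text):
    """Yield (directive, args) pairs; comments, blank lines and quotes are stripped."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].replace('"', "").split()
        if fields:
            yield fields[0], fields[1:]

def check_config(server_conf, ccd_files, ipnat_rules=""):
    """Return a list of findings; an empty list means all the pieces agree."""
    findings, server_net, routes, has_tls_auth = [], None, [], False
    for name, args in parse_directives(server_conf):
        if name == "server":
            server_net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        elif name == "push" and args[:1] == ["route"]:
            routes.append(ipaddress.ip_network(f"{args[1]}/{args[2]}", strict=False))
        elif name == "tls-auth":
            has_tls_auth = True
        elif name == "cipher" and args[0].upper() in WEAK_CIPHERS:
            findings.append(f"cipher {args[0]} has a 64-bit block; prefer AES-256-GCM")
    if server_net is None:
        return findings + ["no 'server' directive found"]
    if not has_tls_auth:
        findings.append("tls-auth not configured")
    for route in routes:  # a pushed route must not swallow the VPN pool itself
        if route.overlaps(server_net):
            findings.append(f"pushed route {route} overlaps VPN pool {server_net}")
    for client, text in ccd_files.items():  # fixed client addresses must lie in the pool
        for name, args in parse_directives(text):
            for addr in (args[:2] if name == "ifconfig-push" else []):
                if ipaddress.ip_address(addr) not in server_net:
                    findings.append(f"{client}: ifconfig-push {addr} is outside {server_net}")
    for name, args in parse_directives(ipnat_rules):  # NAT must cover the same pool
        if name == "map" and ipaddress.ip_network(args[1], strict=False) != server_net:
            findings.append(f"ipnat maps {args[1]} but VPN pool is {server_net}")
    return findings
```

    Run against the page's own settings it reports only the cipher (Blowfish's 64-bit block) and the deliberately wrong "badclient" address.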

Then I went on to set up the Linux client.



  • Copyright © 2007 Mario Theodoridis. All rights reserved. Content licensed under AFL.