You are here: Home how to... OpenVPN FreeBSD Server

FreeBSD Server

This setup describes the server part of setting up OpenVPN using routing. Clients connecting to the network will be on their own subnet and can connect to each other as well as the internal network. All the necessary routing will be pushed when connecting. I tried setting up bridging instead but ran into problems on my Kubuntu client.


  • First install OpenVPN
    [root@snoopy ~]#cd /usr/ports/security/openvpn
    [root@snoopy /usr/ports/security/openvpn]#make install
  • Copy the easy-rsa dir over to the /usr/local/etc/openvpn/ dir
    [root@snoopy ~]#cp -fr /usr/local/share/doc/openvpn/easy-rsa/2.0 /usr/local/etc/openvpn
    [root@snoopy ~]#cd /usr/local/etc/openvpn


  • Edit /usr/local/etc/openvpn/vars
    export KEY_SIZE=2048
    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CA"
    export KEY_CITY="SanFrancisco"
    export KEY_ORG="Schmut"
    export KEY_EMAIL=""
  • Now run the initialization stuff
    # source the vars
    [root@snoopy /usr/local/etc/openvpn]#. vars

    # setup key directory
    [root@snoopy /usr/local/etc/openvpn]#./clean-all

    # setup cert authority
    [root@snoopy /usr/local/etc/openvpn]#./build-ca

    # create the server key. Accept the defaults and say Y twice
    [root@snoopy /usr/local/etc/openvpn]#./build-key-server server
    # i want to use tls-auth so this generates the key
    [root@snoopy /usr/local/etc/openvpn]#openvpn --genkey --secret keys/ta.key

    # this took about 45 minutes on my p3-733
    [root@snoopy /usr/local/etc/openvpn]#openssl dhparam -out keys/dh2048.pem 2048

  • To enable openvpn add this to /etc/rc.conf
    openvpn_if="tun" # for routing
  • To enable certificate revocation, i need to make the crl.pem readable by nobody. Since i don't want everybody in the keys directory and revoke-full throws it in there, i add an extra hard link.
  • [root@snoopy /usr/local/etc/openvpn]#ln keys/crl.pem .
  • Here's my server conf file /usr/local/etc/openvpn/openvpn.conf.
    port 1194
    proto udp
    dev tun0
    ca keys/ca.crt
    cert keys/server.crt
    key keys/server.key
    dh keys/dh2048.pem
    ifconfig-pool-persist ipp.txt

    # tell all clients about my home subnet
    push "route"

    crl-verify crl.pem
    client-config-dir ccd
    keepalive 10 120
    tls-auth keys/ta.key 0
    cipher BF-CBC
    max-clients 10
    user nobody
    group nobody
    status openvpn-status.log
    verb 3


    This is the server side part of creating a client for my laptop "perky".

  • Create a client key. Accept the defaults and say Y twice. I do this on the server since the signing authority is here, then securely copy it to the client.
    [root@snoopy /usr/local/etc/openvpn]#./build-key perky
  • Then i added this in /usr/local/etc/openvpn/ccd/perky.
    This tells perky to assume ip address which is a PPP tunnel to In conjunction with the
    push "route"
    from above that's all perky needs to connect to the internal home network.


  • perky does it's own DNS resolution. If this were not the case, it would be good to push the local DNS cache out to the client so that it could resolve names on the internal network. To do this assuming your DNS cache is on, add this to /usr/local/etc/openvpn/ccd/perky as well.
  • push "dhcp-option DNS"



  • To revoke a cert simply call
  • [root@snoopy /usr/local/etc/openvpn]#./revoke-full perky


  • Now we only need to make sure 1194 doesn't get stuck in the firewall so i added this to my ipf rule set.
    # this goes into my incoming rule set
    pass in quick proto udp from any port > 1023 to any port = 1194 keep state group 200


  • In case we use the internal gateway for some crazy routing reasons, ipnat needs to be told about the new subnet as well. So we add this to /etc/ipnat.rules. Be sure the port range doesn't collide with existing entries.
    map ed0 -> 0/32 portmap tcp/udp 30001:40000
    map ed0 -> 0/32
    For those of you scratching their heads now, normally when going to say you wouldn't go there via but rather directly. This means that which is the internal address of my home gateway doesn't need to do address translation for anybody but computers on the internal 192.168.1 subnet. The above rule indeed says that address translation also be done for computers on the VPN subnet of 192.168.10.

    Then i went on to setup the Linux client.

  • Document Actions

    Copyright © 2007-2015 Mario Theodoridis. All rights reserved. Content licensed under AFL.   Impressum   Datenschutz
    Content from the underlying Plone CMS is © 2000-2009 by the Plone Foundation