
How do you setup OpenVPN with FreeBSD + PF and Windows?

January 16, 2010, in windows vps hosting

I need to set up an OpenVPN server to provide access to my Linux VPS hosting cluster, giving Windows clients access to the internal network. Does anyone know how to do this?

OpenVPN with FreeBSD, PF and Windows

This howto is a quick and dirty guide to building OpenVPN on a FreeBSD box (running pf as the firewall) and then connecting a Windows XP client to it.

Server Install

Install the port

cd /usr/ports/security/openvpn
make install

Start setting stuff up

First edit your /etc/rc.conf and add the following line:-

openvpn_enable="YES"

Now create the config files, which we will place in /usr/local/etc/openvpn:-

cd /usr/local/etc/
mkdir openvpn
cd openvpn

vim openvpn.conf

Place this into your config file:-

# Specify device
dev tun

# Server and client IP and Pool
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Certificates for VPN Authentication
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem

# Routes to push to the client
push "route 192.168.0.0 255.255.255.0"

# Use compression on the VPN link
comp-lzo

# Make the link more resistant to connection failures

keepalive 10 60
ping-timer-rem
persist-tun
persist-key

# Run OpenVPN as a daemon and drop privileges to user/group nobody
user nobody
group nobody
daemon

Creating Certificates

cp -r /usr/local/share/doc/openvpn/easy-rsa /home/myuser/
cd /home/myuser/easy-rsa

Now edit the "vars" file to set your specific details, source it to set the environment variables you have just defined, and build the Certificate Authority certificates:-

NOTE: Very Important Step for FreeBSD/TCSH users

FreeBSD ships with tcsh as its default shell, and at the time of writing the easy-rsa scripts below do not work under it. To get around this you must drop down to a Bourne shell. To do this just type the following at a prompt:-

sh

Now you can carry on with building the certificates; once you have built them you can exit back out to tcsh.

. vars
./clean-all
./build-ca

You will have to answer a few questions on the last step; once this has been done your CA certificate and key will be created in the keys subdirectory.

Generate certificate & key for server:-

./build-key-server server

Again answer the questions and the certs will be placed in the keys subdirectory.

Generate certificates & keys for 3 clients (each client requires its own certificate; if multiple clients log in with the same certificate they will be assigned the same IP and will kick each other off the network):-

Generating client certificates is very similar to the previous step. You need to ensure that all your details are the same as for the CA, apart from the common name, which needs to be different for each client. For the sake of clarity this should relate to the person who is assigned this VPN certificate. All of these details can be found in keys/server.crt for the server and keys/client*.crt for the clients.

./build-key client1
./build-key client2
./build-key client3

Generate Diffie-Hellman parameters

Diffie-Hellman parameters must be generated for the OpenVPN server:-

./build-dh

Now copy the whole keys directory to /usr/local/etc/openvpn:-

cp -r keys /usr/local/etc/openvpn/

Logging

Before starting OpenVPN I also moved the logging (which defaults to /var/log/messages). Edit syslog.conf:-

vim /etc/syslog.conf

Add the following entry:-

!openvpn
*.* /var/log/openvpn.log

Create log file:-

touch /var/log/openvpn.log

Restart syslogd:-

killall -HUP syslogd

Now start OpenVPN:-

/usr/local/etc/rc.d/openvpn.sh start

Check /var/log/openvpn.log for errors, then check that the device has been created. Mine looks like this:-

[achilles] ~# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet6 fe80::2d0:b7ff:fe49:b2bb%tun0 prefixlen 64 scopeid 0x5
inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
Opened by PID 43878

Firewall Configuration

Now we need to alter PF to handle the VPN; below are the relevant sections of my /etc/pf.conf file (the $ext_if macro for the external interface is defined elsewhere in the file):-

# VPN Interface
vpn_if="tun0"

# VPN Network
vpn_network="10.8.0.0/24"

# NAT the VPN connections (for access to the remote secure networks)
nat on $ext_if from $vpn_network to any -> ($ext_if)

# VPN connections inbound
pass in on $ext_if proto udp from any to port 1194 keep state
pass quick on $vpn_if

Now restart PF and your server will be ready for connections.

Client setup

First download and install the GUI version of the client, which can be found here:-

http://www.openvpn.se

Once this is installed you will need to copy the following files from your server's /usr/local/etc/openvpn/keys directory to the Windows PC's C:\Program Files\Openvpn\config directory (this should be done in as secure a manner as possible, e.g. a USB stick or floppy rather than email!!!):-

ca.crt
client1.crt
client1.key

NOTE: For the next client you will need to copy the client2.crt and client2.key files to prevent issues later.
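The howto stops before the client-side config file that sits next to those three files. Here is a matching client1.ovpn, added as an example rather than taken from the original post; the server hostname vpn.example.com is a placeholder for your FreeBSD box, and the paths assume the files were copied into the OpenVPN config directory as described above.

```conf
# client1.ovpn - added example, not part of the original howto.
# Matches the server config above: tun device, UDP port 1194, LZO compression.
client
dev tun
proto udp

# Placeholder: replace with the public hostname or IP of the FreeBSD box.
remote vpn.example.com 1194

# Keep retrying the name lookup/connection instead of giving up, and do not
# bind a fixed local port.
resolv-retry infinite
nobind

# Same as the server side: survive restarts without re-reading keys or
# re-creating the tun device.
persist-key
persist-tun

# The three files copied into C:\Program Files\Openvpn\config, relative to
# that directory. Use client2.crt / client2.key for the second client, etc.
ca ca.crt
cert client1.crt
key client1.key

# Only accept a server certificate built with build-key-server (which marks
# it nsCertType=server). Without this, any client certificate signed by the
# same CA would be accepted as the server.
ns-cert-type server

# Must match the server: compression is set on both ends of the link.
comp-lzo

verb 3
```

Save it with a .ovpn extension so the OpenVPN GUI lists it; the client gets its 10.8.0.x address and the pushed 192.168.0.0/24 route from the server.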
