
FreeBSD: openvpn 2.3.4 server on FreeBSD 10

by Kliment Andreev

In this post I’ll describe how to install openvpn running as a server on FreeBSD 10 and then how to use a Windows 7 client to connect to it. The FreeBSD in my case runs in the cloud (public IP) and the Windows 7 runs at home.

First, let’s install openvpn.

cd /usr/ports/security/openvpn
make all install clean

Accept the defaults for openvpn and for the lzo compression library.

Once completed, edit /etc/rc.conf and add

openvpn_enable="YES"

The rc script lives here:

cd /usr/local/etc/rc.d
./openvpn

This is the script you use to start and stop openvpn.

Before we can start openvpn, we need the configuration file.

cd /usr/local/etc
mkdir openvpn
cd /usr/local/share/examples/openvpn/sample-config-files/
cp server.conf /usr/local/etc/openvpn/openvpn.conf

Edit this file if you want to change something, in my case I didn’t have to change anything.

openvpn relies on certificates, so we can generate them like this.

cd /usr/local/share/easy-rsa/
sh
. ./vars
./clean-all
./build-ca

See the example below for my settings, it’s pretty much self-explanatory. If you want a blank value, use “.” (dot).

That was the certificate authority, now we need a server certificate.

./build-key-server server

Same thing, see the example below. At the end, sign the certificate by typing “y”.

Now, let’s create a certificate for one client. In my case, the hostname is liquid. The name of the client host doesn’t matter, it’s more like a unique description, but make sure that the common name is unique. Otherwise, you’ll receive an error saying "failed to update database, TXT_DB error number 2". Sign the certificate as well.

./build-key liquid

Finally, build the Diffie-Hellman parameters (dh1024.pem).

./build-dh

Now that the certificates are generated, go to that folder and copy the certificates and keys to our openvpn config folder.

cd /usr/local/share/easy-rsa/keys
cp server.crt /usr/local/etc/openvpn/
cp dh1024.pem /usr/local/etc/openvpn/
cp server.key /usr/local/etc/openvpn/
cp ca.crt /usr/local/etc/openvpn/

At this point, we can start the openvpn server.

/usr/local/etc/rc.d/openvpn start

Check /var/log/messages for any errors.

In case you want to revoke the client certificate for client liquid, do:

cd /usr/local/share/easy-rsa
sh
. ./vars
./revoke-full liquid
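Two things in the easy-rsa steps above are easy to get wrong: reusing a common name (the "TXT_DB error number 2" failure) and leaving a private key readable by other users. The following is an added example, not part of the original post or of easy-rsa: a small sh script that reads the CA database easy-rsa keeps in keys/index.txt (a constructed sample is embedded here) and reports whether a common name is still valid, revoked, or free, plus a check that a key file has no group/other permission bits.

```shell
#!/bin/sh
# Constructed sample of easy-rsa's keys/index.txt (the OpenSSL CA database).
# Tab-separated fields: status, expiry, revocation date, serial, file, subject DN.
# Status V = valid, R = revoked (what ./revoke-full writes).
SAMPLE_INDEX=$(mktemp)
printf 'V\t240101000000Z\t\t01\tunknown\t/C=US/ST=NY/L=NYC/O=home/CN=server/emailAddress=.\n' > "$SAMPLE_INDEX"
printf 'V\t240101000000Z\t\t02\tunknown\t/C=US/ST=NY/L=NYC/O=home/CN=liquid/emailAddress=.\n' >> "$SAMPLE_INDEX"
printf 'R\t240101000000Z\t230601000000Z\t03\tunknown\t/C=US/ST=NY/L=NYC/O=home/CN=oldlaptop/emailAddress=.\n' >> "$SAMPLE_INDEX"

# cn_status INDEX_FILE CN
# Prints "valid" if a non-revoked certificate with that CN exists (so
# ./build-key CN would fail with TXT_DB error number 2), "revoked" if the
# only entries for it have been revoked, and "free" if the CN is unused.
cn_status() {
  idx=$1; cn=$2
  awk -F'\t' -v cn="$cn" '
    index($6, "/CN=" cn "/") > 0 || $6 ~ ("/CN=" cn "$") {
      if ($1 == "V") { print "valid"; found = 1; exit }
      if ($1 == "R") { rev = 1 }
    }
    END { if (!found) print (rev ? "revoked" : "free") }' "$idx"
}

# key_is_private FILE
# Succeeds only if the group and other permission bits are all clear,
# i.e. the mode looks like 0600 or 0400 (server.key and client keys should).
key_is_private() {
  perms=$(ls -ld "$1" | cut -c5-10)
  [ "$perms" = "------" ]
}

# Example run: check the names used in this post against the sample database.
for name in server liquid oldlaptop phone; do
  echo "$name: $(cn_status "$SAMPLE_INDEX" "$name")"
done
```

Run it against the real file with `cn_status /usr/local/share/easy-rsa/keys/index.txt newclient` before invoking ./build-key, and `key_is_private /usr/local/etc/openvpn/server.key` after copying the keys.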

Once we have the server up and running, we should configure the client.
On your Windows machine, install the OpenVPN Windows client.

Go to C:\Program Files\OpenVPN and copy the client.ovpn file from the sample-config folder to the config folder.
Edit the client.ovpn file and change the values for the server and the path to the client certificates. In my case I had to specify mycloudserver.org and I’ve decided to keep the certificates under c:\keys. (Note: use double backslashes in the paths.) If you are having problems saving the file under C:\Program Files, save it on the desktop first and then manually copy it over to the C:\Program Files\OpenVPN\config folder.

Copy these three files from the server (/usr/local/share/easy-rsa/keys) into the c:\keys folder on your Windows 7 machine: ca.crt, liquid.crt and liquid.key.

Then, make sure that the openvpn executables always run with full admin privileges. Go to the bin folder, right-click each executable, click Properties and check Run this program as administrator.
The OpenVPN GUI creates an icon in the tray, right-click that icon and click Connect.

If everything is fine, you should see that the openvpn client is connected and that you can ping the server. In case something is wrong, right-click the same OpenVPN GUI icon and choose View log. If you have a firewall enabled, allow port 1194 UDP.
