Getting OpenVPN to play nice with FreeBSD was not as easy as I normally
get from a FreeBSD port
This is due to both my learning on the fly and lack of good
BSD related documentation
These first notes are how I accomplished it under FreeBSD 6.x Here's
some notes for my recent work with OpenVPN under FreeBSD 7.2
I hope it helps you
Feel free to use/share/mod
Sorry it's not yet all that perty
I used/did
FreeBSD 6.2
portsnap
cd /usr/ports/security/openvpn
make install clean
I like to copy the scripts to
/etc/openvpn
cd /usr/local/share/doc/openvpn/easy-rsa
mkdir /etc/openvpn
cp -R * /etc/openvpn
cd /etc/openvpn
Edit vars to your environment (http://openvpn.net/howto.html)
Now run the scripts. They are
bash scripts !!
sh
. ./vars
sh ./clean-all
sh ./build-ca
sh ./build-key-server server
sh ./build-key-pass client
sh ./build-dh (takes a while, grab a drink/chill)
Copy/Edit the config. I like to
keep the openvpn.conf in the normal configuration location. Edit
/usr/local/etc/rc.d/openvpn to adjust the default location mkdir /usr/local/etc/openvpn
cp /usr/local/share/doc/openvpn/sample-config-files/server.conf
/usr/local/etc/openvpn/openvpn.conf
Edit
/usr/local/etc/openvpn/openvpn.conf to add the correct path to these
files
ca.crt
server.crt
server.key
dh1024.pem
Like
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/server.crt
key /etc/openvpn/2.0/keys/server.key
dh /etc/openvpn/2.0/keys/dh1024.pem
Add this to /etc/rc.conf
openvpn_enable="YES"
gateway_enable="YES"
openvpn_if="tun" for Tunneling
or
openvpn_if="tap" for Bridging
Make sure IP Forwarding is enabled Check it with
sysctl -a |grep net.inet.ip.f
It should look like this inet.inet.ip.forwarding: 1
If your /etc/rc.conf has gateway_enable="YES",
it will be set on reboot
You can have this /etc/rc.conf setting read without a reboot by doing
this
/etc/rc/d/routing restart
You can also set IP Forwarding manaully with sysctl
sysctl inet.inet.ip.forwarding=1
Edit
/usr/local/etc/openvpn/openvpn.conf enough
to get tunelling going
Leave it at that if you want
For me it was a pain to configure routing on the server side
I found it necessary to
add permanent routes back as static routes on my gateway did not seem
to help
This probably will be less painful if your gateway is your OpenVPN
server.
It wasnt for my install
I did eventually choose bridging but here's my route notes for history
Because of the routing pain, I then
tried Bridge
OpenVPN's scripts do not automatically create the bridge device
I could not find a solution
Based on some reading, I made a startup script to build the bridge at
startup
So far so good, It's probably a bad hack, maybe someone will help me
out here
The script
1. Creates the bridge device
2. Adds a hardware NIC and TAP0 device, brings it up
3. Assigns a static IP
You'll have to edit the interface name and bridged IP to taste
For a bridge, you have to modify the
openvpn.conf
Change from tun to tap
dev tap
;dev tun
Modify server-bridge for the bridge IP
and pushed out IP range
server-bridge 192.168.10.12 255.255.255.0 192.168.10.100
192.168.110.109
Your dmesg will fill up with stuff
like this
arp: 192.168.10.2 is on fxp0 but got reply from 00:0a:5e:4d:37:ee on
bridge0
I turned off logging of this with sysctl
net.link.ether.inet.log_arp_wrong_iface=0
Add net.link.ether.inet.log_arp_wrong_iface=0
to /etc/sysctl.conf for a permanent change to this setting
Optional improved security
Use tls-auth
openvpn --genkey --secret ta.key
Copy ta.key to server and client
In the server configuration, add:
tls-auth ta.key 0
In the client configuration, add:
tls-auth ta.key 1
Larger RSA keys like 2048
Edit vars to include
export KEY_SIZE=2048
Revoke a certificate if someone gets
the boot (aka fired), hopefully not me
. ./vars
./revoke-full client2
This Creates crl.pem
Edit server config to point to this file
crl-verify crl.pem
Watch permissions
I needed to copy the crl.pem to /usr/local/sbin as the openvpn daemon
running as nobody could not see it in the location is was created
Adding authentication seemed an easy
improvement method for security
Add to client config
auth-user-pass
Add to server config
plugin /usr/local/lib/openvpn-auth-pam.so login
For lab use I did this
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
--duplicate-cn
Here's a cool command to test
throughput relative to cipher
openssl speed bf-cbc des-ede3 aes-128-cbc
The 'numbers' are in 1000s of bytes per second processed.
type
16 bytes 64 bytes 256
bytes 1024 bytes 8192 bytes
des ede3
11884.66k 11914.43k
11951.81k 11965.71k 11963.80k
blowfish cbc 52814.10k
53821.89k 54053.87k
54415.30k 53871.86k
aes-128 cbc 40888.23k
38975.23k 39728.08k
40106.78k 39669.99k
Want to delete a person in order to
create a new key or changes
password?
Delete their .crt .key and .csr
Then remove their entry from the OpenVPN keys directory in the file
index.txt
I was getting - Initialization
Sequence Completed With Errors
ip-win32 netsh - was the fix for me
Here's a rip from some docs
Make sure that the DHCP Client Service is started.
If the above fix doesn't work, then it's possible that the TAP-Win32
adapter is being firewalled. In general, it's safe to disable the
firewall on the TAP-Win32 adapter because OpenVPN makes sure that only
an authenticated machine on the other end of the connection can
communicate through it. Having said that, there have been reports that
certain third party firewalls will block the TAP-Win32 adapter after an
XP SP2 upgrade.
You can also try changing the ip-win32 setting to a non-DHCP method.
For example:
ip-win32 netsh
ip-win32 ipapi
ip-win32 manual
Signing the Certificate. I chose
the allow the users to create
their own key. They then sent me a csr which I signed ...
Transfer the csr to the server in /etc/openvpn/2.0/keys
From /etc/openvpn/2.0
sh
. ./vars
sh ./pkitool --sign dsuzuki
This creates a certificate *.crt in /etc/openvpn/2.0/keys
Sent this back to the client
Fast Forwarding
I dont know why I wrote this
down originally
It looks cool so I left it
net.inet.ip.fastforwarding=1
Here's notes from the FreeBSD Kernel Interfaces Manual for inet(4)
(ip.fastforwarding)
Boolean: enable/disable the use of fast IP forwarding code.
Defaults to off
When fast IP forwarding is enabled, IP packets are forwarded directly
to the appropriate network interface with direct processing to
completion, which
greatly improves the throughput.
All packets for local IP addresses, non-unicast, or with IP optionsare
handled by the normal IP input processing path.
All features of the normal (slow) IP forwarding path are supported
including firewall (through pfil(9) hooks) checking, except ipsec(4)
tunnel brokering.
The IP fastforwarding path does not generate ICMP redirect or source
quench messages.
OpenVPN
under FreeBSD 7.2
I recently installed OpenVPN under FreeBSD 7.2
It seems the bridging part is a bit different than FreeBSD 6.x
I found some helpful URL's
Here's some OpenVPN related config entries that have worked for me
mkdir /root/easy-rsa
cp -r /usr/local/share/doc/openvpn/easy-rsa /root/
cd /root/easy-rsa/2.0
sh
sh . vars
sh ./clean-all
sh ./build-ca
sh ./build-key-server server
sh ./build-key user-name
sh ./build-dh
syslog.conf
vi /etc/syslog.conf
!openvpn
*.* /var/log/openvpn.log
touch /var/log/openvpn.log
Restart syslogd:-
killall -HUP syslogd
/etc/rc.conf
gateway_enable="YES"
openvpn_enable="YES"
openvpn_if="tap"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
openvpn_flags="--script-security 2" #Use only for OpenVPN after 2.06
/usr/local/etc/openvpn/server.conf
up /usr/local/etc/openvpn/up.sh
down /usr/local/etc/openvpn/down.sh
server-bridge 192.168.110.114 255.255.255.0 192.168.110.150
192.168.110.160
proto udp
port 61194
dev tap0
keepalive 15 60
