January 5, 2008

OpenVPN install on FreeBSD (Bridged Mode)

**1. Add bridge support**

On FreeBSD 6 and later the bridge is if_bridge(4). It loads as a module the first time you run ifconfig bridge0 create, so rebuilding the kernel is optional; if you want it compiled in, the kernel option is:

device          if_bridge

options BRIDGE is the older bridge(4) driver, the one configured through the net.link.ether.bridge sysctls in step 2. They are two different drivers: pick one, do not put both in the kernel config.

**2. Add sysctl values**

# enable ip forwarding ( only needed if this box also routes to the subnets pushed in step 6; bridged traffic itself does not go through ip forwarding )
sysctl net.inet.ip.forwarding=1

# enable bridging ( old bridge(4) driver only )
sysctl net.link.ether.bridge.enable=1
# configure bridged interfaces ( change lnc to your nic , tap0 is the virtual nic used by openvpn; old bridge(4) driver only )
sysctl net.link.ether.bridge.config=lnc0,tap0

Put the ones you use in /etc/sysctl.conf so they survive a reboot. With if_bridge(4) there are no bridge sysctls; the bridge is an interface you create and add members to with ifconfig(8): ifconfig bridge0 create, then ifconfig bridge0 addm lnc0 addm tap0 up, with the NIC and the tap both up. Either way the tap interface must exist and be a bridge member before openvpn attaches to it.

**3. Install from ports**

cd /usr/ports/security/openvpn && make install clean

**4. Copy the ssl cert scripts (easy-rsa)**

mkdir /usr/local/etc/openvpn
cp -r /usr/local/share/doc/openvpn/easy-rsa /usr/local/etc/openvpn

**5. Create ssl certs**

cd /usr/local/etc/openvpn/easy-rsa
vi vars ( fill in the KEY_COUNTRY .. KEY_EMAIL fields and set KEY_SIZE=2048; the 1024 default is too weak )
. ./vars
./clean-all ( wipes keys/; only on a fresh CA )
./build-ca ( creates ca.crt and ca.key, the CA that signs everything below )
./build-key-server server_name ( creates certs with the prefix server_name, marked nsCertType=server )
./build-key client1 ( one key pair per client, never shared between users )
./build-dh ( creates dh<KEY_SIZE>.pem, referenced by the dh line in step 6 )

build-ca and build-dh are not optional: the config in step 6 references ca.crt and the dh file. Keep ca.key off the VPN server if you can; it is only needed to sign new client certs, and whoever holds it can mint clients at will.

**6. Create the server config file**

cd /usr/local/etc/openvpn/
vi openvpn.conf ( /usr/local/etc/openvpn/openvpn.conf is the file the rc.d script starts by default )

-- snip --

# what port to listen on ( 443/tcp gets through most outbound firewalls;
# otherwise prefer udp, since TCP-over-TCP degrades badly on lossy links )
port 443

# what protocol to use
proto tcp

# allow vpn clients to see each other
client-to-client

# certificates location
ca   /usr/local/etc/openvpn/easy-rsa/keys/ca.crt
cert /usr/local/etc/openvpn/easy-rsa/keys/server_name.crt
key  /usr/local/etc/openvpn/easy-rsa/keys/server_name.key  # This file should be kept secret
dh   /usr/local/etc/openvpn/easy-rsa/keys/dh1024.pem        # 1024-bit DH is weak; build with KEY_SIZE=2048

# bridge mode ( name the tap unit that is a bridge member, e.g. dev tap0,
# so openvpn attaches to the interface that is actually bridged )
dev tap

# allow clients to use a range ending at .100 with .3 as default gateway
# ( gateway, netmask and pool range go on one line:
#   server-bridge <gateway> <netmask> <pool-start> <pool-end> )

# Push routes to the clients ( whatever subnets they should reach;
# each line takes a network and netmask: push "route <network> <netmask>" )
push "route"
push "route"

# other options
push "dhcp-option DOMAIN vpn.domain.com"
push "dhcp-option DNS"          # takes the resolver address: push "dhcp-option DNS <address>"

keepalive 10 120
;max-clients 100

# drop privileges after start; add persist-key and persist-tun as well, or the
# daemon cannot reopen the key and tap on a restart ( SIGUSR1, ping-restart )
user nobody
group nobody

status      /var/log/openvpn/openvpn-status.log
# log truncates the file at every start, log-append keeps it; use one of the two
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log

# verb 6 is debug-level noise; drop to 3 once the tunnel works
verb 6
mute 5

**7. Enable openvpn on startup**

echo 'openvpn_enable="YES"' >> /etc/rc.conf
/usr/local/etc/rc.d/openvpn start

The rc.d script also honours openvpn_if="tap" in rc.conf, which loads the if_tap module before openvpn starts. The bridge itself must exist at boot too ( cloned_interfaces and ifconfig_bridge0 lines in rc.conf for if_bridge, or the step 2 sysctls in /etc/sysctl.conf for the old driver ), otherwise openvpn comes up on a tap interface that is not bridged and clients get no LAN traffic.

**8. Tail the log for errors …**
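The whole procedure above done with if_bridge(4), and with the directives the posted config leaves blank filled in, as an added example that is not part of the original post. The NIC name em0 (the post uses lnc0), the 192.168.1.0/24 LAN, the 192.168.1.50 .. .100 pool, the 10.10.0.0/16 second subnet, the client name client1 and the hostname vpn.domain.com (which the post only uses as the pushed DOMAIN) are assumptions, as are the function names.

```shell
#!/bin/sh
# Added example, not from the original post: bridged OpenVPN on FreeBSD with
# if_bridge(4) instead of the old bridge(4) sysctls. All addresses, the NIC
# name em0, vpn.domain.com and the key names are assumed values; adjust them.
set -u
NIC=em0                  # assumed: the physical LAN interface
TAP=tap0                 # tap unit OpenVPN attaches to; created at boot, bridged
BRIDGE=bridge0
LAN_MASK=255.255.255.0   # assumed LAN addressing: 192.168.1.0/24
VPN_GW=192.168.1.3       # gateway handed to clients (".3" in the post)
POOL_START=192.168.1.50  # assumed start of the client pool
POOL_END=192.168.1.100   # ".100" in the post
DNS=192.168.1.3          # assumed resolver pushed to clients
OTHER_NET=10.10.0.0      # assumed second subnet behind the LAN router
OTHER_MASK=255.255.0.0
ETC=/usr/local/etc/openvpn
KEYS=$ETC/easy-rsa/keys
# /etc/rc.conf lines: create tap0 and bridge0 at boot, enslave NIC and tap,
# let the rc.d script load if_tap, start openvpn with $ETC/openvpn.conf.
rc_conf_fragment() {
    cat <<EOF
cloned_interfaces="$TAP $BRIDGE"
ifconfig_$TAP="up"
ifconfig_$BRIDGE="addm $NIC addm $TAP up"
openvpn_enable="YES"
openvpn_if="tap"
EOF
}
# The same bridge built live on a running box (root on FreeBSD required).
bridge_now() {
    ifconfig "$TAP" create
    ifconfig "$BRIDGE" create
    ifconfig "$BRIDGE" addm "$NIC" addm "$TAP" up
    ifconfig "$TAP" up
}
# easy-rsa 1.x sequence behind step 5. Edit vars first (KEY_* fields,
# KEY_SIZE=2048); build-ca and build-key* prompt interactively.
make_keys() {
    cd "$ETC/easy-rsa" || return 1
    . ./vars
    ./clean-all
    ./build-ca
    ./build-key-server server_name
    ./build-key client1                      # one pair per client, never shared
    ./build-dh                               # writes dh2048.pem with KEY_SIZE=2048
    openvpn --genkey --secret "$KEYS/ta.key" # HMAC key for tls-auth
}
# Server config. Versus the post: a named, pre-bridged tap, server-bridge with
# the pool, udp, 2048-bit DH, tls-auth, persist-* so the daemon survives
# restarts after dropping to nobody, and a single log directive.
server_conf() {
    cat <<EOF
port 1194
proto udp
dev $TAP
ca   $KEYS/ca.crt
cert $KEYS/server_name.crt
key  $KEYS/server_name.key
dh   $KEYS/dh2048.pem
tls-auth $KEYS/ta.key 0
server-bridge $VPN_GW $LAN_MASK $POOL_START $POOL_END
client-to-client
push "route $OTHER_NET $OTHER_MASK"
push "dhcp-option DOMAIN vpn.domain.com"
push "dhcp-option DNS $DNS"
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
EOF
}
# Matching client config. ns-cert-type server rejects any certificate not made
# by build-key-server, so another client cannot pose as the server
# (remote-cert-tls server is the equivalent on OpenVPN 2.1 and later).
client_conf() {
    cat <<EOF
client
dev tap
proto udp
remote vpn.domain.com 1194
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
ns-cert-type server
verb 3
EOF
}
case "${1:-}" in
    show)   rc_conf_fragment; echo; server_conf; echo; client_conf ;;
    bridge) bridge_now ;;
    keys)   make_keys ;;
esac
```

Saved as, say, bridged-openvpn.sh, `sh bridged-openvpn.sh show` prints the three fragments: the first goes into /etc/rc.conf, the second into /usr/local/etc/openvpn/openvpn.conf, the third, together with ca.crt, client1.crt, client1.key and ta.key, to the client. `keys` runs the PKI sequence and `bridge` builds the bridge on a live system. In bridged mode the clients sit on the LAN subnet directly, so the only routes worth pushing are for other subnets behind the LAN router, which is what the 10.10.0.0/16 line stands for.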