January 5, 2008

OpenVPN install on FreeBSD ( Bridged Mode )

**1. Add Bridge support ( Rebuild kernel with the following options ) **

**
**device          if_bridge
options         BRIDGE

**2. add sysctl values **

*#enable ip forwarding
*net.inet.ip.forwarding=1
*#enable bridging
*net.link.ether.bridge.enable=1
#configure bridged interfaces ( change lnc to your nic , tap0 is the virtual nic used by openvpn )
sysctl net.link.ether.bridge.config=lnc0,tap0

3.install from ports

cd /usr/ports/security/openvpn && make all install

4. copy ssl certs scripts

mkdir /usr/local/etc/openvpn
cp -r /usr/local/share/doc/openvpn/easy-rsa  /usr/local/etc/openvpn

**5. create ssl certs **

cd /usr/local/etc/openvpn/easy-rsa
vi vars ( add configs )
. ./vars
./build-ca
./build-key-server server_name ( this will create certs with the prefix server_name )
./build-dh

**6.create server config file **

cd /usr/local/etc/openvpn/
vi openvpn.conf

— snip ——

what port to listen on

port 443

what protocol to use

proto tcp

allow vpn clients to see each other

client-to-client

certicates location

ca   /usr/local/etc/openvpn/easy-rsa/keys/ca.crt
cert /usr/local/etc/openvpn/easy-rsa/keys/server_name.crt
key  /usr/local/etc/openvpn/easy-rsa/keys/server_name.key  # This file should be kept secret
dh   /usr/local/etc/openvpn/easy-rsa/keys/dh1024.pem

bridge mode

dev tap

allow clients to use range of 192.168.1.50 to .100 with .3 as default gateway

server-bridge 192.168.1.3 255.255.255.0 192.168.1.50 192.168.1.100

Push routes to the clients ( what ever subnets they should reach )

push "route 192.168.1.0 255.255.255.0"
push "route 172.16.0.0 255.255.254.0"

other options

push "dhcp-option DOMAIN vpn.domain.com"
push "dhcp-option DNS 192.168.1.254"

keepalive 10 120
comp-lzo
;max-clients 100

user nobody
group nobody

persist-key
persist-tun

status      /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log

verb 6
mute 5

7.enable openssl on startup

echo "openvpn_enable="YES"" >> /etc/rc.conf
/usr/local/etc/rc.d/openvpn start

**8.tail the log for errors …
**