SlideShare a Scribd company logo

FreeBSD, ipfw and OpenVPN 2.1 server

Tomaz Muraus
Tomaz Muraus

How to install and configure OpenVPN server in bridged mode on FreeBSD 8.0.

Technology
1 of 14
Download to read offline
FreeBSD 8, ipfw and OpenVPN 2.1 server (bridged mode) Tomaž Muraus (kami@k5-storitve.net / @KamiSLO) October 2009
1. Table of contents 1. Table of contents..........................................................................................................................2 2. Introduction..................................................................................................................................3 3. The setup......................................................................................................................................4 4. The difference between routing (tun) and bridged mode (tap)....................................................5 5. Step 1: Installing the OpenVPN server........................................................................................6 6. Step 2: Configuring the server.....................................................................................................7 7. Step 3. Up and down scripts......................................................................................................10 8. Step 4: Example client config file..............................................................................................11 9. Step 6. Auto starting the OpenVPN server on boot:..................................................................12 10. Step 7: Configuring the firewall (ipfw):..................................................................................13 11. Step 8: Starting and testing the server......................................................................................14 2
2. Introduction In this article, I will describe how to get OpenVPN 2.1 server up and running in bridged mode on FreeBSD 8.0. Actually, when I was writing this article, FreeBSD 8.0 production a.k.a. stable release was not yet available, but in any case, this should work on the production release when it's out and most likely on FreeBSD 6 and 7 as well. 3
3. The setup For the purpose of this article I will assume we are using the following setup. Network: What IP address / range Local gateway (router) 10.0.0.1 Local IP address (FreeBSD and VPN server) 10.0.0.2 VPN client address pool 10.0.0.100 - 10.0.0.50 Interfaces: Interface Value Ethernet interface bge0 Tap interface tap0 Bridge interface bridge0 Other server related settings: Name Value OpenVPN server port 22222 OpenVPN protocol UDP OpenVPN config files directory /usr/local/etc/openvpn OpenVPN config file location /usr/local/etc/openvpn/server.conf Root certificate file location /usr/local/etc/openvpn/ca.crt Server certificate file location /usr/local/etc/openvpn/server.crt Server key file location /usr/local/etc/openvpn/server.key Diffie Hellman parameters file location /usr/local/etc/openvpn/dh1024.pem 4
4. The difference between routing (tun) and bridged mode (tap) I won't go into the details here, because the official documenation explains it pretty nicely. The fundamental difference is, that when a client connects to a VPN server running in a bridged mode, it is assigned an IP address that is a part of the remote physical Ethernet subnet and is then able to interact with other machines on the remote subnet as if it were connected locally - each client's tap interface will be assigned an IP address that is a part of the server's LAN (that is why the VPN client address pool must be in the same subnet as the server LAN subnet). Getting OpenVPN server to work on this setup in routing mode can be a bit trickier because it requires you to manually change the routing tables and the OpenVPN subnet must be different then the client private LAN subnet. For example, if you use 192.168.0.0./24 as your VPN subnet and you try to connect to this VPN server from the place which uses the same subnet for its LAN (like Hotel, Internet Caffe or some open wireless network) you will encounter a routing conflict, because the client machine won't know if the 192.168.0.1 refers to the local place's gateway or the same address on the VPN. In case like this, you should select such subnet for the VPN which you are less likely to encounter - for example 10.0.0.0/8 or 172.16.0.0/24. 5
5. Step 1: Installing the OpenVPN server First thing you need to do is to install the OpenVPN server. You could download the source from the openvpn.org and compile it by yourself or you could just use the FreeBSD port (that is what I will do). cd /usr/ports/security/openvpn-devel/ && make install clean Once the port has been compiled and installed, we need to create a directory for storing certificates, keys and two scripts which are executed when the OpenVPN server is started (start script which creates the bridge interface and bridges the two interfaces) and stopped (stop script removes the bridge between the interfaces and deletes the bridge interface). 6
6. Step 2: Configuring the server If you want to use the bridged mode, you must enable the IP forwarding. You can do this so by putting the following line in the /etc/rc.conf (this is always required if you want to route packets between interfaces): gateway_enable="YES" The setting will be activated the next time you reboot the computer. If you want changes to take the effect immediately, use the following command: # sysctl net.inet.ip.forwarding=1 You can check if the IP forwarding was successfully enabled by executing the following command: # sysctl -a | grep net.inet.ip.forwarding You should receive output like this: net.inet.ip.forwarding: 1 When the IP forwarding is enabled, you need to generate the necessary certificates and keys (master certificate authority certificate and key, server certificate and key and client certificates and keys). I won't describe this here, because the process is pretty straight-forward and well described in the openvpn.net howto. You could as well use ssl-admin port / package which makes generating the necessary certificate and key files and exporting them for OpenVPN even easier. When you have generated the necessary files, you need to copy them to the OpenVPN config directory - /usr/local/etc/openvpn. Now we need to create the server config file, which should be named server.conf and located in /usr/local/etc/openvpn/: 7
up /usr/local/etc/openvpn/up.sh down /usr/local/etc/openvpn/down.sh server-bridge 10.0.0.2 255.255.255.0 10.0.0.110 10.0.0.120 proto udp port 22222 dev tap0 comp-lzo yes keepalive 15 60 client-to-client client-config-dir ccd push "route 10.0.0.0 255.255.255.0" push "dhcp-option DNS xxx.xxx.xxx.xxx" push "dhcp-option DNS yyy.yyy.yyy.yyy" push "dhcp-option WINS zzz.zzz.zzz.zzz" push "redirect-gateway def1" ca /usr/local/etc/openvpn/ca.crt dh /usr/local/etc/openvpn/dh1024.pem cert /usr/local/etc/openvpn/server.crt key /usr/local/etc/openvpn/server.key log /var/log/openvpn.log status-version 2 status status.log verb 3 mute 20 Here is an explanation of parameters which I consider important: • up - location of the shell script which is executed when the server is started • down - location of the shell script which is executed when the server is stopped • server-bridge <local IP address> <vpn client address pool start> <vpn client address pool end> • local IP address - local IP address of the server • vpn client address pool start - the first IP address which is assigned to VPN clients • vpn client address pool end - the last IP address which is assigned to VPN clients • proto - protocol, in our case UDP (TCP is also an option) • port – listening port for the server • dev - which device to use (tap - bridged mode, tun - routing mode) • comp-lzo - enable / disable LZO compression (LZO compression can save some bandwidth if you are transferring mostly text). If you don't want to force the compression, "adaptive" is also an option. • client-to-client - if enabled, OpenVPN will internally route client-to-client traffic rather than push all the client-originating traffic to the TAP interface and client will see the other clients which are currently connected. • client-config-dir <directory> - directory where the client specific config files are located (config file should have the same name as the client's X509 common name - the parameter which you specify when creating the client key file). This is useful if you want to set client- specific configuration or push some specific client rules like routes or DNS servers. • push - some special options which are pushed to the client 8
• push "route 10.0.0.0 255.255.255.0" – this rule must be pushed to the client, so everything in this subnet is accessible throught the VPN • push "dhcp-option DNS xxx.xxx.xxx.xxx" - IP address of the first DNS server • push "dhcp-option DNS yyy.yyy.yyy.yyy" - IP address of the second DNS server • push "dhcp-option WINS zzz.zzz.zzz.zzz" - IP address of the WINS server • push "redirect-gateway def1" - if this rule is pushed to the client, it will cause all the outgoing IP traffic to be routed over the VPN (by default, only the traffic from and to OpenVPN server site will pass over the VPN - web browsing and other traffic is not routed over VPN and uses the client's default connection) • ca - location of the master certificate authority certificate • dh - Diffie Hellman parameters file location • cert - server certificate file location • key - server key file location • log - location of the log file • status <filename> - file which keeps a log of OpenVPN status • verb <number> - log verbosity (if you encounter problems, bump the value up to 9. For normal operation 3 should give you just enough information and not pollute the log file too much) • mute <number> - this limits the repetitive logging of similar messages Note: VPN client address range should be outside of the local DHCP server IP address range. 9
7. Step 3. Up and down scripts Only thing left to do server-side wise is to create the up and down scripts which are executed when the server is started or stopped. /usr/local/etc/openvpn/up.sh: #!/bin/sh /sbin/ifconfig bridge0 create /sbin/ifconfig bridge0 addm bge0 addm $dev up /sbin/ifconfig $dev up /usr/local/etc/openvpn/down.sh: #!/bin/sh /sbin/ifconfig bridge0 deletem $dev /sbin/ifconfig bridge0 destroy /sbin/ifconfig $dev destroy Note: $dev is the first command line argument which is passed to this script by OpenSVN server - interface name (in our case, this will be tap0). 10
8. Step 4: Example client config file Here is an example client config file, which you could use with this server configuration: script-security 3 client tls-client dev tap proto udp remote <YOUR SERVER IP> 55555 resolv-retry infinite nobind persist-key persist-tun ca C:privateca.crt cert C:privateclient1-laptop.crt key C:privateclient1-laptop.key ns-cert-type server cipher BF-CBC comp-lzo verb 3 11
9. Step 6. Auto starting the OpenVPN server on boot: If you want OpenVPN server to be automatically started when the server is booted, you need to put the following lines in the /etc/rc.conf file: openvpn_enable="YES" openvpn_configfile="/usr/local/etc/openvpn/server.conf" openvpn_flags="--script-security 3" openvpn_if="tap" 12
10. Step 7: Configuring the firewall (ipfw): If you don't use ipfw you can skip this step, but if you don't use firewall at all, you should install one. For the OpenVPN server to work, we need to configure our firewall so it allows traffic to pass between the bridged interfaces and open the UDP port for remote connections. # ipfw -q add allow all from any to any via bge0 # ipfw -q add allow all from any to any via bridge0 # ipfw -q add allow all from any to any via tap0 # ipfw -q add allow udp from any to 10.0.0.2 22222 setup 13
11. Step 8: Starting and testing the server If you have successfully completed all the steps above you should be able to start the server: # /usr/local/etc/rc.d/openvpn start If you didn't receive any error message, server should be up and running, quietly waiting (depends on your log verbosity level) for the clients to connect to it. You can check if it's running by executing the following command /usr/local/etc/rc.d/openvpn status or optionally check the log file located at /var/log/openvpn.log. On the client side, you can verify that all the traffic is being routed over the VPN by checking the routes (print route / netstat -r) or using the trace route command (for example: tracert google.com / traceroute google.com). Note: If you are using OpenVPN version >= 2.1-rc20 you need to provide “--script-security 3” flag when starting the server, else the server won't start (this is not needed, if you added the necessary parameters to the /etc/rc.conf file and you are using the /usr/local/etc/rc.d/openvpn script to start the server). Usefull links and resources: • OpenVPN Howto • Ethernet Bridging • OpenVPN 2.1 manual • GRC's OpenVPN HowTo Guide • FreeBSD OpenVPN Server/Routed • Ipfw Howto • FreeBSD Handbook - Gateways and Routes 14

Recommended

Securing Back Office Business Processes with OpenVPN
Securing Back Office Business Processes with OpenVPNSecuring Back Office Business Processes with OpenVPN
Securing Back Office Business Processes with OpenVPNA Green
 
OpenVPN
OpenVPNOpenVPN
OpenVPNEmil CHERICHEȘ
 
Openvpn
OpenvpnOpenvpn
Openvpnmato2012
 
Naim lighting
Naim lightingNaim lighting
Naim lightingNaim Shafiev
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICSource Conference
 
Automating linux network performance testing
Automating linux network performance testingAutomating linux network performance testing
Automating linux network performance testingAntonio Ojea Garcia
 
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 eraHTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 erapeychevi
 
Site to-multi site open vpn solution-latest
Site to-multi site open vpn solution-latestSite to-multi site open vpn solution-latest
Site to-multi site open vpn solution-latestChanaka Lasantha
 

Recommended

Securing Back Office Business Processes with OpenVPN
Securing Back Office Business Processes with OpenVPNSecuring Back Office Business Processes with OpenVPN
Securing Back Office Business Processes with OpenVPNA Green
 
OpenVPN
OpenVPNOpenVPN
OpenVPNEmil CHERICHEȘ
 
Openvpn
OpenvpnOpenvpn
Openvpnmato2012
 
Naim lighting
Naim lightingNaim lighting
Naim lightingNaim Shafiev
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICSource Conference
 
Automating linux network performance testing
Automating linux network performance testingAutomating linux network performance testing
Automating linux network performance testingAntonio Ojea Garcia
 
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 eraHTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 erapeychevi
 
Site to-multi site open vpn solution-latest
Site to-multi site open vpn solution-latestSite to-multi site open vpn solution-latest
Site to-multi site open vpn solution-latestChanaka Lasantha
 
How Networking works with Data Science
How Networking works with Data Science How Networking works with Data Science
How Networking works with Data Science HungWei Chiu
 
Control Your Network ASICs, What Benefits switchdev Can Bring Us
Control Your Network ASICs, What Benefits switchdev Can Bring UsControl Your Network ASICs, What Benefits switchdev Can Bring Us
Control Your Network ASICs, What Benefits switchdev Can Bring UsHungWei Chiu
 
Google QUIC
Google QUICGoogle QUIC
Google QUICFelipe Rayel
 
[2015-11월 정기 세미나]K8s on openstack
[2015-11월 정기 세미나]K8s on openstack[2015-11월 정기 세미나]K8s on openstack
[2015-11월 정기 세미나]K8s on openstackOpenStack Korea Community
 
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28Jxck Jxck
 
Blackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossBlackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossPavel Odintsov
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networkingSim Janghoon
 
Linux Kernel Development
Linux Kernel DevelopmentLinux Kernel Development
Linux Kernel DevelopmentLinuxCon ContainerCon CloudOpen China
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simplePavel Odintsov
 
5. hands on - building local development environment with Open Mano
5. hands on - building local development environment with Open Mano5. hands on - building local development environment with Open Mano
5. hands on - building local development environment with Open Manovideos
 
Introduction to QUIC
Introduction to QUICIntroduction to QUIC
Introduction to QUICShuya Osaki
 
Site to-multi site open vpn solution. with active directory auth
Site to-multi site open vpn solution. with active directory authSite to-multi site open vpn solution. with active directory auth
Site to-multi site open vpn solution. with active directory authChanaka Lasantha
 
6. hands on - open mano demonstration in remote pool of servers
6. hands on - open mano demonstration in remote pool of servers6. hands on - open mano demonstration in remote pool of servers
6. hands on - open mano demonstration in remote pool of serversvideos
 
Building Python Development Station
Building Python Development StationBuilding Python Development Station
Building Python Development StationBasim Aly (JNCIP-SP, JNCIP-ENT)
 
Kubernetes Intro
Kubernetes IntroKubernetes Intro
Kubernetes IntroAntonio Ojea Garcia
 
Network Test Automation 2015-04-23 #npstudy
Network Test Automation 2015-04-23 #npstudyNetwork Test Automation 2015-04-23 #npstudy
Network Test Automation 2015-04-23 #npstudyHiroshi Ota
 
Open v switch20150410b
Open v switch20150410bOpen v switch20150410b
Open v switch20150410bRichard Kuo
 
Understanding Open vSwitch
Understanding Open vSwitch Understanding Open vSwitch
Understanding Open vSwitch YongKi Kim
 
LF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OpenvSwitch
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Philippe Bogaerts
 
Free radius billing server with practical vpn exmaple
Free radius billing server with practical vpn exmapleFree radius billing server with practical vpn exmaple
Free radius billing server with practical vpn exmapleChanaka Lasantha
 
Configuration Firewalld On CentOS 8
Configuration Firewalld On CentOS 8Configuration Firewalld On CentOS 8
Configuration Firewalld On CentOS 8Kaan Aslandağ
 

More Related Content

What's hot

How Networking works with Data Science
How Networking works with Data Science How Networking works with Data Science
How Networking works with Data Science HungWei Chiu
 
Control Your Network ASICs, What Benefits switchdev Can Bring Us
Control Your Network ASICs, What Benefits switchdev Can Bring UsControl Your Network ASICs, What Benefits switchdev Can Bring Us
Control Your Network ASICs, What Benefits switchdev Can Bring UsHungWei Chiu
 
[2015-11월 정기 세미나]K8s on openstack
[2015-11월 정기 세미나]K8s on openstack[2015-11월 정기 세미나]K8s on openstack
[2015-11월 정기 세미나]K8s on openstackOpenStack Korea Community
 
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28Jxck Jxck
 
Blackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossBlackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossPavel Odintsov
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networkingSim Janghoon
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simplePavel Odintsov
 
5. hands on - building local development environment with Open Mano
5. hands on - building local development environment with Open Mano5. hands on - building local development environment with Open Mano
5. hands on - building local development environment with Open Manovideos
 
Introduction to QUIC
Introduction to QUICIntroduction to QUIC
Introduction to QUICShuya Osaki
 
Site to-multi site open vpn solution. with active directory auth
Site to-multi site open vpn solution. with active directory authSite to-multi site open vpn solution. with active directory auth
Site to-multi site open vpn solution. with active directory authChanaka Lasantha
 
6. hands on - open mano demonstration in remote pool of servers
6. hands on - open mano demonstration in remote pool of servers6. hands on - open mano demonstration in remote pool of servers
6. hands on - open mano demonstration in remote pool of serversvideos
 
Network Test Automation 2015-04-23 #npstudy
Network Test Automation 2015-04-23 #npstudyNetwork Test Automation 2015-04-23 #npstudy
Network Test Automation 2015-04-23 #npstudyHiroshi Ota
 
Open v switch20150410b
Open v switch20150410bOpen v switch20150410b
Open v switch20150410bRichard Kuo
 
Understanding Open vSwitch
Understanding Open vSwitch Understanding Open vSwitch
Understanding Open vSwitch YongKi Kim
 
LF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OpenvSwitch
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Philippe Bogaerts
 

What's hot (20)

How Networking works with Data Science
How Networking works with Data Science How Networking works with Data Science
How Networking works with Data Science
 
Control Your Network ASICs, What Benefits switchdev Can Bring Us
Control Your Network ASICs, What Benefits switchdev Can Bring UsControl Your Network ASICs, What Benefits switchdev Can Bring Us
Control Your Network ASICs, What Benefits switchdev Can Bring Us
 
Google QUIC
Google QUICGoogle QUIC
Google QUIC
 
[2015-11월 정기 세미나]K8s on openstack
[2015-11월 정기 세미나]K8s on openstack[2015-11월 정기 세미나]K8s on openstack
[2015-11월 정기 세미나]K8s on openstack
 
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
 
Blackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossBlackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_voss
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networking
 
Linux Kernel Development
Linux Kernel DevelopmentLinux Kernel Development
Linux Kernel Development
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simple
 
5. hands on - building local development environment with Open Mano
5. hands on - building local development environment with Open Mano5. hands on - building local development environment with Open Mano
5. hands on - building local development environment with Open Mano
 
Introduction to QUIC
Introduction to QUICIntroduction to QUIC
Introduction to QUIC
 
Site to-multi site open vpn solution. with active directory auth
Site to-multi site open vpn solution. with active directory authSite to-multi site open vpn solution. with active directory auth
Site to-multi site open vpn solution. with active directory auth
 
6. hands on - open mano demonstration in remote pool of servers
6. hands on - open mano demonstration in remote pool of servers6. hands on - open mano demonstration in remote pool of servers
6. hands on - open mano demonstration in remote pool of servers
 
Building Python Development Station
Building Python Development StationBuilding Python Development Station
Building Python Development Station
 
Kubernetes Intro
Kubernetes IntroKubernetes Intro
Kubernetes Intro
 
Network Test Automation 2015-04-23 #npstudy
Network Test Automation 2015-04-23 #npstudyNetwork Test Automation 2015-04-23 #npstudy
Network Test Automation 2015-04-23 #npstudy
 
Open v switch20150410b
Open v switch20150410bOpen v switch20150410b
Open v switch20150410b
 
Understanding Open vSwitch
Understanding Open vSwitch Understanding Open vSwitch
Understanding Open vSwitch
 
LF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and Gotchas
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0
 

Similar to FreeBSD, ipfw and OpenVPN 2.1 server

Free radius billing server with practical vpn exmaple
Free radius billing server with practical vpn exmapleFree radius billing server with practical vpn exmaple
Free radius billing server with practical vpn exmapleChanaka Lasantha
 
Configuration Firewalld On CentOS 8
Configuration Firewalld On CentOS 8Configuration Firewalld On CentOS 8
Configuration Firewalld On CentOS 8Kaan Aslandağ
 
Tutorial CentOS 5 untuk Webhosting
Tutorial CentOS 5 untuk WebhostingTutorial CentOS 5 untuk Webhosting
Tutorial CentOS 5 untuk WebhostingBeni Krisbiantoro
 
Dockerizing the Hard Services: Neutron and Nova
Dockerizing the Hard Services: Neutron and NovaDockerizing the Hard Services: Neutron and Nova
Dockerizing the Hard Services: Neutron and Novaclayton_oneill
 
Linux internet server security and configuration tutorial
Linux internet server security and configuration tutorialLinux internet server security and configuration tutorial
Linux internet server security and configuration tutorialannik147
 
Squid proxy server
Squid proxy serverSquid proxy server
Squid proxy serverGreen Jb
 
Switch as a Server - PuppetConf 2014 - Leslie Carr
Switch as a Server - PuppetConf 2014 - Leslie CarrSwitch as a Server - PuppetConf 2014 - Leslie Carr
Switch as a Server - PuppetConf 2014 - Leslie CarrCumulus Networks
 
How to setup OpenVPN Server and Client on Ubuntu 14.04
How to setup OpenVPN Server and Client on Ubuntu 14.04How to setup OpenVPN Server and Client on Ubuntu 14.04
How to setup OpenVPN Server and Client on Ubuntu 14.04VEXXHOST Private Cloud
 
66 pfsense tutorial
66 pfsense tutorial66 pfsense tutorial
66 pfsense tutorialequinonesr
 
PPPoE With Mikrotik and Radius
PPPoE With Mikrotik and RadiusPPPoE With Mikrotik and Radius
PPPoE With Mikrotik and RadiusDashamir Hoxha
 
Site to-multi site open vpn solution with mysql db
Site to-multi site open vpn solution with mysql dbSite to-multi site open vpn solution with mysql db
Site to-multi site open vpn solution with mysql dbChanaka Lasantha
 
Bare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefBare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefMatt Ray
 
The Switch as a Server - PuppetConf 2014
The Switch as a Server - PuppetConf 2014The Switch as a Server - PuppetConf 2014
The Switch as a Server - PuppetConf 2014Puppet
 
Docker Swarm secrets for creating great FIWARE platforms
Docker Swarm secrets for creating great FIWARE platformsDocker Swarm secrets for creating great FIWARE platforms
Docker Swarm secrets for creating great FIWARE platformsFederico Michele Facca
 

Similar to FreeBSD, ipfw and OpenVPN 2.1 server (20)

Free radius billing server with practical vpn exmaple
Free radius billing server with practical vpn exmapleFree radius billing server with practical vpn exmaple
Free radius billing server with practical vpn exmaple
 
Configuration Firewalld On CentOS 8
Configuration Firewalld On CentOS 8Configuration Firewalld On CentOS 8
Configuration Firewalld On CentOS 8
 
Multi wanversion1.2
Multi wanversion1.2Multi wanversion1.2
Multi wanversion1.2
 
Tutorial CentOS 5 untuk Webhosting
Tutorial CentOS 5 untuk WebhostingTutorial CentOS 5 untuk Webhosting
Tutorial CentOS 5 untuk Webhosting
 
Dockerizing the Hard Services: Neutron and Nova
Dockerizing the Hard Services: Neutron and NovaDockerizing the Hard Services: Neutron and Nova
Dockerizing the Hard Services: Neutron and Nova
 
Linux internet server security and configuration tutorial
Linux internet server security and configuration tutorialLinux internet server security and configuration tutorial
Linux internet server security and configuration tutorial
 
Squid proxy server
Squid proxy serverSquid proxy server
Squid proxy server
 
Switch as a Server - PuppetConf 2014 - Leslie Carr
Switch as a Server - PuppetConf 2014 - Leslie CarrSwitch as a Server - PuppetConf 2014 - Leslie Carr
Switch as a Server - PuppetConf 2014 - Leslie Carr
 
How to setup OpenVPN Server and Client on Ubuntu 14.04
How to setup OpenVPN Server and Client on Ubuntu 14.04How to setup OpenVPN Server and Client on Ubuntu 14.04
How to setup OpenVPN Server and Client on Ubuntu 14.04
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
Alta disponibilidad en GNU/Linux
Alta disponibilidad en GNU/LinuxAlta disponibilidad en GNU/Linux
Alta disponibilidad en GNU/Linux
 
66 pfsense tutorial
66 pfsense tutorial66 pfsense tutorial
66 pfsense tutorial
 
PPPoE With Mikrotik and Radius
PPPoE With Mikrotik and RadiusPPPoE With Mikrotik and Radius
PPPoE With Mikrotik and Radius
 
Dhcp
DhcpDhcp
Dhcp
 
Site to-multi site open vpn solution with mysql db
Site to-multi site open vpn solution with mysql dbSite to-multi site open vpn solution with mysql db
Site to-multi site open vpn solution with mysql db
 
Bare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefBare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and Chef
 
The Switch as a Server - PuppetConf 2014
The Switch as a Server - PuppetConf 2014The Switch as a Server - PuppetConf 2014
The Switch as a Server - PuppetConf 2014
 
Docker Swarm secrets for creating great FIWARE platforms
Docker Swarm secrets for creating great FIWARE platformsDocker Swarm secrets for creating great FIWARE platforms
Docker Swarm secrets for creating great FIWARE platforms
 
66 pf sensetutorial
66 pf sensetutorial66 pf sensetutorial
66 pf sensetutorial
 
66_pfSenseTutorial
66_pfSenseTutorial66_pfSenseTutorial
66_pfSenseTutorial
 

Recently uploaded

Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Recently uploaded (20)

Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

FreeBSD, ipfw and OpenVPN 2.1 server

  • 1. FreeBSD 8, ipfw and OpenVPN 2.1 server (bridged mode) Tomaž Muraus (kami@k5-storitve.net / @KamiSLO) October 2009
  • 2. 1. Table of contents 1. Table of contents..........................................................................................................................2 2. Introduction..................................................................................................................................3 3. The setup......................................................................................................................................4 4. The difference between routing (tun) and bridged mode (tap)....................................................5 5. Step 1: Installing the OpenVPN server........................................................................................6 6. Step 2: Configuring the server.....................................................................................................7 7. Step 3. Up and down scripts......................................................................................................10 8. Step 4: Example client config file..............................................................................................11 9. Step 6. Auto starting the OpenVPN server on boot:..................................................................12 10. Step 7: Configuring the firewall (ipfw):..................................................................................13 11. Step 8: Starting and testing the server......................................................................................14 2
  • 3. 2. Introduction In this article, I will describe how to get OpenVPN 2.1 server up and running in bridged mode on FreeBSD 8.0. Actually, when I was writing this article, FreeBSD 8.0 production a.k.a. stable release was not yet available, but in any case, this should work on the production release when it's out and most likely on FreeBSD 6 and 7 as well. 3
  • 4. 3. The setup For the purpose of this article I will assume we are using the following setup. Network: What IP address / range Local gateway (router) 10.0.0.1 Local IP address (FreeBSD and VPN server) 10.0.0.2 VPN client address pool 10.0.0.100 - 10.0.0.50 Interfaces: Interface Value Ethernet interface bge0 Tap interface tap0 Bridge interface bridge0 Other server related settings: Name Value OpenVPN server port 22222 OpenVPN protocol UDP OpenVPN config files directory /usr/local/etc/openvpn OpenVPN config file location /usr/local/etc/openvpn/server.conf Root certificate file location /usr/local/etc/openvpn/ca.crt Server certificate file location /usr/local/etc/openvpn/server.crt Server key file location /usr/local/etc/openvpn/server.key Diffie Hellman parameters file location /usr/local/etc/openvpn/dh1024.pem 4
  • 5. 4. The difference between routing (tun) and bridged mode (tap) I won't go into the details here, because the official documenation explains it pretty nicely. The fundamental difference is, that when a client connects to a VPN server running in a bridged mode, it is assigned an IP address that is a part of the remote physical Ethernet subnet and is then able to interact with other machines on the remote subnet as if it were connected locally - each client's tap interface will be assigned an IP address that is a part of the server's LAN (that is why the VPN client address pool must be in the same subnet as the server LAN subnet). Getting OpenVPN server to work on this setup in routing mode can be a bit trickier because it requires you to manually change the routing tables and the OpenVPN subnet must be different then the client private LAN subnet. For example, if you use 192.168.0.0./24 as your VPN subnet and you try to connect to this VPN server from the place which uses the same subnet for its LAN (like Hotel, Internet Caffe or some open wireless network) you will encounter a routing conflict, because the client machine won't know if the 192.168.0.1 refers to the local place's gateway or the same address on the VPN. In case like this, you should select such subnet for the VPN which you are less likely to encounter - for example 10.0.0.0/8 or 172.16.0.0/24. 5
  • 6. 5. Step 1: Installing the OpenVPN server First thing you need to do is to install the OpenVPN server. You could download the source from the openvpn.org and compile it by yourself or you could just use the FreeBSD port (that is what I will do). cd /usr/ports/security/openvpn-devel/ && make install clean Once the port has been compiled and installed, we need to create a directory for storing certificates, keys and two scripts which are executed when the OpenVPN server is started (start script which creates the bridge interface and bridges the two interfaces) and stopped (stop script removes the bridge between the interfaces and deletes the bridge interface). 6
  • 7. 6. Step 2: Configuring the server If you want to use the bridged mode, you must enable the IP forwarding. You can do this so by putting the following line in the /etc/rc.conf (this is always required if you want to route packets between interfaces): gateway_enable="YES" The setting will be activated the next time you reboot the computer. If you want changes to take the effect immediately, use the following command: # sysctl net.inet.ip.forwarding=1 You can check if the IP forwarding was successfully enabled by executing the following command: # sysctl -a | grep net.inet.ip.forwarding You should receive output like this: net.inet.ip.forwarding: 1 When the IP forwarding is enabled, you need to generate the necessary certificates and keys (master certificate authority certificate and key, server certificate and key and client certificates and keys). I won't describe this here, because the process is pretty straight-forward and well described in the openvpn.net howto. You could as well use ssl-admin port / package which makes generating the necessary certificate and key files and exporting them for OpenVPN even easier. When you have generated the necessary files, you need to copy them to the OpenVPN config directory - /usr/local/etc/openvpn. Now we need to create the server config file, which should be named server.conf and located in /usr/local/etc/openvpn/: 7
  • 8. up /usr/local/etc/openvpn/up.sh down /usr/local/etc/openvpn/down.sh server-bridge 10.0.0.2 255.255.255.0 10.0.0.110 10.0.0.120 proto udp port 22222 dev tap0 comp-lzo yes keepalive 15 60 client-to-client client-config-dir ccd push "route 10.0.0.0 255.255.255.0" push "dhcp-option DNS xxx.xxx.xxx.xxx" push "dhcp-option DNS yyy.yyy.yyy.yyy" push "dhcp-option WINS zzz.zzz.zzz.zzz" push "redirect-gateway def1" ca /usr/local/etc/openvpn/ca.crt dh /usr/local/etc/openvpn/dh1024.pem cert /usr/local/etc/openvpn/server.crt key /usr/local/etc/openvpn/server.key log /var/log/openvpn.log status-version 2 status status.log verb 3 mute 20 Here is an explanation of parameters which I consider important: • up - location of the shell script which is executed when the server is started • down - location of the shell script which is executed when the server is stopped • server-bridge <local IP address> <vpn client address pool start> <vpn client address pool end> • local IP address - local IP address of the server • vpn client address pool start - the first IP address which is assigned to VPN clients • vpn client address pool end - the last IP address which is assigned to VPN clients • proto - protocol, in our case UDP (TCP is also an option) • port – listening port for the server • dev - which device to use (tap - bridged mode, tun - routing mode) • comp-lzo - enable / disable LZO compression (LZO compression can save some bandwidth if you are transferring mostly text). If you don't want to force the compression, "adaptive" is also an option. • client-to-client - if enabled, OpenVPN will internally route client-to-client traffic rather than push all the client-originating traffic to the TAP interface and client will see the other clients which are currently connected. • client-config-dir <directory> - directory where the client specific config files are located (config file should have the same name as the client's X509 common name - the parameter which you specify when creating the client key file). This is useful if you want to set client- specific configuration or push some specific client rules like routes or DNS servers. • push - some special options which are pushed to the client 8
  • 9. • push "route 10.0.0.0 255.255.255.0" – this rule must be pushed to the client, so everything in this subnet is accessible throught the VPN • push "dhcp-option DNS xxx.xxx.xxx.xxx" - IP address of the first DNS server • push "dhcp-option DNS yyy.yyy.yyy.yyy" - IP address of the second DNS server • push "dhcp-option WINS zzz.zzz.zzz.zzz" - IP address of the WINS server • push "redirect-gateway def1" - if this rule is pushed to the client, it will cause all the outgoing IP traffic to be routed over the VPN (by default, only the traffic from and to OpenVPN server site will pass over the VPN - web browsing and other traffic is not routed over VPN and uses the client's default connection) • ca - location of the master certificate authority certificate • dh - Diffie Hellman parameters file location • cert - server certificate file location • key - server key file location • log - location of the log file • status <filename> - file which keeps a log of OpenVPN status • verb <number> - log verbosity (if you encounter problems, bump the value up to 9. For normal operation 3 should give you just enough information and not pollute the log file too much) • mute <number> - this limits the repetitive logging of similar messages Note: VPN client address range should be outside of the local DHCP server IP address range. 9
  • 10. 7. Step 3. Up and down scripts Only thing left to do server-side wise is to create the up and down scripts which are executed when the server is started or stopped. /usr/local/etc/openvpn/up.sh: #!/bin/sh /sbin/ifconfig bridge0 create /sbin/ifconfig bridge0 addm bge0 addm $dev up /sbin/ifconfig $dev up /usr/local/etc/openvpn/down.sh: #!/bin/sh /sbin/ifconfig bridge0 deletem $dev /sbin/ifconfig bridge0 destroy /sbin/ifconfig $dev destroy Note: $dev is the first command line argument which is passed to this script by OpenSVN server - interface name (in our case, this will be tap0). 10
  • 11. 8. Step 4: Example client config file Here is an example client config file, which you could use with this server configuration: script-security 3 client tls-client dev tap proto udp remote <YOUR SERVER IP> 55555 resolv-retry infinite nobind persist-key persist-tun ca C:privateca.crt cert C:privateclient1-laptop.crt key C:privateclient1-laptop.key ns-cert-type server cipher BF-CBC comp-lzo verb 3 11
  • 12. 9. Step 6. Auto starting the OpenVPN server on boot: If you want OpenVPN server to be automatically started when the server is booted, you need to put the following lines in the /etc/rc.conf file: openvpn_enable="YES" openvpn_configfile="/usr/local/etc/openvpn/server.conf" openvpn_flags="--script-security 3" openvpn_if="tap" 12
  • 13. 10. Step 7: Configuring the firewall (ipfw): If you don't use ipfw you can skip this step, but if you don't use firewall at all, you should install one. For the OpenVPN server to work, we need to configure our firewall so it allows traffic to pass between the bridged interfaces and open the UDP port for remote connections. # ipfw -q add allow all from any to any via bge0 # ipfw -q add allow all from any to any via bridge0 # ipfw -q add allow all from any to any via tap0 # ipfw -q add allow udp from any to 10.0.0.2 22222 setup 13
  • 14. 11. Step 8: Starting and testing the server If you have successfully completed all the steps above you should be able to start the server: # /usr/local/etc/rc.d/openvpn start If you didn't receive any error message, server should be up and running, quietly waiting (depends on your log verbosity level) for the clients to connect to it. You can check if it's running by executing the following command /usr/local/etc/rc.d/openvpn status or optionally check the log file located at /var/log/openvpn.log. On the client side, you can verify that all the traffic is being routed over the VPN by checking the routes (print route / netstat -r) or using the trace route command (for example: tracert google.com / traceroute google.com). Note: If you are using OpenVPN version >= 2.1-rc20 you need to provide “--script-security 3” flag when starting the server, else the server won't start (this is not needed, if you added the necessary parameters to the /etc/rc.conf file and you are using the /usr/local/etc/rc.d/openvpn script to start the server). Usefull links and resources: • OpenVPN Howto • Ethernet Bridging • OpenVPN 2.1 manual • GRC's OpenVPN HowTo Guide • FreeBSD OpenVPN Server/Routed • Ipfw Howto • FreeBSD Handbook - Gateways and Routes 14