VPN server (OpenVPN) on FreeBSD for windows clients

1. Introduction : VPN system

We’ll describe the procedure to install a VPN server (OpenVPN) on a FreeBSD 10.1 server for Windows 7 clients.

This VPN will be configured for road warriors clients :
– 100% of the outgoing clients traffic will transit through the VPN server.
– 100% of the outgoing clients traffic will be encrypted before leaving the client computer.

I use this system to secure my connection when using untrusted networks (public WiFi) and to avoid constraints and limitations in some countries.

2. OpenVPN : server (FreeBSD 10.1)

2.1 Install

OpenVPN installation :

vi /etc/rc.conf
Add these lines :
To enable traffic forwarding without rebooting the server :
sysctl -a | grep net.inet.ip.forwarding

cd /usr/local/etc
mkdir openvpn
cd /usr/local/share/examples/openvpn/sample-config-files/
cp server.conf /usr/local/etc/openvpn/openvpn.conf
cd /usr/local/share/easy-rsa/
sh
. ./vars
./clean-all

Build the certificate authority (CA) :
Generating a 1024 bit RSA private key
......................++++++
.................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:FR
State or Province Name (full name) [CA]:MyRegion
Locality Name (eg, city) [SanFrancisco]:MyCity
Organization Name (eg, company) [Fort-Funston]:MyCompany
Organizational Unit Name (eg, section) [changeme]:IT
Common Name (eg, your name or your server's hostname) [changeme]:MyHostname
Name [changeme]:MyName
Email Address [mail@host.domain]:MyEmail

Server private key and certificate generation :
Generating a 1024 bit RSA private key
......++++++
........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:FR
State or Province Name (full name) [CA]:MyRegion
Locality Name (eg, city) [SanFrancisco]:MyCity
Organization Name (eg, company) [Fort-Funston]:MyCompany
Organizational Unit Name (eg, section) [changeme]:IT
Common Name (eg, your name or your server's hostname) [server]:MyHostname
Name [changeme]:MyName
Email Address [mail@host.domain]:MyEmail

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/share/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'FR'
stateOrProvinceName :PRINTABLE:'MyRegion'
localityName :PRINTABLE:'MyCity'
organizationName :PRINTABLE:'MyCompany'
organizationalUnitName:PRINTABLE:'IT'
commonName :PRINTABLE:'MyHostname'
name :PRINTABLE:'MyName'
emailAddress :IA5STRING:'MyEmail'
Certificate is to be certified until Mar 12 03:23:58 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generation of our first client key :
Generating a 1024 bit RSA private key
...................++++++
...............++++++
writing new private key to 'client1_laptop.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:FR
State or Province Name (full name) [CA]:MyRegion
Locality Name (eg, city) [SanFrancisco]:MyCity
Organization Name (eg, company) [Fort-Funston]:MyCompany
Organizational Unit Name (eg, section) [changeme]:IT
Common Name (eg, your name or your server's hostname) [client1_laptop]:
Name [changeme]:MyName
Email Address [mail@host.domain]:MyEmail

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/share/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'FR'
stateOrProvinceName :PRINTABLE:'MyRegion'
localityName :PRINTABLE:'MyCity'
organizationName :PRINTABLE:'MyCompany'
organizationalUnitName:PRINTABLE:'IT'
commonName :T61STRING:'client1_laptop'
name :PRINTABLE:'MyName'
emailAddress :IA5STRING:'MyEmail'
Certificate is to be certified until Mar 12 03:30:26 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the Diffie Hellman parameters :
This is going to take a long time
.................+..............+..+.....................

We copy the generated files in the OpenVPN folder:
cp /usr/local/etc/openvpn/openvpn.conf /usr/local/etc/openvpn/openvpn.conf.bak

We can now edit this configuration :
;local a.b.c.d
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 208.67.220.220"
client-to-client
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
;mute 20

3. OpenVPN : client (Windows 7)
3.1 Install
As a first step, we download the client software on the official OpenVPN website.
3.2 Configuration
We have to retrieve some files from the server to our client. This is a critical step in terms of safety : Do not transfer these file with a not encrypted protocol !
Here we used the SFTP (SSH File Transfer Protocol) with FileZilla client :

Retrieve the following files, and copy them in “C:Program Files\OpenVPNconfig” :

– client1_laptop.key

– client1_laptop.crt

– ca.crt
In the same folder, we create a configuration file “client.ovpn”, and edit it :
service openvpn start

If everything is OK, you should see this :
tail -n 100 /var/log/messages


The client should be able to communicate with the server. Note : The OpenVPN client should be started with Administrator rights.
At this step, the server is not forwarding the traffic to/from internet yet.The clients don’t have access to internet.
6. Traffic forwarding
To allow the server to forward traffic between clients and internet, we will use the firewall Packet-filter.
To enable automatic start, we edit the rc.conf file :
#Firewall
pf_enable="YES"
pf_rules="/etc/pf.conf"

Create the PF’s rules :
vpn_net = "10.8.0.0/24"
vpn_if = "tun0"
ext_if = "em0"
# ---- NAT rules ---- #
nat on $ext_if inet from $vpn_net to any -> $ext_if
# ---- Default policy ---- #
block in
# ---- Loopback ---- #
pass on lo0 all
# ---- ICMP ---- #
pass in on $ext_if proto icmp
# ---- SSH ---- #
pass in on $ext_if proto tcp from any to $ext_if port 22
# ---- HTTP ---- #
pass in on $ext_if proto tcp from any to $ext_if port 80
# ---- OPENVPN ---- #
pass in on $ext_if proto tcp from any to $ext_if port 443
pass out quick
pass in on $vpn_if from any to any

Load the kernel module :
service pf start

		Posted on 2015-03-172015-11-08Author RonanCategories IT, System administration, VPNTags freebsd, openvpn