1. Introduction: VPN system
We’ll describe the procedure to install a VPN server (OpenVPN) on a FreeBSD 10.1 server for Windows 7 clients.
This VPN will be configured for road warrior clients:
– 100% of the outgoing client traffic will transit through the VPN server.
– 100% of the outgoing client traffic will be encrypted before leaving the client computer.
I use this system to secure my connection when using untrusted networks (public WiFi) and to avoid constraints and limitations in some countries.
2. OpenVPN: server (FreeBSD 10.1)
2.1 Install
OpenVPN installation:
    vi /etc/rc.conf

Add these lines:
To enable traffic forwarding without rebooting the server:
    sysctl -a | grep net.inet.ip.forwarding
    cd /usr/local/etc
    mkdir openvpn
    cd /usr/local/share/examples/openvpn/sample-config-files/
    cp server.conf /usr/local/etc/openvpn/openvpn.conf
    cd /usr/local/share/easy-rsa/
    sh
    . ./vars
    ./clean-all

Build the certificate authority (CA):
    Generating a 1024 bit RSA private key
    ......................++++++
    .................++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:FR
    State or Province Name (full name) [CA]:MyRegion
    Locality Name (eg, city) [SanFrancisco]:MyCity
    Organization Name (eg, company) [Fort-Funston]:MyCompany
    Organizational Unit Name (eg, section) [changeme]:IT
    Common Name (eg, your name or your server's hostname) [changeme]:MyHostname
    Name [changeme]:MyName
    Email Address [mail@host.domain]:MyEmail

Server private key and certificate generation:
    Generating a 1024 bit RSA private key
    ......++++++
    ........++++++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:FR
    State or Province Name (full name) [CA]:MyRegion
    Locality Name (eg, city) [SanFrancisco]:MyCity
    Organization Name (eg, company) [Fort-Funston]:MyCompany
    Organizational Unit Name (eg, section) [changeme]:IT
    Common Name (eg, your name or your server's hostname) [server]:MyHostname
    Name [changeme]:MyName
    Email Address [mail@host.domain]:MyEmail

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /usr/local/share/easy-rsa/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'FR'
    stateOrProvinceName   :PRINTABLE:'MyRegion'
    localityName          :PRINTABLE:'MyCity'
    organizationName      :PRINTABLE:'MyCompany'
    organizationalUnitName:PRINTABLE:'IT'
    commonName            :PRINTABLE:'MyHostname'
    name                  :PRINTABLE:'MyName'
    emailAddress          :IA5STRING:'MyEmail'
    Certificate is to be certified until Mar 12 03:23:58 2025 GMT (3650 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

Generation of our first client key:
    Generating a 1024 bit RSA private key
    ...................++++++
    ...............++++++
    writing new private key to 'client1_laptop.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:FR
    State or Province Name (full name) [CA]:MyRegion
    Locality Name (eg, city) [SanFrancisco]:MyCity
    Organization Name (eg, company) [Fort-Funston]:MyCompany
    Organizational Unit Name (eg, section) [changeme]:IT
    Common Name (eg, your name or your server's hostname) [client1_laptop]:
    Name [changeme]:MyName
    Email Address [mail@host.domain]:MyEmail

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /usr/local/share/easy-rsa/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'FR'
    stateOrProvinceName   :PRINTABLE:'MyRegion'
    localityName          :PRINTABLE:'MyCity'
    organizationName      :PRINTABLE:'MyCompany'
    organizationalUnitName:PRINTABLE:'IT'
    commonName            :T61STRING:'client1_laptop'
    name                  :PRINTABLE:'MyName'
    emailAddress          :IA5STRING:'MyEmail'
    Certificate is to be certified until Mar 12 03:30:26 2025 GMT (3650 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

Generate the Diffie-Hellman parameters:
    This is going to take a long time
    .................+..............+..+.....................

We copy the generated files to the OpenVPN folder:
    cp /usr/local/etc/openvpn/openvpn.conf /usr/local/etc/openvpn/openvpn.conf.bak

We can now edit this configuration:
    ;local a.b.c.d
    port 443
    proto tcp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key  # This file should be kept secret
    dh dh1024.pem
    topology subnet
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    #push "dhcp-option DNS 208.67.220.220"
    client-to-client
    keepalive 10 120
    cipher AES-256-CBC
    comp-lzo
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    ;mute 20

3. OpenVPN: client (Windows 7)
3.1 Install
As a first step, we download the client software from the official OpenVPN website.
3.2 Configuration
We have to retrieve some files from the server to the client. This is a critical step in terms of security: do not transfer these files over an unencrypted protocol!
Here we use SFTP (SSH File Transfer Protocol) with the FileZilla client:
Retrieve the following files and copy them into "C:\Program Files\OpenVPN\config":
– client1_laptop.key
– client1_laptop.crt
– ca.crt
In the same folder, we create a configuration file "client.ovpn" and edit it:
    service openvpn start

If everything is OK, you should see this:
    tail -n 100 /var/log/messages
The client should be able to communicate with the server. Note: the OpenVPN client should be started with Administrator rights.
At this step, the server is not yet forwarding traffic to/from the Internet; the clients don't have Internet access.
6. Traffic forwarding
To allow the server to forward traffic between the clients and the Internet, we will use the Packet Filter (PF) firewall.
To enable automatic start, we edit the rc.conf file:
    #Firewall
    pf_enable="YES"
    pf_rules="/etc/pf.conf"

Create the PF rules:
    vpn_net = "10.8.0.0/24"
    vpn_if = "tun0"
    ext_if = "em0"
    # ---- NAT rules ---- #
    nat on $ext_if inet from $vpn_net to any -> $ext_if
    # ---- Default policy ---- #
    block in
    # ---- Loopback ---- #
    pass on lo0 all
    # ---- ICMP ---- #
    pass in on $ext_if proto icmp
    # ---- SSH ---- #
    pass in on $ext_if proto tcp from any to $ext_if port 22
    # ---- HTTP ---- #
    pass in on $ext_if proto tcp from any to $ext_if port 80
    # ---- OPENVPN ---- #
    pass in on $ext_if proto tcp from any to $ext_if port 443
    pass out quick
    pass in on $vpn_if from any to any

Load the kernel module:
    service pf start
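As an added consistency check, not part of the original article, this Python script parses excerpts of the openvpn.conf from section 2 and the pf.conf above (embedded as constructed copies), expands the PF macros, and verifies that the VPN network, port and protocol agree between the two files and that a NAT rule exists for the VPN network. It also reports two settings in this configuration that a reviewer would question: the 1024-bit DH parameters (size inferred from the file name, an assumption of this check) and comp-lzo.

```python
import re
import ipaddress
# Constructed excerpts of the article's openvpn.conf and pf.conf.
OPENVPN_CONF = """\
;local a.b.c.d
port 443
proto tcp
dh dh1024.pem
server 10.8.0.0 255.255.255.0
comp-lzo
"""
PF_CONF = """\
vpn_net = "10.8.0.0/24"
ext_if = "em0"
nat on $ext_if inet from $vpn_net to any -> $ext_if
pass in on $ext_if proto tcp from any to $ext_if port 443
"""

def parse_openvpn(text):
    # Map each directive to its argument lists, skipping ';' and '#' comments.
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            key, *args = line.split()
            conf.setdefault(key, []).append(args)
    return conf

def check(ovpn_text, pf_text):
    ovpn = parse_openvpn(ovpn_text)
    macros = dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', pf_text, re.M))  # pf macros
    for name, value in macros.items():          # expand $name so rules match literally
        pf_text = pf_text.replace("$" + name, value)
    findings = []
    net, mask = ovpn["server"][0]
    vpn_net = ipaddress.ip_network(f"{net}/{mask}")
    if ipaddress.ip_network(macros.get("vpn_net", "0.0.0.0/32")) != vpn_net:
        findings.append("pf vpn_net does not match the OpenVPN 'server' network")
    port, proto = ovpn["port"][0][0], ovpn["proto"][0][0]
    if not re.search(rf"^pass in .*proto {proto} .*port {port}$", pf_text, re.M):
        findings.append(f"no pf pass rule admits {proto}/{port} to the server")
    if not re.search(rf"^nat on .* from {re.escape(str(vpn_net))} ", pf_text, re.M):
        findings.append("no nat rule for the VPN network; clients cannot reach the Internet")
    # DH size inferred from the easy-rsa file name (dh<bits>.pem); verify with openssl dhparam.
    m = re.match(r"dh(\d+)\.pem", ovpn.get("dh", [[""]])[0][0])
    if m and int(m.group(1)) < 2048:
        findings.append(f"DH parameters are only {m.group(1)} bits; generate 2048 or more")
    if "comp-lzo" in ovpn:
        findings.append("comp-lzo enables compression, which OpenVPN now advises against")
    return findings
```

Run check() against the two real files after every edit to either of them; an empty list means port, protocol, network and NAT are consistent.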
Hi friend.
Good day.
I followed your manual; I have been able to ping between the machines of the virtual network and the internal network, but I cannot see the shared resources of my internal network.
Can you help me? Is something missing in the configuration?
Regards!
Hello!
Sorry, I don't speak much Spanish.
For me, if you can ping between the machines of the virtual network and the internal network, the configuration is good.
Access to shared files with OpenVPN (in TUN mode) is a common problem. You have to adjust the Samba configuration (the Windows file sharing protocol).
https://openvpn.net/index.php/open-source/documentation/howto.html#samba
http://www.ehowenespanol.com/samba-openvpn-como_250285/
Thanks for taking the trouble to answer me; one more question came up.
My VPN network is 10.8.0.0/24 and my internal network is 10.10.10.0/24; the PC that has the OpenVPN server installed is 10.10.10.20, but the shared resources are on IP 10.10.10.30.
So, to access the shared resources of 10.10.10.20, do I have to configure Samba on the OpenVPN server 10.10.10.20?
Thanks in advance, friend.
By the way, if I ping from the internal network 10.10.10.0/24 to the VPN network 10.8.0.0/24 there is no response, but if I ping from the VPN network to the internal network there is a response.
Regards!
Hello,
For me, this is completely normal.
VPN -> LAN:
Default gateway: VPN server
Routing from the VPN network to the LAN: routed
LAN -> VPN:
Default gateway: LAN gateway (router?)
Routing from the VPN network to the LAN: not routed
For the Samba server, add the VPN IP network to the configuration.
Example for you:
hosts allow = 10.10.10.0/24 10.8.0.0/24 127.0.0.1
Regards!
How's it going, Fontenay.
I was able to solve the problem; the Samba configuration was not necessary. What happened is that I couldn't access the shared resources if I entered the machine name \\name_server\share_name\, but if I enter the machine's IP I can access \\10.10.10.30\share_name\.
Thanks for everything.
Regards!
Very good, thanks.
Which DNS is used for the OpenVPN clients?
See this line of the configuration:
push "dhcp-option DNS 8.8.8.8"
These are Google's DNS servers. You should use the ones on your LAN (probably your gateway).
Ronan
I have another issue: when I connect two clients it gives me the same IP on both machines, and that means I can't see the shared resources; I have to disconnect one machine to be able to access the shared resources.
Regards!
Hello,
Try clearing the ipp.txt file. This file is used to always assign the same IPs to the same clients. You can also disable this feature by commenting out the line "ifconfig-pool-persist ipp.txt".
Regards!
19 pass in on $vpn_if from any to any
# service pf start
Enabling pf
No ALTQ support in kernel
ALTQ related functions disabled
/etc/pf.conf:19: syntax error
pfctl: Syntax error in config file: pf rules not loaded
No ALTQ support in kernel
ALTQ related functions disabled
———————————————
19 pass in on $vpn_if inet from any to any
# service pf start
Enabling pf
No ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
Newbie,
Replace your line:
19 : pass in on $vpn_if inet from any to any
by:
19 : pass in on $vpn_if from any to any
🙂