VPN server (OpenVPN) on FreeBSD for Windows clients

1. Introduction : VPN system

We’ll describe the procedure to install a VPN server (OpenVPN) on a FreeBSD 10.1 server for Windows 7 clients.

This VPN will be configured for road warrior clients :
– 100% of the clients' outgoing traffic will transit through the VPN server.
– 100% of the clients' outgoing traffic will be encrypted before leaving the client computer.

I use this system to secure my connection when using untrusted networks (public WiFi) and to avoid constraints and limitations in some countries.

2. OpenVPN : server (FreeBSD 10.1)

2.1 Install

OpenVPN installation :

vi /etc/rc.conf

Add these lines :

To verify that traffic forwarding is enabled on the running server (without rebooting) :

sysctl -a | grep net.inet.ip.forwarding

Create the OpenVPN configuration folder from the sample server configuration, then switch to sh and initialise easy-rsa :

cd /usr/local/etc
mkdir openvpn
cd /usr/local/share/examples/openvpn/sample-config-files/
cp server.conf /usr/local/etc/openvpn/openvpn.conf
cd /usr/local/share/easy-rsa/
sh
. ./vars
./clean-all

Build the certificate authority (CA) :

Generating a 1024 bit RSA private key
......................++++++
.................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:FR
State or Province Name (full name) [CA]:MyRegion
Locality Name (eg, city) [SanFrancisco]:MyCity
Organization Name (eg, company) [Fort-Funston]:MyCompany
Organizational Unit Name (eg, section) [changeme]:IT
Common Name (eg, your name or your server's hostname) [changeme]:MyHostname
Name [changeme]:MyName
Email Address [mail@host.domain]:MyEmail

Server private key and certificate generation :

Generating a 1024 bit RSA private key
......++++++
........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:FR
State or Province Name (full name) [CA]:MyRegion
Locality Name (eg, city) [SanFrancisco]:MyCity
Organization Name (eg, company) [Fort-Funston]:MyCompany
Organizational Unit Name (eg, section) [changeme]:IT
Common Name (eg, your name or your server's hostname) [server]:MyHostname
Name [changeme]:MyName
Email Address [mail@host.domain]:MyEmail

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/share/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'FR'
stateOrProvinceName :PRINTABLE:'MyRegion'
localityName :PRINTABLE:'MyCity'
organizationName :PRINTABLE:'MyCompany'
organizationalUnitName:PRINTABLE:'IT'
commonName :PRINTABLE:'MyHostname'
name :PRINTABLE:'MyName'
emailAddress :IA5STRING:'MyEmail'
Certificate is to be certified until Mar 12 03:23:58 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generation of our first client key :

Generating a 1024 bit RSA private key
...................++++++
...............++++++
writing new private key to 'client1_laptop.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:FR
State or Province Name (full name) [CA]:MyRegion
Locality Name (eg, city) [SanFrancisco]:MyCity
Organization Name (eg, company) [Fort-Funston]:MyCompany
Organizational Unit Name (eg, section) [changeme]:IT
Common Name (eg, your name or your server's hostname) [client1_laptop]:
Name [changeme]:MyName
Email Address [mail@host.domain]:MyEmail

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/share/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'FR'
stateOrProvinceName :PRINTABLE:'MyRegion'
localityName :PRINTABLE:'MyCity'
organizationName :PRINTABLE:'MyCompany'
organizationalUnitName:PRINTABLE:'IT'
commonName :T61STRING:'client1_laptop'
name :PRINTABLE:'MyName'
emailAddress :IA5STRING:'MyEmail'
Certificate is to be certified until Mar 12 03:30:26 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the Diffie-Hellman parameters :

This is going to take a long time
.................+..............+..+.....................

We copy the generated files (ca.crt, server.crt, server.key and dh1024.pem) into the OpenVPN folder and back up the sample configuration before editing it :

cp /usr/local/etc/openvpn/openvpn.conf /usr/local/etc/openvpn/openvpn.conf.bak

We can now edit this configuration :

;local a.b.c.d
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 208.67.220.220"
client-to-client
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
;mute 20
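As an added example (not code from the original article), the Python script below parses a constructed excerpt of the server configuration above and reports the road-warrior hardening points that follow from it: the two push directives, the privilege drop to user/group nobody, the DH parameter size, compression, and the absence of tls-auth/tls-crypt. The 2048-bit DH threshold and the tls-auth/tls-crypt check are the editor's assumptions, not settings taken from the page.

```python
import re

# Constructed excerpt of the server configuration shown on this page
# (only the directives the checks look at; comments kept to exercise the parser).
SAMPLE_CONF = """\
;local a.b.c.d
port 443
key server.key # This file should be kept secret
dh dh1024.pem
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
comp-lzo
user nobody
group nobody
"""

def parse_openvpn(text):
    """Map each directive to the list of its argument strings ('#'/';' start comments)."""
    conf = {}
    for raw in text.splitlines():
        line = re.split(r"^[#;]|\s[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        key, _, args = line.partition(" ")
        conf.setdefault(key, []).append(args.strip())
    return conf

def audit(conf):
    """Return findings for a road-warrior profile (all client traffic via the tunnel)."""
    findings = []
    pushes = conf.get("push", [])
    if not any("redirect-gateway" in p for p in pushes):
        findings.append("no redirect-gateway push: client traffic bypasses the tunnel")
    if not any("dhcp-option DNS" in p for p in pushes):
        findings.append("no DNS push: clients keep using the untrusted local resolver")
    if conf.get("user") != ["nobody"] or conf.get("group") != ["nobody"]:
        findings.append("daemon does not drop to user/group nobody after startup")
    bits = re.search(r"\d+", conf.get("dh", [""])[0])
    if bits and int(bits.group()) < 2048:  # editor's threshold, not from the page
        findings.append(f"DH parameters are {bits.group()} bits: regenerate with >= 2048")
    if "comp-lzo" in conf:
        findings.append("comp-lzo: compression is deprecated in current OpenVPN releases")
    if "tls-auth" not in conf and "tls-crypt" not in conf:  # editor's assumption
        findings.append("no tls-auth/tls-crypt: control channel has no pre-shared HMAC")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_openvpn(SAMPLE_CONF)):
        print("WARN:", finding)
```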

3. OpenVPN : client (Windows 7)

3.1 Install

As a first step, we download the client software from the official OpenVPN website.

3.2 Configuration

We have to retrieve some files from the server to our client. This is a critical step security-wise : do not transfer these files over an unencrypted protocol !

Here we use SFTP (SSH File Transfer Protocol) with the FileZilla client.

Retrieve the following files and copy them into “C:\Program Files\OpenVPN\config” :
– client1_laptop.key
– client1_laptop.crt
– ca.crt

In the same folder, we create a configuration file “client.ovpn” and edit it :

On the server, start the service :

service openvpn start

If everything is OK, you should see the connection in the server log :

tail -n 100 /var/log/messages

11 thoughts on “VPN server (OpenVPN) on FreeBSD for Windows clients”

  1. Hello friend.

    Good day.

    I followed your guide; I can now ping between the machines on the virtual network and the internal network, but I cannot see the shared resources of my internal network.

    Can you help me? Is something missing from the configuration?

    Regards!

  2. Hello!

    Sorry, I don't speak much Spanish.

    In my opinion, if you can ping between the machines on the virtual network and the internal network, the configuration is good.

    Access to file shares over OpenVPN (in TUN mode) is a common problem. You have to adjust the Samba configuration (the Windows file sharing protocol).

    https://openvpn.net/index.php/open-source/documentation/howto.html#samba
    http://www.ehowenespanol.com/samba-openvpn-como_250285/

    1. Thanks for taking the trouble to answer me; one more question came up.

      My VPN network is 10.8.0.0/24 and my internal network is 10.10.10.0/24. The PC with the OpenVPN server installed is 10.10.10.20, but the shared resources are on the IP 10.10.10.30.

      So, to access the shared resources of 10.10.10.20, do I have to configure Samba on the OpenVPN server 10.10.10.20?

      Thanks in advance, friend.

      1. By the way, if I ping from the internal network 10.10.10.0/24 to the VPN network 10.8.0.0/24 there is no response, but if I ping from the VPN network to the internal network there is a response.

        Regards!

        1. Hello,

          To me, this is completely normal.

          VPN -> LAN:
          Default gateway: VPN server
          Routing from the VPN network to the LAN: routed

          LAN -> VPN
          Default gateway: LAN gateway (router?)
          Routing from the VPN network to the LAN: not routed

          For the Samba server, add the VPN IP network to the configuration.

          Example for you :
          hosts allow = 10.10.10.0/24 10.8.0.0/24 127.0.0.1

          Regards!

  3. How's it going, Fontenay.

    I was able to solve the problem; the Samba configuration was not necessary. What happened is that I could not access the shared resources when I used the machine name \\name_server\share_name\, but if I use the machine's IP I can access \\10.10.10.30\share_name\.

    Thanks for everything.

    Regards!

  4. Very good, thanks.

    Which DNS is used for the OpenVPN clients?

    See this line of the configuration :
    push “dhcp-option DNS 8.8.8.8”

    These are Google's DNS servers. You should use the ones on your LAN (probably your gateway).

    Ronan

    1. I have another issue: when I connect two clients it gives the same IP to both machines, and that causes me not to be able to see the shared resources; I have to disconnect one machine to be able to access the shared resources.

      Regards!

      1. Hello,

        Try clearing the ipp.txt file. This file is used to always assign the same IPs to the same clients. You can also disable this feature by commenting out the line “ifconfig-pool-persist ipp.txt”.

        Regards!

  5. 19 pass in on $vpn_if from any to any

    # service pf start
    Enabling pfNo ALTQ support in kernel
    ALTQ related functions disabled
    /etc/pf.conf:19: syntax error
    pfctl: Syntax error in config file: pf rules not loaded
    No ALTQ support in kernel
    ALTQ related functions disabled

    ———————————————

    19 pass in on $vpn_if inet from any to any

    # service pf start
    Enabling pfNo ALTQ support in kernel
    ALTQ related functions disabled
    No ALTQ support in kernel
    ALTQ related functions disabled

    1. Newbie,

      Replace your line :

      19 : pass in on $vpn_if inet from any to any

      By :

      19 : pass in on $vpn_if from any to any

      🙂
