Install OpenVPN on a FreeBSD system

1. Update the Ports Collection

# Refresh an already-extracted Ports Collection snapshot (first-time setup differs, see below).
portsnap fetch update

If this is the first time the Ports Collection is being fetched, run instead:

# First-time setup: fetch the snapshot and extract the whole Ports Collection under /usr/ports.
portsnap fetch extract

2. Install OpenSSL

# Build and install OpenSSL from ports; "clean" removes the build work directory afterwards.
cd /usr/ports/security/openssl
make install clean

3. Edit /etc/make.conf, and add

DEFAULT_VERSIONS+=ssl=openssl

4. Install easy-rsa and OpenVPN

# easy-rsa (the PKI tooling used in steps 7-8) first, then OpenVPN itself, both from ports.
# With DEFAULT_VERSIONS ssl=openssl set in step 3 these builds link against the ports OpenSSL.
cd /usr/ports/security/easy-rsa
make install clean
cd /usr/ports/security/openvpn
make install clean

5. Create the configuration directories and copy the sample configuration files

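# -p on both mkdirs so the step can be re-run without "File exists" errors
# (the original second mkdir had no -p and failed on a second run).
mkdir -p /usr/local/etc/openvpn/easy-rsa
mkdir -p /usr/local/etc/openvpn/server
# Sample server config, edited in step 9.
cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/server/
# Private working copy of the easy-rsa scripts and the vars template (edited in step 6),
# so the PKI is kept out of the package-managed share directory.
cp -r /usr/local/share/easy-rsa/* /usr/local/etc/openvpn/easy-rsa/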

6. Edit /usr/local/etc/openvpn/easy-rsa/vars and set the certificate subject information used for every certificate issued below

# Subject fields (C, ST, L, O, emailAddress, OU) written into every certificate request.
set_var EASYRSA_REQ_COUNTRY     "HK"
set_var EASYRSA_REQ_PROVINCE    "Kowloon"
set_var EASYRSA_REQ_CITY        "San Po Kong"
set_var EASYRSA_REQ_ORG         "Laws Cloud Infrastructure Limited"
set_var EASYRSA_REQ_EMAIL       "demo@example.com"
set_var EASYRSA_REQ_OU          "VPN Department"
# RSA key length in bits for the CA key and every issued key.
set_var EASYRSA_KEY_SIZE	2048
# Validity in days of the CA certificate and of issued certificates (3650 days is about 10 years).
set_var EASYRSA_CA_EXPIRE	3650
set_var EASYRSA_CERT_EXPIRE	3650

7. Initialize the PKI

# Run from the easy-rsa directory so the vars file edited in step 6 is picked up;
# init-pki creates an empty pki/ tree (an existing pki/ is removed after confirmation).
cd /usr/local/etc/openvpn/easy-rsa
sh ./easyrsa.real init-pki

8. Build the CA certificate and key, the server and client certificates and keys, the DH parameters and the TLS-auth key

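# Interactive: build-ca prompts for a CA key passphrase and the CA common name.
sh ./easyrsa.real build-ca
# "nopass" leaves the server and client private keys unencrypted so the daemon can
# start unattended; protect them with file permissions instead (chmod below).
sh ./easyrsa.real build-server-full server nopass
sh ./easyrsa.real build-client-full client nopass
sh ./easyrsa.real gen-dh
# Static HMAC key for tls-auth, shared by the server and every client profile.
openvpn --genkey --secret /usr/local/etc/openvpn/easy-rsa/pki/ta.key
# Copy only what the server (and the client profile assembled in step 12) needs.
# Deliberately NOT copied: pki/private/ca.key. The original "cp -r ... private"
# dragged the CA signing key into the running server's directory; a compromised
# server could then mint new client certificates. Keep ca.key in the PKI, ideally
# offline. Explicit file lists replace {a,b} brace expansion, which FreeBSD /bin/sh lacks.
mkdir -p /usr/local/etc/openvpn/server/issued /usr/local/etc/openvpn/server/private
cp pki/ca.crt pki/dh.pem pki/ta.key /usr/local/etc/openvpn/server/
cp pki/issued/server.crt pki/issued/client.crt /usr/local/etc/openvpn/server/issued/
cp pki/private/server.key pki/private/client.key /usr/local/etc/openvpn/server/private/
# Private keys and the tls-auth key are read by OpenVPN as root: root-only is enough.
chmod 700 /usr/local/etc/openvpn/server/private
chmod 600 /usr/local/etc/openvpn/server/private/server.key /usr/local/etc/openvpn/server/private/client.key /usr/local/etc/openvpn/server/ta.key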

9. Edit /usr/local/etc/openvpn/server/server.conf

# OpenVPN server configuration (based on the sample server.conf copied in step 5).
# The certificate/key paths refer to the files copied out of the easy-rsa PKI in step 8.
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/server/ca.crt
cert /usr/local/etc/openvpn/server/issued/server.crt
key /usr/local/etc/openvpn/server/private/server.key  # This file should be kept secret (root-only permissions)
dh /usr/local/etc/openvpn/server/dh.pem
topology subnet
# Clients get addresses from 192.168.101.0/24; the server takes .1.
server 192.168.101.0 255.255.255.0
# Relative path: resolved against the daemon's working directory (no "cd" is set here)
# and it must stay writable after the drop to user nobody — an absolute path is safer.
ifconfig-pool-persist ipp.txt
# Route all client traffic through the VPN; relies on forwarding and NAT from step 11.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Lets several clients connect with the same certificate (step 8 builds a single
# "client" cert). Trade-off: no per-client revocation or accounting — issue one
# certificate per client and drop this line if you need either.
duplicate-cn
keepalive 10 120
# Second argument is the key direction: 0 on the server, 1 in the client profile.
tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is secret (root-only permissions)
# NOTE(review): on OpenVPN 2.4+ the data cipher is negotiated (AES-256-GCM by default)
# and this line only sets the fallback for peers without negotiation; on 2.5+ the
# data-ciphers directive is the preferred way to express this.
cipher AES-256-CBC
# NOTE(review): the OpenVPN project advises against compressing VPN traffic
# (VORACLE-class attacks on compressed encrypted data); consider removing these
# three lines together with the "compress" line in the client profile.
compress lz4-v2
push "compress lz4-v2"
;comp-lzo
max-clients 100
# Drop privileges after start-up; persist-key/persist-tun keep the keys and the tun
# device across restarts, which is needed once root privileges are gone.
user nobody
group nobody
persist-key
persist-tun
# Both files live in the directory created in step 10.
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
# HMAC digest for the data channel and tls-auth; the client profile must match (auth SHA512).
auth sha512
# Require the peer certificate to carry the client EKU (build-client-full sets it),
# so a leaked server certificate cannot be used to connect as a client.
remote-cert-tls client

10. Create the log directory

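# -p: no error if the directory already exists (the original failed on re-run).
# server.conf's "status" and "log-append" files are written here; OpenVPN opens them
# at start-up while still root, so a root-owned directory is expected to work —
# verify if the status file stops updating after the drop to user nobody.
mkdir -p /var/log/openvpn/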

11. Edit /etc/rc.conf to enable forwarding, NAT and OpenVPN

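# ipfw has to be enabled for natd's divert rule; firewall_type "open" passes every
# other packet unfiltered. NOTE(review): replace "open" with a filename holding your
# own ruleset once the VPN works, otherwise the host is not firewalled at all.
firewall_enable="YES"
firewall_type="open"
# Forward packets between interfaces (VPN clients <-> em1).
gateway_enable="YES"
# natd masquerades VPN client traffic behind em1's address; -dynamic follows address
# changes on that interface, -m tries to keep source port numbers.
natd_enable="YES"
natd_interface="em1"
natd_flags="-dynamic -m"
# Quoted for consistency with the other values (unquoted YES also works in rc.conf).
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server/server.conf"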

  **em1** is the outbound (public-facing) network adapter. If you are not sure which one that is, look for the rc.conf line that binds your IP address, for example:

# Example rc.conf line binding the address; the adapter name is the text between "ifconfig_" and "=" (em1 here).
ifconfig_em1="inet 10.10.10.10 netmask 255.255.255.0"

The adapter name is the string after `ifconfig_` and before `=` (here, em1).

12. Set up the client .ovpn profile

# Client profile (.ovpn) with the CA, client certificate, key and tls-auth key embedded inline.
client
tls-client
pull
dev tun
proto udp
# Public IP address or hostname of the VPN server; the port must match "port" in server.conf.
remote IP-address-of-your-VPN 1194
resolv-retry infinite
nobind
dhcp-option DNS 1.1.1.1
# Privilege drop on the client. "nogroup" is the Debian/Ubuntu group name; on
# FreeBSD (and most other systems) use "group nobody", as server.conf does.
user nobody
group nogroup
persist-key
persist-tun
# Client side of the tls-auth key (the server uses direction 0).
key-direction 1
# NOTE(review): the inline <tls-auth> block below supplies the same key, so this
# file reference looks redundant (presumably the later inline block wins — verify);
# keeping only the inline form removes the dependency on a ta.key file next to the profile.
tls-auth ta.key 1
# NOTE(review): pairs with "compress lz4-v2" on the server; see the VORACLE note there — drop both together.
compress
verb 3
# Must match "auth sha512" in server.conf.
auth SHA512
# Require the server certificate to carry the server EKU (build-server-full sets it).
remote-cert-tls server
# Paste the PEM text of each file between the tags; the "content of ..." lines are placeholders.
<ca>
content of /usr/local/etc/openvpn/server/ca.crt
</ca>
<cert>
content of /usr/local/etc/openvpn/server/issued/client.crt
</cert>
<key>
content of /usr/local/etc/openvpn/server/private/client.key
</key>
<tls-auth>
content of /usr/local/etc/openvpn/server/ta.key
</tls-auth>
# Duplicate of the key-direction line above; redundant, one of the two can go.
key-direction 1

Optional: enable RADIUS authentication

13. Install the OpenVPN RADIUS plugin

# Build and install the RADIUS authentication plugin for OpenVPN from ports.
cd /usr/ports/security/openvpn-auth-radius
make install clean

14. Copy the sample plugin configuration to the OpenVPN configuration directory

# Sample plugin configuration, edited in step 15 and referenced from server.conf in step 16.
cp /usr/local/share/examples/openvpn-auth-radius/radiusplugin.cnf /usr/local/etc/openvpn/server

15. Edit /usr/local/etc/openvpn/server/radiusplugin.cnf. Find OpenVPNConfig and set it to

OpenVPNConfig=/usr/local/etc/openvpn/server/server.conf

then, at the bottom of the file, find the server { block and set the ports, the RADIUS server address and the shared secret:

# The RADIUS server the plugin sends authentication and accounting requests to.
server
{
	# The UDP port for radius accounting.
	acctport=1813
	# The UDP port for radius authentication.
	authport=1812
	# The name or ip address of the radius server.
	name=IP-or-hostname.of.your.radius
	# How many times should the plugin resend the request if there is no response?
	retry=1
	# How long should the plugin wait for a response?
	wait=1
	# The shared secret; must match the client entry for this host on the RADIUS server.
	# NOTE(review): RADIUS only obfuscates the user password with this secret, so use a
	# long random value and keep the path to the RADIUS server on a trusted network.
	sharedsecret=secret-phase-for-free-radius
}

16. Edit the OpenVPN server configuration file (server.conf) and add the following line at the end of the file

# Load the RADIUS plugin with the configuration from steps 14-15. This adds a
# username/password check on top of the client certificate check; it does not replace it.
plugin /usr/local/lib/radiusplugin.so /usr/local/etc/openvpn/server/radiusplugin.cnf

17. Edit the client .ovpn file and add the following line

# Prompt for the username and password that the server-side RADIUS plugin (step 16) verifies.
auth-user-pass