- Update Port Collection
portsnap fetch update
if it is the first time,
portsnap fetch extract - Install OpenSSL
cd /usr/ports/security/openssl
make install clean - Edit /etc/make.conf, and add
DEFAULT_VERSIONS+=ssl=openssl - Install OpenVPN, easyrsa
cd /usr/ports/security/easy-rsa
make install clean
cd /usr/ports/security/openvpn
make install clean - Create Configuration directory and copy sample configuration file
mkdir -p /usr/local/etc/openvpn/easy-rsa
mkdir /usr/local/etc/openvpn/server
cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/server/
cp -r /usr/local/share/easy-rsa/* /usr/local/etc/openvpn/easy-rsa/ - Edit /usr/local/etc/openvpn/easy-rsa/vars and set your information for SSL
set_var EASYRSA_REQ_COUNTRY "HK"
set_var EASYRSA_REQ_PROVINCE "Kowloon"
set_var EASYRSA_REQ_CITY "San Po Kong"
set_var EASYRSA_REQ_ORG "Laws Cloud Infrastructure Limited"
set_var EASYRSA_REQ_EMAIL "demo@example.com"
set_var EASYRSA_REQ_OU "VPN Department"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650 - Initialize PKI
cd /usr/local/etc/openvpn/easy-rsa
sh ./easyrsa.real init-pki - Build CA Certificate, key, certificate file
sh ./easyrsa.real build-ca
sh ./easyrsa.real build-server-full server nopass
sh ./easyrsa.real build-client-full client nopass
sh ./easyrsa.real gen-dh
openvpn --genkey --secret /usr/local/etc/openvpn/easy-rsa/pki/ta.key
cp -r /usr/local/etc/openvpn/easy-rsa/pki/{ca.crt,dh.pem,ta.key,issued,private} /usr/local/etc/openvpn/server/
- Edit /usr/local/etc/openvpn/server/server.conf
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/server/ca.crt
cert /usr/local/etc/openvpn/server/issued/server.crt
key /usr/local/etc/openvpn/server/private/server.key # This file should be kept secret
dh /usr/local/etc/openvpn/server/dh.pem
topology subnet
server 192.168.101.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
keepalive 10 120
tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is secret
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
;comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth sha512
remote-cert-tls client - Create log directory
mkdir /var/log/openvpn/ - Edit /etc/rc.conf and enable OpenVPN
firewall_enable="YES"
firewall_type="open"
gateway_enable="YES"
natd_enable="YES"
natd_interface="em1"
natd_flags="-dynamic -m"
openvpn_enable=YES
openvpn_configfile="/usr/local/etc/openvpn/server/server.conf"
**em1 is the outgoing network adapter. If you are not sure, check the line that bind your IP
ifconfig_em1="inet 10.10.10.10 netmask 255.255.255.0"
Network adapter name is the string after ifconfig_ (and before = )
- Set up client ovpn profile
client
tls-client
pull
dev tun
proto udp
remote IP-address-of-your-VPN 1194
resolv-retry infinite
nobind
dhcp-option DNS 1.1.1.1
user nobody
group nogroup
persist-key
persist-tun
key-direction 1
tls-auth ta.key 1
compress
verb 3
auth SHA512
remote-cert-tls server
<ca>
content of /usr/local/etc/openvpn/server/ca.crt
</ca>
<cert>
content of /usr/local/etc/openvpn/server/issued/client.crt
</cert>
<key>
content of /usr/local/etc/openvpn/server/private/client.key
</key>
<tls-auth>
content of /usr/local/etc/openvpn/server/ta.key
</tls-auth>
key-direction 1
Optional: (Enable Radius Authen)
- Install OpenVPN Radius Plugin
cd /usr/ports/security/openvpn-auth-radius
make install clean - Copy Sample plugin configure to OpenVPN configuration directory
cp /usr/local/share/examples/openvpn-auth-radius/radiusplugin.cnf /usr/local/etc/openvpn/server - Edit /usr/local/etc/openvpn/server/radiusplugin.cnf. Find OpenVPNConfig and set to
OpenVPNConfig=/usr/local/etc/openvpn/server/server.conf
and bottom, find server { and change the port, IP and secret phase to
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The name or ip address of the radius server.
name=IP-or-hostname.of.your.radius
# How many times should the plugin send the if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret.
sharedsecret=secret-phase-for-free-radius
} - Edit Openvpn config file (server.conf). Add the following to the end of file
plugin /usr/local/lib/radiusplugin.so /usr/local/etc/openvpn/server/radiusplugin.cnf - Edit Client ovpn file and add the following line
auth-user-pass