A VPN, or Virtual Private Network, is a private network carried across a public network, meaning the Internet. A VPN provides a secure network connection over the Internet or over a private network owned by a service provider. A VPN is one of the smartest ways to improve your online "PRIVACY". It relies on security protocols such as IPSec (Internet Protocol Security), SSL/TLS (Transport Layer Security) or PPTP (Point-to-Point Tunneling Protocol); you can even use SSH (Secure Shell) to secure a remote connection, usually called port forwarding, but we do not recommend that.
OpenVPN is an open-source project that provides a secure connection through its virtual private network implementation. It is flexible, reliable and secure. OpenVPN uses the OpenSSL library for its encryption and can run over UDP or TCP, with IPv4 and IPv6 support. It is designed to work with the TUN/TAP virtual network interface, which is available on most platforms. OpenVPN gives users several ways to authenticate: username/password based or certificate based.
In this tutorial we will install OpenVPN on FreeBSD 10.2 with certificate-based authentication, so that anyone who holds a valid certificate can use our VPN.
Prerequisites
- FreeBSD 10.2
- Root privileges
Step 1 - Update the System
Before you begin the installation, make sure your system is up to date. Use "freebsd-update" to update it:
freebsd-update fetch
freebsd-update install
Step 2 - Install OpenVPN
You can install OpenVPN from the FreeBSD ports tree in the directory "/usr/ports/security/openvpn/", or with the binary package method using the "pkg" command. In this tutorial I use pkg. Install it with the following command:
pkg install openvpn
The command also installs the "easy-rsa" and "lzo2" packages that OpenVPN needs.
Step 3 - Generate Server Certificate and Keys
We need the "easy-rsa" package, which was installed along with OpenVPN, to generate the server key and certificate.
First make a new directory for OpenVPN and our keys:
mkdir -p /usr/local/etc/openvpn/
Next, copy the easy-rsa directory from "/usr/local/share/" into the OpenVPN directory:
cp -R /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa/
Go to the OpenVPN easy-rsa directory and make all the files there executable with the "chmod" command:
cd /usr/local/etc/openvpn/easy-rsa/
chmod +x *
You must generate the certificates from inside the easy-rsa directory. First load the easy-rsa variables, then run "clean-all" to start with an empty "keys/" directory:
. ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/etc/openvpn/easy-rsa/keys
./clean-all
Next, we want to generate four sets of keys and certificates:
- CA (Certificate Authority) key and certificate
- Server key and certificate
- Client key and certificate
- Diffie-Hellman parameters (necessary for the server end of an SSL/TLS connection)
Generate ca.key
In the easy-rsa directory, run the command below:
./build-ca
Enter your information (state, country, email, etc.) or accept the defaults by pressing "Enter". This command generates ca.key and ca.crt in the "keys/" directory.
Generate server key and certificate
Generate the server key with "build-key-server nameofserverkey"; we use "server" as our server name.
./build-key-server server
Enter your information (state, country, email, etc.) or accept the defaults by pressing "Enter", then type "y" to confirm the information and sign the certificate.
Generate the client key and certificate
Generate the client key and certificate with the "build-key nameofclientkey" command in the easy-rsa directory. In this tutorial we will use "client" as our client name.
./build-key client
Enter your information (state, country, email, etc.) or accept the defaults by pressing "Enter", then type "y" to confirm the information and sign the certificate.
Generate dh parameters
The default size for the DH parameters in FreeBSD 10.2 is 2048 bits. That is strong; you can make it stronger with 4096-bit parameters, but that slows down the handshake.
./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
All certificates are now under the keys directory, "/usr/local/etc/openvpn/easy-rsa/keys/". Finally, copy the keys directory one level up into the OpenVPN directory:
cp -R keys ../
cd ..
ll
total 40
drwxr-xr-x 4 root wheel 512 Sep 21 00:57 easy-rsa
drwx------ 2 root wheel 512 Sep 21 00:59 keys
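Before these keys are used, it is worth confirming that easy-rsa produced what the server and client configuration expect: both certificates chain to ca.crt, each private key matches its certificate, no private key is readable by anyone but root, and the DH file is a valid parameter set. The script below is an added example, not part of the original post or of easy-rsa; it assumes the tutorial's file names (ca, server, client, dh2048.pem) and takes the keys directory as its argument. The make_test_pki function builds a constructed throwaway CA so the checks can be tried offline; it is not meant to be run against the real keys directory.

```sh
#!/bin/sh
# Added example, not part of the original post: sanity-check what easy-rsa
# produced before the keys are copied into place and the service is started.
# Assumes the tutorial's layout (keys/ under /usr/local/etc/openvpn/easy-rsa/)
# and needs only the openssl binary OpenVPN already depends on.

# Is <cert> signed by <ca> (and otherwise valid, e.g. not expired)?
cert_signed_by_ca() {   # cert_signed_by_ca <ca.crt> <x.crt>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the private key belong to the certificate? Compare the RSA moduli.
key_matches_cert() {    # key_matches_cert <x.key> <x.crt>
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Is the file readable by its owner only? easy-rsa creates keys/ as drwx------,
# but a stray chmod or copy can loosen the individual key files.
private_to_owner() {    # private_to_owner <file>
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -004 -o -perm -040 \))" ]
}

# check_easyrsa_keys <keys-dir>: 0 when every check passes, 1 otherwise
check_easyrsa_keys() {
    d=${1:-/usr/local/etc/openvpn/easy-rsa/keys}; rc=0
    for n in server client; do
        cert_signed_by_ca "$d/ca.crt" "$d/$n.crt" || { echo "FAIL: $n.crt is not signed by ca.crt"; rc=1; }
        key_matches_cert "$d/$n.key" "$d/$n.crt" || { echo "FAIL: $n.key does not match $n.crt"; rc=1; }
    done
    for k in ca.key server.key client.key; do
        private_to_owner "$d/$k" || { echo "FAIL: $k is missing or readable by group/others"; rc=1; }
    done
    # build-dh writes dh2048.pem; if present, make sure it parses as a valid DH group
    if [ -f "$d/dh2048.pem" ]; then
        openssl dhparam -noout -check -in "$d/dh2048.pem" >/dev/null 2>&1 \
            || { echo "FAIL: dh2048.pem is not a valid DH parameter file"; rc=1; }
    fi
    return $rc
}

# make_test_pki <dir>: constructed throwaway CA, server and client material so
# the checks can be exercised offline. Never point this at the real keys/.
make_test_pki() {
    d=$1; mkdir -p "$d"
    # minimal openssl config: the CA needs basicConstraints for verify to trust it
    printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$d/ossl.cnf"
    openssl req -x509 -config "$d/ossl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 2 -subj "/CN=Test-CA" -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    for n in server client; do
        openssl req -config "$d/ossl.cnf" -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
        openssl x509 -req -days 2 -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -out "$d/$n.crt" >/dev/null 2>&1
    done
    chmod 600 "$d"/*.key
}
```

On the tutorial's server you would run "check_easyrsa_keys /usr/local/etc/openvpn/keys" after the copy; a non-zero exit with a FAIL line tells you which piece to regenerate before editing server.conf.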
Step 4 - Configure OpenVPN
In this step we configure OpenVPN with the keys and certificates created above. Copy the sample OpenVPN configuration file from "/usr/local/share/examples/openvpn/sample-config-files/" to our OpenVPN directory "/usr/local/etc/openvpn/":
cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/server.conf
cd /usr/local/etc/openvpn/
Next, edit the "server.conf" file with nano; if you do not have it, install it with:
pkg install nano
Now edit the file :
nano -c server.conf
Note: -c shows line numbers in the nano editor.
On line 32, configure the port used by OpenVPN. I will use the default port:
port 1194
I use the UDP protocol, which is the default, on line 36 (the protocol name must be lowercase):
proto udp
Next, go to line 78 to configure the certificate authority (CA), the server certificate and key, and the DH parameters:
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key #our server key
dh /usr/local/etc/openvpn/keys/dh2048.pem
Then configure the private IP network used by OpenVPN and its clients, on line 101. I will leave the default:
server 10.8.0.0 255.255.255.0
Finally, configure the log files, on line 280. We will keep the log files in the "/var/log/openvpn/" directory:
status /var/log/openvpn/openvpn-status.log
and on line 289:
log /var/log/openvpn/openvpn.log
Save and exit. Now create the directory and the files that will store the logs:
mkdir -p /var/log/openvpn/
touch /var/log/openvpn/openvpn.log /var/log/openvpn/openvpn-status.log
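A quick lint of server.conf catches the mistakes that otherwise only show up as a failed "service openvpn start": a directive left out, a key path that does not exist, a server key readable by other users, or a protocol name in the wrong case (OpenVPN compares the proto argument case-sensitively, so "udp" works and "UDP" does not). The script below is an added example, not part of the original post or of OpenVPN; it assumes the directives edited in this step and the file layout used in the tutorial. The sample configuration written by demo_sample_conf is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the original post: check server.conf for the
# directives this tutorial edits before running "service openvpn start".

REQUIRED="port proto dev ca cert key dh server"   # must all be present
FILE_DIRECTIVES="ca cert key dh"                   # arguments must be readable files

# conf_get <conf> <directive>: print the directive's first argument,
# ignoring '#' and ';' comments (OpenVPN accepts both)
conf_get() {
    awk -v d="$2" '{ sub(/[#;].*/, "") } $1 == d { print $2; exit }' "$1"
}

# lint_server_conf <conf>: 0 when every check passes, 1 otherwise
lint_server_conf() {
    conf=$1; rc=0
    for d in $REQUIRED; do
        [ -n "$(conf_get "$conf" "$d")" ] || { echo "MISSING: $d"; rc=1; }
    done
    # OpenVPN matches the proto name case-sensitively: "udp" works, "UDP" is rejected
    p=$(conf_get "$conf" proto)
    case "$p" in
        ""|udp|udp4|udp6|tcp|tcp-server|tcp4-server|tcp6-server) ;;
        *) echo "BAD: proto '$p' (use lowercase, e.g. udp)"; rc=1 ;;
    esac
    for d in $FILE_DIRECTIVES; do
        f=$(conf_get "$conf" "$d")
        [ -z "$f" ] || [ -r "$f" ] || { echo "NOT FOUND: $d $f"; rc=1; }
    done
    # the server's private key must not be readable by group or others
    k=$(conf_get "$conf" key)
    if [ -r "$k" ] && [ -n "$(find "$k" \( -perm -004 -o -perm -040 \))" ]; then
        echo "INSECURE: $k is readable by group/others"; rc=1
    fi
    return $rc
}

# demo_sample_conf: write a constructed config with placeholder key files,
# lint it, then lint a copy carrying a "proto UDP" typo; returns 0 when the
# good config passes and the bad one is rejected
demo_sample_conf() {
    t=$(mktemp -d); mkdir -p "$t/keys"
    for f in ca.crt server.crt server.key dh2048.pem; do echo placeholder > "$t/keys/$f"; done
    chmod 600 "$t/keys/server.key"
    cat > "$t/server.conf" <<EOF
port 1194
proto udp
dev tun
ca $t/keys/ca.crt
cert $t/keys/server.crt
key $t/keys/server.key  # our server key
dh $t/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
EOF
    sed 's/^proto udp/proto UDP/' "$t/server.conf" > "$t/bad.conf"
    lint_server_conf "$t/server.conf" && ! lint_server_conf "$t/bad.conf"
}
```

Run "lint_server_conf /usr/local/etc/openvpn/server.conf" on the tutorial's server; each problem prints one line, and a zero exit means the file references existing key material with sane permissions.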
Step 5 - Enable Port Forwarding and Add OpenVPN to the Startup
To enable IP forwarding on FreeBSD, use the sysctl command:
sysctl net.inet.ip.forwarding=1
Add OpenVPN to the boot sequence by editing the "/etc/rc.conf" file:
nano /etc/rc.conf
Add the lines below to the end of the file:
gateway_enable="YES"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
openvpn_if="tap"
Save and exit.
Step 6 - Start OpenVPN
Start OpenVPN with the service command:
service openvpn start
Check that OpenVPN is running by looking at the port it listens on:
sockstat -4 -l
You can see that port 1194 is open and used by OpenVPN.
Step 7 - Configure the Client
On the client, you need to download these certificate files:
- ca.crt
- client.crt
- client.key
Copy these three files to the home directory and change their ownership to the user you use to log in with SSH:
cd /usr/local/etc/openvpn/keys/
cp ca.crt client.crt client.key /home/myuser/
cd /home/myuser/
chown myuser:myuser ca.crt client.crt client.key
Then download the certificates to your client. I use Linux here, so I just download them with the scp command:
scp myuser@192.168.1.100:~/ca.crt myvpn/
scp myuser@192.168.1.100:~/client.crt myvpn/
scp myuser@192.168.1.100:~/client.key myvpn/
Create the client configuration file:
nano client.ovpn
Add the configuration below:
client
dev tun
proto udp
remote 192.168.1.100 1194 # server IP and port used by OpenVPN
resolv-retry infinite
nobind
user nobody
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
Save and exit.
Now you can see the files that belong to the client:
ll
total 20K
-rw-r--r--. 1 myuser myuser 1.8K Sep 21 03:09 ca.crt
-rw-r--r--. 1 myuser myuser 5.4K Sep 21 03:09 client.crt
-rw-------. 1 myuser myuser 1.7K Sep 21 03:09 client.key
-rw-rw-r--. 1 myuser myuser 213 Sep 20 00:13 client.ovpn
Step 8 - Testing OpenVPN
Now it is time to test OpenVPN. Connect to the OpenVPN server with the client configuration file we created:
cd myvpn/
sudo openvpn --config client.ovpn
We are now connected to the VPN and have the private IP 10.8.0.6.
OpenVPN works successfully.
Another test:
Ping the client's private IP from the FreeBSD server:
ping 10.8.0.6
and from the client, connect over SSH to the FreeBSD server at the private IP of the OpenVPN server, 10.8.0.1:
ssh myuser@10.8.0.1
Everything works; we are connected.
Conclusion
A VPN, or Virtual Private Network, is a secure and private network carried over a public network (the Internet). OpenVPN is an open-source project that implements virtual private network technology; it secures and encrypts your traffic using the OpenSSL libraries. OpenVPN is easy to deploy and install on your own server, and it is one of the best solutions if you want to protect your online "PRIVACY".
The post How to Install and Configure OpenVPN in FreeBSD 10.2 appeared first on LinOxide.