Monday, October 15, 2012

Setting up OpenVPN on FreeBSD

I've found a few tricks to help improve OpenVPN setup on FreeBSD. First off, there's a reasonably good Perl script that makes the process a bit easier: install the security/ssl-admin port.

Next, set up your /usr/local/etc/openvpn/server.conf file:

proto udp
port 1194
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 172.17.2.0 255.255.255.0

# Makes a local area network available to other clients
# This could be the IP block of your home network
push "route 192.168.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
comp-lzo
client-to-client
duplicate-cn
user nobody
group nobody
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 4
crl-verify /usr/local/etc/openvpn/crl.pem
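As an added example (not from the original post), here is a small POSIX sh audit of a server.conf like the one above. It flags the directives whose presence or absence matters for security: missing crl-verify or privilege drop, a privilege drop without persist-key/persist-tun, duplicate-cn, and tunnel compression. It assumes grep -E is available and one directive per line; the sample config it checks is a constructed, trimmed copy of the post's.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenVPN server.conf
# for the security-relevant directives the post relies on.
# Assumes POSIX sh with grep -E and one directive per line.

# True if $2 (an ERE such as "crl-verify") starts an uncommented line of $1.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Prints one WARN line per finding; the if-chains always leave status 0.
audit_openvpn_conf() {
    conf="$1"
    if ! has_directive "$conf" crl-verify; then
        echo "WARN: no crl-verify: certificates revoked in ssl-admin are still accepted"
    fi
    if ! has_directive "$conf" user || ! has_directive "$conf" group; then
        echo "WARN: no user/group: the daemon keeps root after initialisation"
    elif ! has_directive "$conf" persist-key || ! has_directive "$conf" persist-tun; then
        echo "WARN: privileges dropped without persist-key/persist-tun: key and tun cannot be reopened on restart"
    fi
    if has_directive "$conf" duplicate-cn; then
        echo "WARN: duplicate-cn: one client certificate may connect from many hosts at once, so a copied client key is hard to notice"
    fi
    if has_directive "$conf" "(comp-lzo|compress)"; then
        echo "WARN: tunnel compression enabled: discouraged since the VORACLE compression-oracle attack (2018)"
    fi
}

# Number of findings for a config file (grep -c prints 0 on no match, so mask its exit status).
count_findings() {
    audit_openvpn_conf "$1" | grep -c '^WARN' || true
}

# Demo on a constructed copy of the post's server.conf, trimmed to the checked directives.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
server 172.17.2.0 255.255.255.0
comp-lzo
duplicate-cn
user nobody
group nobody
persist-key
persist-tun
crl-verify /usr/local/etc/openvpn/crl.pem
EOF
audit_openvpn_conf "$demo_conf"   # prints the duplicate-cn and compression warnings
rm -f "$demo_conf"
```

Run it against /usr/local/etc/openvpn/server.conf after editing; the post's own configuration produces exactly the two warnings, and dropping duplicate-cn and comp-lzo produces none.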

Edit /usr/local/etc/ssl-admin/ssl-admin.conf.default and save as ssl-admin.conf in the same directory. Examples for the United States are shown below:

$ENV{'KEY_COUNTRY'} = "US";
$ENV{'KEY_PROVINCE'} = "CA";
$ENV{'KEY_CITY'} = "PASADENA";
$ENV{'KEY_ORG'} = "FOOBAR.NET";
$ENV{'KEY_EMAIL'} = 'CATS@FELINEHA.US';

Next, use the ssl-admin tool to create the server certificates. Launch ssl-admin. You're presented with a "user-friendly" menu, but the menu assumes familiarity with SSL certificate exchange, which isn't really necessary in order to set up a server. When the program first runs, it automatically asks you to create a certificate authority (CA) identity. Make sure you encrypt this CA's private key with a password. Next, choose option dh, then option S. Option S prompts you for an "owner name"; to keep things less confusing, type "server" as the owner name.

Once these certificates have been generated, you'll want to copy them into your OpenVPN configuration directory:

cd /usr/local/etc/ssl-admin/active
sudo cp server.crt server.key ca.crt ../prog/crl.pem ../dh2048.pem /usr/local/etc/openvpn/

Edit /etc/rc.conf and add the lines:

# OpenVPN Server
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"

Configure your firewall to allow traffic into OpenVPN. If you use ipfilter, add the following line to your /etc/ipf.rules file (XXXX stands for your external interface) and then restart the ipfilter service:

# OpenVPN
pass in quick on XXXX proto udp from any to any port = 1194 keep frags

Now you should be able to start the OpenVPN server:

/usr/local/etc/rc.d/openvpn start

Server configuration is complete! Now you can create certificates for clients. I suggest creating /usr/local/etc/openvpn/client.conf:

client
dev tun
proto udp
remote server.felineha.us
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
verb 3

Make a symlink so this configuration is included in the client configuration archive:

ln -s /usr/local/etc/openvpn/client.conf /usr/local/etc/ssl-admin/packages/client.ovpn

Using the ssl-admin tool, choose option (4) to create certificates for a client. The script will prompt you for another owner name -- choose something descriptive of the remote host so that you can tell which certificate belongs to which host.

When the script asks you "Can I move signing request (xxxx.csr) to the csr directory for archiving?", choose Yes. After the script creates the certificate for the remote host, choose option (z).

Although this blog post will get you started, some of the methods used are dated. Apparently Ubuntu 10.10 now allows import of PKCS#12 (.p12) files, which essentially replace the archive created by ssl-admin's option (z).
