How to Deploy a FreeBSD-Based VPN Gateway on FreeBSD Operating System

Learn how to set up a FreeBSD-based VPN gateway using OpenVPN and IPsec.

Introduction

Virtual Private Networks (VPNs) have become a critical component for secure communication over the internet. FreeBSD, a powerful and highly secure operating system, is an excellent choice for deploying a VPN gateway due to its stability, advanced networking capabilities, and security features. This guide walks you through the process of setting up a FreeBSD-based VPN gateway using OpenVPN and IPsec.

Prerequisites

Before deploying a FreeBSD-based VPN gateway, ensure that you have the following:

  • A system running FreeBSD (preferably the latest stable release)
  • Root or superuser (sudo) access
  • Basic familiarity with FreeBSD commands and networking
  • A static public IP address (recommended)
  • An understanding of firewall and NAT configuration

Choosing a VPN Protocol

FreeBSD supports multiple VPN implementations. The two most commonly used options are:

  1. OpenVPN – open source, highly configurable, uses TLS for its control channel, and works well through NAT.
  2. IPsec (strongSwan) – integrated with the kernel network stack, ideal for site-to-site connections, and can use hardware acceleration.

For most users, OpenVPN is recommended due to its flexibility and ease of configuration, but IPsec is a great alternative for specific use cases.


Setting Up OpenVPN on FreeBSD

Step 1: Install OpenVPN

First, update the system packages and install OpenVPN:

pkg update && pkg upgrade -y
pkg install openvpn easy-rsa

Step 2: Configure Easy-RSA and Generate Certificates

OpenVPN requires certificates for secure communication. Easy-RSA simplifies certificate management.

  1. Copy Easy-RSA to /etc/openvpn:
cp -r /usr/local/share/easy-rsa /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
  2. Initialize the public key infrastructure (PKI), using an elliptic-curve CA:
echo 'set_var EASYRSA_ALGO ec' > vars
echo 'set_var EASYRSA_CURVE secp384r1' >> vars
./easyrsa init-pki
  3. Generate the Certificate Authority (CA); you will be prompted for a CA passphrase and a Common Name:
./easyrsa build-ca
  4. Create the server certificate and key (the "server" type marks the certificate for server use):
./easyrsa gen-req server nopass
./easyrsa sign-req server server
  5. Generate client certificates, one per client:
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
  6. Generate Diffie-Hellman parameters:
./easyrsa gen-dh

Step 3: Configure OpenVPN Server

Create a new OpenVPN configuration file:

mkdir -p /usr/local/etc/openvpn/server
vi /usr/local/etc/openvpn/server/server.conf

Add the following configuration:

port 1194
dev tun
proto udp
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 10.8.0.0 255.255.255.0
# The two files under /var/log/openvpn require that directory to exist
# before the service starts (mkdir -p /var/log/openvpn).
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
# Clients must use the same cipher and auth values. On OpenVPN 2.5 and
# later, data-ciphers AES-256-GCM is the preferred negotiated cipher.
cipher AES-256-CBC
auth SHA256
# Drop root once the tunnel is up; persist-key and persist-tun let the
# unprivileged process keep its key material and tun device across restarts.
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/status.log
verb 3

Step 4: Enable and Start OpenVPN

Enable OpenVPN at boot:

echo 'openvpn_enable="YES"' >> /etc/rc.conf
echo 'openvpn_configfile="/usr/local/etc/openvpn/server/server.conf"' >> /etc/rc.conf

Start the OpenVPN service:

service openvpn start

Step 5: Configure Firewall and NAT

Enable packet forwarding:

echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf
sysctl net.inet.ip.forwarding=1

Configure the PF firewall by editing /etc/pf.conf. PF must already be enabled (pf_enable="YES" in /etc/rc.conf) for the reload below to take effect. igb0 is the public interface here; replace it with yours. tun0 is the device OpenVPN creates, so VPN client traffic enters the host on tun0:

# NAT VPN client traffic out of the public interface
nat on igb0 from 10.8.0.0/24 to any -> (igb0)
# Let clients reach the OpenVPN listener
pass in on igb0 proto udp to port 1194 keep state
# Traffic arriving from VPN clients over the tunnel
pass in on tun0 from 10.8.0.0/24 to any
pass out all keep state
# Note: with no block rule, PF passes everything by default, so the pass
# rules only matter once you add a default block policy.

Reload PF:

service pf reload
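The guide stops at the server side, so here is an added example that is not part of the original page: a POSIX sh function (make_ovpn and its argument names are my own) that assembles a client profile from the Easy-RSA PKI of Step 2, matching the server.conf of Step 3, with the PEM blocks inlined and remote-cert-tls set so the client refuses any peer whose certificate was not signed with the server type. The hostname vpn.example.com is an assumed value.

```shell
#!/bin/sh
# Added example, not from the original guide: build a client .ovpn profile
# from the Easy-RSA PKI (Step 2) matching server.conf (Step 3).
# Usage: make_ovpn /etc/openvpn/easy-rsa/pki client1 vpn.example.com > client1.ovpn
pem() {
    # Keep only the PEM block; Easy-RSA prefixes issued certs with a text dump.
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

make_ovpn() {
    pki=$1 name=$2 host=$3 port=${4:-1194}
    ca="$pki/ca.crt" cert="$pki/issued/$name.crt" key="$pki/private/$name.key"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "make_ovpn: cannot read $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
# Accept only a certificate carrying the server EKU that 'easyrsa sign-req
# server' sets, so a leaked client certificate cannot pose as the gateway.
remote-cert-tls server
# Must match the server's cipher and auth directives.
cipher AES-256-CBC
auth SHA256
verb 3
<ca>
$(pem "$ca")
</ca>
<cert>
$(pem "$cert")
</cert>
<key>
$(pem "$key")
</key>
EOF
}
```

The resulting file contains the client's private key, so hand it to the client over a protected channel and delete the server-side copy afterwards.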

Setting Up IPsec VPN (strongSwan) on FreeBSD

Step 1: Install strongSwan

pkg install strongswan

Step 2: Configure IPsec

Edit the main configuration file:

vi /usr/local/etc/ipsec.conf

Add the following content:

config setup
    uniqueids=never

conn vpn
    keyexchange=ikev2
    left=%defaultroute
    # leftid must appear in the gateway certificate (as a SAN DNS name).
    leftid=@vpn.example.com
    # The gateway authenticates with a certificate. vpnCert.pem is a
    # placeholder name, looked up in /usr/local/etc/ipsec.d/certs.
    leftauth=pubkey
    leftcert=vpnCert.pem
    leftsubnet=0.0.0.0/0
    right=%any
    # Clients authenticate with the EAP username and password defined in
    # ipsec.secrets (Step 3); without rightauth that secret is never used.
    rightauth=eap-mschapv2
    eap_identity=%identity
    rightdns=8.8.8.8
    rightsourceip=10.10.10.0/24
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    dpdaction=clear
    auto=add

Step 3: Generate VPN Credentials

Define the EAP credentials that clients authenticate with (replace supersecurepassword with a long random password) and restrict the file to root, since it holds the password in clear text. The gateway's own private key is referenced in the same file by a line of the form `: RSA vpnKey.pem` (or `: ECDSA ...`, matching the key type of the certificate named in leftcert; the file name is a placeholder, looked up in /usr/local/etc/ipsec.d/private):

echo 'vpnuser : EAP "supersecurepassword"' > /usr/local/etc/ipsec.secrets
chmod 600 /usr/local/etc/ipsec.secrets

Step 4: Enable and Start strongSwan

Enable strongSwan at boot:

echo 'strongswan_enable="YES"' >> /etc/rc.conf

Start the service:

service strongswan start

Conclusion

Deploying a VPN gateway on FreeBSD is straightforward and provides robust security for remote access or site-to-site connections. OpenVPN offers flexibility and ease of use, while strongSwan (IPsec) integrates closely with the kernel network stack. With proper firewall rules and NAT settings in place, you have a secure and reliable VPN gateway.

With this setup, your FreeBSD-based VPN gateway is ready to provide secure communication across networks!