How to Set Up a VPN Server Using OpenVPN on the FreeBSD Operating System

This article provides a step-by-step guide on how to set up a VPN server using OpenVPN on FreeBSD, a popular Unix-like operating system.

In today’s interconnected world, privacy and security are paramount. Whether you’re a business professional, a remote worker, or simply someone who values online privacy, setting up a Virtual Private Network (VPN) server can be an excellent way to secure your internet connection. A VPN encrypts your internet traffic, making it difficult for third parties to intercept or monitor your online activities. One of the most popular and reliable tools for setting up a VPN server is OpenVPN, an open-source software that provides robust security and flexibility.

In this article, we will walk you through the process of setting up an OpenVPN server on FreeBSD, a powerful and secure Unix-like operating system. FreeBSD is known for its performance, scalability, and advanced networking capabilities, making it an ideal choice for hosting a VPN server. By the end of this guide, you will have a fully functional OpenVPN server running on FreeBSD, ready to secure your internet connections.

Prerequisites

Before we dive into the setup process, ensure that you have the following prerequisites in place:

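  1. A FreeBSD Server: You need a FreeBSD server with root access. This can be a physical machine, a virtual private server (VPS), or a cloud instance. The commands in this guide are prefixed with sudo, which is not part of the FreeBSD base system; install the sudo package first or run the commands as root.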
  2. Basic Knowledge of FreeBSD: Familiarity with FreeBSD’s package management, file system, and command-line interface will be helpful.
  3. Static IP Address or Domain Name: Your server should have a static IP address or a domain name that points to it. This is necessary for clients to connect to the VPN server.
  4. OpenVPN Client Software: You will need OpenVPN client software installed on the devices you plan to connect to the VPN (e.g., Windows, macOS, Linux, Android, or iOS).

Step 1: Update FreeBSD and Install OpenVPN

Before installing any software, it’s a good practice to update your FreeBSD system to ensure that you have the latest security patches and software updates.

  1. Update the FreeBSD System:

    sudo freebsd-update fetch
    sudo freebsd-update install
    
  2. Update the Package Repository:

    sudo pkg update
    
  3. Install OpenVPN:

    sudo pkg install openvpn
    

    This command installs OpenVPN along with its dependencies.

Step 2: Configure the OpenVPN Server

Once OpenVPN is installed, the next step is to configure the server. OpenVPN uses configuration files to define how the server should operate.

  1. Copy the Sample Configuration File: OpenVPN provides sample configuration files that you can use as a starting point. Create the /usr/local/etc/openvpn directory if it does not exist yet, then copy the sample server configuration into it:

    sudo mkdir -p /usr/local/etc/openvpn
    sudo cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/
    
  2. Edit the Server Configuration File: Open the server.conf file in a text editor:

    sudo ee /usr/local/etc/openvpn/server.conf
    

    Here are some key settings you may want to modify:

    • Port: By default, OpenVPN uses port 1194. You can change this to any unused port if needed.

      port 1194
      
    • Protocol: OpenVPN can use either UDP or TCP. UDP is generally faster, but TCP can be more reliable in some network conditions.

      proto udp
      
    • Network Settings: Define the private IP address range that the VPN will use. For example:

      server 10.8.0.0 255.255.255.0
      
    • Encryption: OpenVPN supports various encryption methods. The default settings are usually sufficient, but you can customize them if needed.

      cipher AES-256-CBC
      
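    • Authentication: Enable TLS authentication (tls-auth) for added security. It adds an HMAC signature to the TLS handshake packets using a pre-shared static key, ta.key, which must be present on the server and on every client.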

      tls-auth ta.key 0
      
    • Client Configuration: Push DNS settings to clients to ensure their traffic is routed through the VPN.

      push "dhcp-option DNS 8.8.8.8"
      push "dhcp-option DNS 8.8.4.4"
      

    Save and close the file when you’re done.

Step 3: Generate Certificates and Keys

OpenVPN uses Public Key Infrastructure (PKI) to authenticate clients and servers. You need to generate a Certificate Authority (CA) certificate, a server certificate, and client certificates.

  1. Install Easy-RSA: Easy-RSA is a utility that simplifies the process of generating certificates and keys. Install it using the following command:

    sudo pkg install easy-rsa
    
  2. Set Up the PKI Directory: Copy the Easy-RSA sample files to a new directory:

    sudo cp -r /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa
    
  3. Edit the vars File: Navigate to the Easy-RSA directory and edit the vars file to set your organization’s details:

    cd /usr/local/etc/openvpn/easy-rsa
    sudo ee vars
    

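    Set the following lines to reflect your organization. Easy-RSA 3, which provides the easyrsa command used below, reads set_var entries, and it only applies the organizational fields when EASYRSA_DN is set to "org":

    set_var EASYRSA_DN           "org"
    set_var EASYRSA_REQ_COUNTRY  "US"
    set_var EASYRSA_REQ_PROVINCE "CA"
    set_var EASYRSA_REQ_CITY     "San Francisco"
    set_var EASYRSA_REQ_ORG      "Your Organization"
    set_var EASYRSA_REQ_EMAIL    "admin@yourorganization.com"
    set_var EASYRSA_REQ_OU       "IT"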
    
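  4. Generate the Certificates and Keys: Run the following commands to generate the CA certificate, server certificate, Diffie-Hellman parameters, and the ta.key static key that the tls-auth setting from Step 2 expects (the last command uses the OpenVPN 2.5 and later syntax):

    sudo ./easyrsa init-pki
    sudo ./easyrsa build-ca
    sudo ./easyrsa build-server-full server nopass
    sudo ./easyrsa gen-dh
    sudo openvpn --genkey tls-auth pki/ta.key

    These commands will create the necessary files in the pki directory. The nopass option stores server.key without a passphrase so that the service can start unattended, so the file must stay readable by root only.

  5. Copy the Certificates and Keys: Copy the generated files to the OpenVPN configuration directory:

    sudo cp pki/ca.crt /usr/local/etc/openvpn/
    sudo cp pki/issued/server.crt /usr/local/etc/openvpn/
    sudo cp pki/private/server.key /usr/local/etc/openvpn/
    sudo cp pki/dh.pem /usr/local/etc/openvpn/
    sudo cp pki/ta.key /usr/local/etc/openvpn/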
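
Before starting the service in Step 5, it is worth confirming that every file server.conf refers to exists and that the secret ones are not readable by other users. The following sh script is an added example, not part of the original guide or of OpenVPN; check_conf and demo_check are hypothetical names, and it assumes relative file names resolve against the configuration file's directory.

```sh
#!/bin/sh
# Added example (not from the article): preflight for an OpenVPN server config.
# Assumption: relative file names resolve against the config's own directory.

# check_conf CONF -> one line per problem on stdout; returns the problem
# count (1 if CONF itself is unreadable).
check_conf() {
    conf=$1; problems=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    dir=$(dirname "$conf")
    for d in ca cert key dh tls-auth; do
        # First active use of the directive; '#' and ';' comment lines never match.
        file=$(awk -v d="$d" '$1 == d { print $2; exit }' "$conf")
        # Directive absent, or "dh none" (ECDH only), means nothing to check.
        [ -n "$file" ] && [ "$d:$file" != dh:none ] || continue
        case $file in /*) path=$file ;; *) path=$dir/$file ;; esac
        if [ ! -f "$path" ]; then
            echo "$d: $path is missing"; problems=$((problems + 1))
            continue
        fi
        # Secret material must not be readable by group or other.
        case $d in key|tls-auth)
            if [ -n "$(find "$path" \( -perm -040 -o -perm -004 \))" ]; then
                echo "$d: $path is group/world readable"
                problems=$((problems + 1))
            fi ;;
        esac
    done
    return "$problems"
}

# Constructed test directory: ta.key is absent and server.key is mode 644.
demo_check() {
    t=$(mktemp -d) || return 1
    printf '%s\n' 'port 1194' 'proto udp' 'ca ca.crt' 'cert server.crt' \
        'key server.key' 'dh dh.pem' ';dh none' 'tls-auth ta.key 0' \
        > "$t/server.conf"
    for f in ca.crt server.crt server.key dh.pem; do : > "$t/$f"; done
    chmod 600 "$t"/*; chmod 644 "$t/server.key"
    rc=0; check_conf "$t/server.conf" || rc=$?
    rm -rf "$t"; return "$rc"
}
```

On the server, call check_conf /usr/local/etc/openvpn/server.conf; it prints nothing and returns 0 when all referenced files are in place with safe permissions.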
    

Step 4: Configure the Firewall

FreeBSD uses pf (Packet Filter) as its default firewall. You need to configure pf to allow OpenVPN traffic.

  1. Edit the pf.conf File: Open the pf.conf file in a text editor:

    sudo ee /etc/pf.conf
    
  2. Add the Following Rules: Add the following rules to allow OpenVPN traffic (assuming you’re using the default port 1194 and UDP protocol):

    pass in quick proto udp from any to any port 1194
    pass out quick proto udp from any to any port 1194
    
  3. Reload the Firewall: Reload the firewall to apply the new rules:

    sudo pfctl -f /etc/pf.conf
    

Step 5: Enable and Start the OpenVPN Service

Now that everything is configured, you can enable and start the OpenVPN service.

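  1. Enable the OpenVPN Service: Add the following lines to /etc/rc.conf to enable OpenVPN at boot. The rc script looks for /usr/local/etc/openvpn/openvpn.conf by default, so the second line points it at the server.conf file created in Step 2:

    openvpn_enable="YES"
    openvpn_configfile="/usr/local/etc/openvpn/server.conf"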
    
  2. Start the OpenVPN Service: Start the OpenVPN service using the following command:

    sudo service openvpn start
    

    You can check the status of the service to ensure it’s running:

    sudo service openvpn status
    

Step 6: Generate Client Configuration Files

Each client that connects to the VPN needs a configuration file and a certificate. You can generate these using Easy-RSA.

  1. Generate a Client Certificate: From the Easy-RSA directory used in Step 3 (/usr/local/etc/openvpn/easy-rsa), run the following command to generate a client certificate (replace client1 with your desired client name):

    sudo ./easyrsa build-client-full client1 nopass
    
  2. Create a Client Configuration File: Create a new directory for client configuration files:

    sudo mkdir /usr/local/etc/openvpn/clients
    

    Copy the sample client configuration file to the new directory:

    sudo cp /usr/local/share/examples/openvpn/sample-config-files/client.conf /usr/local/etc/openvpn/clients/client1.ovpn
    

    Edit the client1.ovpn file to include the client certificate and key:

    sudo ee /usr/local/etc/openvpn/clients/client1.ovpn
    

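    Set the remote line to your server’s address and port, comment out the sample’s ca, cert, key, and tls-auth lines (they point to separate files), and add the following lines to the file. The tls-auth block and key-direction 1 are the client side of the tls-auth ta.key 0 setting on the server:

    <ca>
    -----BEGIN CERTIFICATE-----
    (Contents of ca.crt)
    -----END CERTIFICATE-----
    </ca>

    <cert>
    -----BEGIN CERTIFICATE-----
    (Contents of client1.crt)
    -----END CERTIFICATE-----
    </cert>

    <key>
    -----BEGIN PRIVATE KEY-----
    (Contents of client1.key)
    -----END PRIVATE KEY-----
    </key>

    key-direction 1
    <tls-auth>
    -----BEGIN OpenVPN Static key V1-----
    (Contents of ta.key)
    -----END OpenVPN Static key V1-----
    </tls-auth>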
    

    Save and close the file.

  3. Transfer the Client Configuration File: Securely transfer the client1.ovpn file to the client device. The file contains the client’s private key, so use scp or another encrypted method.
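
Pasting certificate and key contents by hand is error-prone, so the profile can also be assembled by a script. This added example (not from the original guide or the OpenVPN project) strips the sample's file-based ca, cert, key and tls-auth lines and inlines the four files; pem_only, build_ovpn and demo_profile are hypothetical names, and the demo inputs are constructed placeholders.

```sh
#!/bin/sh
# Added example: assemble a single-file OpenVPN client profile.
# Function names and the demo inputs are assumptions made for illustration.

# Print only the BEGIN..END block(s) of a file. Easy-RSA's issued/*.crt and
# OpenVPN's ta.key can both carry extra text above the armoured block.
pem_only() {
    awk '/^-----BEGIN /{p=1} p{print} /^-----END /{p=0}' "$1"
}

# build_ovpn BASE CA CERT KEY TA -> profile on stdout, non-zero on missing input
build_ovpn() {
    base=$1; ca=$2; cert=$3; key=$4; ta=$5
    for f in "$base" "$ca" "$cert" "$key" "$ta"; do
        [ -r "$f" ] || { echo "build_ovpn: cannot read $f" >&2; return 1; }
    done
    # Remove file-based directives so they cannot conflict with inline blocks.
    sed -E '/^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]/d' "$base"
    # The server uses "tls-auth ta.key 0"; the client side is direction 1.
    echo 'key-direction 1'
    for pair in "ca:$ca" "cert:$cert" "key:$key" "tls-auth:$ta"; do
        tag=${pair%%:*}; file=${pair#*:}
        printf '<%s>\n' "$tag"; pem_only "$file"; printf '</%s>\n' "$tag"
    done
}

# Constructed inputs (placeholders, not real key material).
demo_profile() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'client' 'remote vpn.example.com 1194' 'ca ca.crt' \
        'cert client.crt' 'key client.key' 'tls-auth ta.key 1' > "$d/base"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CA-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$d/ca"
    printf '%s\n' 'Certificate:' '    Data: text dump' \
        '-----BEGIN CERTIFICATE-----' 'CERT-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$d/crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY-PLACEHOLDER' \
        '-----END PRIVATE KEY-----' > "$d/key"
    printf '%s\n' '# 2048 bit OpenVPN static key' \
        '-----BEGIN OpenVPN Static key V1-----' 'TA-PLACEHOLDER' \
        '-----END OpenVPN Static key V1-----' > "$d/ta"
    rc=0; build_ovpn "$d/base" "$d/ca" "$d/crt" "$d/key" "$d/ta" || rc=$?
    rm -rf "$d"; return "$rc"
}
```

Run build_ovpn under umask 077 and redirect its output to client1.ovpn, since the result embeds the client's private key.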

Step 7: Connect to the VPN

On the client device, install the OpenVPN client software and import the client1.ovpn file. Once imported, connect to the VPN using the client software.

Conclusion

Setting up an OpenVPN server on FreeBSD is a straightforward process that provides a secure and private internet connection for you and your clients. By following this guide, you have configured an OpenVPN server, generated certificates, and set up client configurations. With your VPN server up and running, you can now enjoy enhanced privacy and security for your online activities.

Remember to regularly update your FreeBSD system and OpenVPN software to protect against vulnerabilities. Additionally, consider implementing additional security measures, such as two-factor authentication or intrusion detection systems, to further secure your VPN server.

By taking the time to set up a VPN server, you are investing in your online privacy and security, ensuring that your internet connections remain private and protected from prying eyes.