CS & IT Solutions

This howto is a quick a dirty guide to building OpenVPN on a FreeBSD box (running pf as the firewall), and then connecting a Windows XP client to it.

Server Install

First install the port

cd /usr/ports/security/openvpn
make install

Now that the port is installed you can start setting stuff up.

First edit your /etc/rc.conf and add the following line:-

openvpn_enable=”YES”

Now create the config files, which we will place in /usr/local/etc/openvpn:-

cd /usr/local/etc/
mkdir openvpn
cd openvpn

vim openvpn.conf

Place this into your config file:-

# Specify device
dev tun

# Server and client IP and Pool
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Certificates for VPN Authentication
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem

# Routes to push to the client
push "route 192.168.0.0 255.255.255.0"

# Use compression on the VPN link
comp-lzo

# Make the link more resistant to connection failures

keepalive 10 60
ping-timer-rem
persist-tun
persist-key

# Run OpenVPN as a daemon and drop privileges to user/group nobody user nobody
group nobody
daemon

Creating Certificates

cp -r /usr/local/share/doc/openvpn/easy-rsa /home/myuser/ cd /home/myuser/easy-rsa

Now edit the “vars” file to set your specific details and set the environment variables you have just created and build the Certificate Authority certificates:-

NOTE: Very Important Step for FreeBSD/TCSH users

FreeBSD ships with tcsh as its native shell, at the time of writing the following scripts do not work. To get around this you must drop down to a bourne shell. To do this just type the following at a prompt:-

sh

Now you can carry on with building the certificates, once you have built them you can exit back out to tcsh.

. vars
./clean-all
./build-ca

You will have to answer a few questions on the last step, once this has been done your CA certs will be created in the keys subdirectory.

Generate certificate & key for server:-

./build-key-server server

Again answer the questions and the certs will be placed in the keys subdirectory.

Generate certificates & keys for 3 clients (each client will require their own certificates, if multiple clients log in with the same certs then they will be assigned the same ips and will kick each other off the network):-

Generating client certificates is very similar to the previous step. You need to ensure that all your details are the same as for the CA, apart from the common name, which needs to be different for each client. For the sake of clarity this should relate to person who is assigned this vpn certificate. All of these details can be found in keys/server.crt for the server and keys/client*.crt for the client details.

./build-key client1
./build-key client2
./build-key client3

Generate Diffie Hellman parameters

Diffie Hellman parameters must be generated for the OpenVPN server:-

./build-dh

Now copy the whole keys directory to /usr/local/etc/openvpn:-

cp -r keys /usr/local/etc/openvpn/

Logging

Before starting OpenVPN I also moved the logging (which defaults to /var/log/messages). Edit syslog.conf:-

vim /etc/syslog.conf

Add the following entry:-

!openvpn
*.*    /var/log/openvpn.log

Create log file:-

touch /var/log/openvpn.log

Restart syslogd:-

killall -HUP syslogd

Now start OpenVPN:-

/usr/local/etc/rc.d/openvpn.sh start

Check /var/log/openvpn.log for errors, then check that the device has been created. Mine looks like this:-

[achilles] ~# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet6 fe80::2d0:b7ff:fe49:b2bb%tun0 prefixlen 64 scopeid 0x5
inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
Opened by PID 43878

Firewall Configuration

Now we need to alter PF to handle the VPN, below are the relevant sections of my /etc/pf.conf file:-

# VPN Interface
<code>vpn_if="tun0"

# VPN Network
<code>vpn_network="10.8.0.0/24"

# NAT the VPN connections (for access to the remote secure networks)
nat on $ext_if from $vpn_network to any -> ($ext_if)

# VPN connections inbound
pass in on $ext_if proto udp from any to port 1194 keep state
pass quick on $vpn_if

Now restart PF and your server will be ready for connections

Client setup

First download and install the GUI version of the client, which can be found here:-

http://www.openvpn.se

Once this is installed you will need to copy the following files from your server /usr/local/etc/openvpn/keys directory to the Windows PC C:\Program Files\Openvpn\config directory (this should be done in as secure a manner as possible, i.e. USB Stick or floppy rather than email!!!):-

ca.crt
client1.crt
client1.key

NOTE: For the next client you will need to copy the client2.crt and client2.key files to prevent issues later.

Create config file:-

create a myvpn.ovpn file in C:\Program Files\Openvpn\config and insert the following:-

client
remote my.openvpn.server 1194
dev tun
comp-lzo

ca ca.crt
cert client1.crt
key client1.key

# Set log file verbosity.
verb 3

Turn off the firewall for the new Interface:-

On Windows XP, the firewall can be accessed by Control Panel -> Security Center -> Windows Firewall -> Advanced. In the Network Connection Settings control, uncheck the box corresponding to the TAP-Win32 adapter.

Now right-click the OpenVPN Icon in your Taskbar and click “connect”. Once connected try pinging the remote interface and check (using tracert) that the remote network is available. Use tcpdump on the server to check traffic too:-

tcpdump -tt -i tun0

More Information:-

OpenVPN website http://www.openvpn.net

source here