Anonymous asked in Computers & InternetSecurity · 1 decade ago

How do you setup OpenVPN with FreeBSD + PF and Windows?

I need to setup an OpenVPN server to provide access to my linux vps hosting cluster , giving windows clients access to the internal network. Does anyone know how to do this?

1 Answer

  • 1 decade ago
    Favorite Answer

    OpenVPN with FreeBSD, PF and Windows

    This howto is a quick a dirty guide to building OpenVPN on a FreeBSD box (running pf as the firewall), and then connecting a Windows XP client to it. Server Install

    [edit] Install the port

    cd /usr/ports/security/openvpn

    make install

    [edit] Start setting stuff up

    First edit your /etc/rc.conf and add the following line:-


    Now create the config files, which we will place in /usr/local/etc/openvpn:-

    cd /usr/local/etc/

    mkdir openvpn

    cd openvpn

    vim openvpn.conf

    Place this into your config file:-

    # Specify device

    dev tun

    # Server and client IP and Pool


    ifconfig-pool-persist ipp.txt

    # Certificates for VPN Authentication

    ca /usr/local/etc/openvpn/keys/ca.crt

    cert /usr/local/etc/openvpn/keys/server.crt

    key /usr/local/etc/openvpn/keys/server.key

    dh /usr/local/etc/openvpn/keys/dh1024.pem

    # Routes to push to the client

    push "route"

    # Use compression on the VPN link


    # Make the link more resistant to connection failures

    keepalive 10 60




    # Run OpenVPN as a daemon and drop privileges to user/group nobody user nobody

    group nobody


    [edit] Creating Certificates

    cp -r /usr/local/share/doc/openvpn/easy-rsa /home/myuser/ cd /home/myuser/easy-rsa

    Now edit the “vars” file to set your specific details and set the environment variables you have just created and build the Certificate Authority certificates:-

    NOTE: Very Important Step for FreeBSD/TCSH users

    FreeBSD ships with tcsh as its native shell, at the time of writing the following scripts do not work. To get around this you must drop down to a bourne shell. To do this just type the following at a prompt:-


    Now you can carry on with building the certificates, once you have built them you can exit back out to tcsh.

    . vars



    You will have to answer a few questions on the last step, once this has been done your CA certs will be created in the keys subdirectory.

    Generate certificate & key for server:-

    ./build-key-server server

    Again answer the questions and the certs will be placed in the keys subdirectory.

    Generate certificates & keys for 3 clients (each client will require their own certificates, if multiple clients log in with the same certs then they will be assigned the same ips and will kick each other off the network):-

    Generating client certificates is very similar to the previous step. You need to ensure that all your details are the same as for the CA, apart from the common name, which needs to be different for each client. For the sake of clarity this should relate to person who is assigned this vpn certificate. All of these details can be found in keys/server.crt for the server and keys/client*.crt for the client details.

    ./build-key client1

    ./build-key client2

    ./build-key client3

    Generate Diffie Hellman parameters

    Diffie Hellman parameters must be generated for the OpenVPN server:-


    Now copy the whole keys directory to /usr/local/etc/openvpn:-

    cp -r keys /usr/local/etc/openvpn/

    [edit] Logging

    Before starting OpenVPN I also moved the logging (which defaults to /var/log/messages). Edit syslog.conf:-

    vim /etc/syslog.conf

    Add the following entry:-


    *.* /var/log/openvpn.log

    Create log file:-

    touch /var/log/openvpn.log

    Restart syslogd:-

    killall -HUP syslogd

    Now start OpenVPN:-

    /usr/local/etc/rc.d/ start

    Check /var/log/openvpn.log for errors, then check that the device has been created. Mine looks like this:-

    [achilles] ~# ifconfig tun0

    tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500

    inet6 fe80::2d0:b7ff:fe49:b2bb%tun0 prefixlen 64 scopeid 0x5

    inet --> netmask 0xffffffff

    Opened by PID 43878

    [edit] Firewall Configuration

    Now we need to alter PF to handle the VPN, below are the relevant sections of my /etc/pf.conf file:-

    # VPN Interface


    # VPN Network


    # NAT the VPN connections (for access to the remote secure networks)

    nat on $ext_if from $vpn_network to any -> ($ext_if)

    # VPN connections inbound

    pass in on $ext_if proto udp from any to port 1194 keep state

    pass quick on $vpn_if

    Now restart PF and your server will be ready for connections

    [edit] Client setup

    First download and install the GUI version of the client, which can be found here:-

    Once this is installed you will need to copy the following files from your server /usr/local/etc/openvpn/keys directory to the Windows PC C:\Program Files\Openvpn\config directory (this should be done in as secure a manner as possible, i.e. USB Stick or floppy rather than email!!!):-




    NOTE: For the next client you will need to copy the client2.crt and client2.key files to prevent issues later.

Still have questions? Get your answers by asking now.