OpenVPN with FreeBSD, PF and Windows XP

This howto is a quick and dirty guide to building OpenVPN on a FreeBSD box (running pf as the firewall), and then connecting a Windows XP client to it.

Server Install

First install the port

cd /usr/ports/security/openvpn
make install

Now that the port is installed you can start setting stuff up.

First edit your /etc/rc.conf and add the following line:-

openvpn_enable="YES"

Now create the config files, which we will place in /usr/local/etc/openvpn:-

cd /usr/local/etc/
mkdir openvpn
cd openvpn

vim openvpn.conf

Place this into your config file:-

# Specify device
dev tun

# Server and client IP and Pool
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Certificates for VPN Authentication
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem

# Routes to push to the client
push "route 192.168.0.0 255.255.255.0"

# Use compression on the VPN link
comp-lzo

# Make the link more resistant to connection failures

keepalive 10 60
ping-timer-rem
persist-tun
persist-key

# Run OpenVPN as a daemon and drop privileges to user/group nobody
user nobody
group nobody
daemon

Creating Certificates

cp -r /usr/local/share/doc/openvpn/easy-rsa /home/myuser/
cd /home/myuser/easy-rsa

Now edit the "vars" file to set your specific details, then source it to set the environment variables you have just defined and build the Certificate Authority certificates:-

NOTE: Very Important Step for FreeBSD/TCSH users

FreeBSD ships with tcsh as its native shell, and at the time of writing the following scripts do not work under it. To get around this you must drop down to a Bourne shell. To do this just type the following at a prompt:-

sh

Now you can carry on with building the certificates, once you have built them you can exit back out to tcsh.

. vars
./clean-all
./build-ca

You will have to answer a few questions on the last step, once this has been done your CA certs will be created in the keys subdirectory.

Generate certificate & key for server:-

./build-key-server server

Again answer the questions and the certs will be placed in the keys subdirectory.

Generate certificates & keys for 3 clients. Each client requires its own certificate: if multiple clients log in with the same certificate they will be assigned the same IP and will kick each other off the network:-

Generating client certificates is very similar to the previous step. You need to ensure that all your details are the same as for the CA, apart from the common name, which needs to be different for each client. For the sake of clarity this should relate to the person who is assigned this VPN certificate. All of these details can be found in keys/server.crt for the server and keys/client*.crt for the clients.

./build-key client1
./build-key client2
./build-key client3

Generate Diffie Hellman parameters

Diffie Hellman parameters must be generated for the OpenVPN server:-

./build-dh

Now copy the whole keys directory to /usr/local/etc/openvpn:-

cp -r keys /usr/local/etc/openvpn/

Logging

Before starting OpenVPN I also moved the logging (which defaults to /var/log/messages). Edit syslog.conf:-

vim /etc/syslog.conf

Add the following entry:-

!openvpn
*.* /var/log/openvpn.log

Create log file:-

touch /var/log/openvpn.log

Restart syslogd:-

killall -HUP syslogd

Now start OpenVPN:-

/usr/local/etc/rc.d/openvpn.sh start

Check /var/log/openvpn.log for errors, then check that the device has been created. Mine looks like this:-

[achilles] ~# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet6 fe80::2d0:b7ff:fe49:b2bb%tun0 prefixlen 64 scopeid 0x5
inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
Opened by PID 43878

Firewall Configuration

Now we need to alter PF to handle the VPN, below are the relevant sections of my /etc/pf.conf file:-

# VPN Interface
vpn_if="tun0"

# VPN Network
vpn_network="10.8.0.0/24"

# NAT the VPN connections (for access to the remote secure networks)
nat on $ext_if from $vpn_network to any -> ($ext_if)

# VPN connections inbound
pass in on $ext_if proto udp from any to port 1194 keep state
pass quick on $vpn_if

Now restart PF and your server will be ready for connections.

Client setup

First download and install the GUI version of the client, which can be found here:-

http://www.openvpn.se

Once this is installed you will need to copy the following files from your server /usr/local/etc/openvpn/keys directory to the Windows PC C:\Program Files\Openvpn\config directory (this should be done in as secure a manner as possible, i.e. USB Stick or floppy rather than email!!!):-

ca.crt
client1.crt
client1.key

NOTE: For the next client you will need to copy the client2.crt and client2.key files to prevent issues later.

Create config file:-

Create a myvpn.ovpn file in C:\Program Files\Openvpn\config and insert the following:-

client
remote my.openvpn.server 1194
dev tun
comp-lzo

ca ca.crt
cert client1.crt
key client1.key

# Set log file verbosity.
verb 3

Turn off the firewall for the new Interface:-

On Windows XP, the firewall can be accessed by Control Panel -> Security Center -> Windows Firewall -> Advanced. In the Network Connection Settings control, uncheck the box corresponding to the TAP-Win32 adapter.

Now right-click the OpenVPN Icon in your Taskbar and click “connect”. Once connected try pinging the remote interface and check (using tracert) that the remote network is available. Use tcpdump on the server to check traffic too:-

tcpdump -tt -i tun0

More Information:-

OpenVPN website http://www.openvpn.net

Disclaimer

Please be aware that these “howtos” are generally a work in progress so please feel free to add comments!


14 Responses to “OpenVPN with FreeBSD, PF and Windows XP”

  1. admin says on :

    Intrested in running OpenVPN in Bridged mode? Then check out this website:-

    http://rmccurdy.com/scripts/openvpn%20freebsd%20bridged.html

    Courtesy of http://rmccurdy.com

  2. Daniel Craig says on :

    Hi there, I was looking around for a while searching for remote network security and I happened upon this site and your post regarding OpenVPN with FreeBSD, PF and Windows XP. I will definitely add this to my remote network security bookmarks!

  3. Robert says on :

    Thanks so much, those firewall rules were just what I needed!

  4. Virtual Private Networking Quick Notes | RootBSD blog says on :

    [...] Connecting a Windows machine to the FreeBSD gated VPN is a little more work. Probably the simplest of all solutions is OpenVPN again (http://www.openvpn.se/), install notes (http://www.openvpn.se/install.txt). I found a fairly good guide to doing all the setup on both ends right here which should get you up and running (http://www.ubergeek.co.uk/blog/2008/05/openvpn-freebsd-pf-windows-howto/). [...]

  5. tyndall.id.au » Blog Archive » FreeBSD VPN Server says on :

    [...] http://www.ubergeek.co.uk/blog/2008/05/openvpn-freebsd-pf-windows-howto/ [...]

  6. JohnnyCashout says on :

    thanks, this guide proved very helpful to me

  7. Ludwig Loh says on :

    Hi, thank you very much for this detailed howto. I hope it's OK that I translate it into Swedish and post it to my blog http://www.lweb.se

  8. admin says on :

    Hi Ludwig, please be my guest!

    Glad it was helpful.

  9. lweb.se » OpenVPN den enkla vägen says on :

    [...] From: http://www.ubergeek.co.uk/blog/2008/05/openvpn-freebsd-pf-windows-howto/ [...]

  10. Ludwig says on :

    Thank you! Translated it today.

  11. andri says on :

    thanks, it works hehehe

  12. Troels Just says on :

    Very cool HOWTO, however I’m a total goof when it comes to pf, would it be possible for you to post the entire pf.conf file you use? Because I don’t quite know what other than the bit you mention that I ought to put in there.

  13. admin says on :

    Hi Troels

    It's a long time since I wrote this howto and I have lots of machines with different pf.conf setups. What sort of setup are you trying to achieve?

  14. Troels Just says on :

    I’m doing basically just a stand-alone VPN server doing ethernet bridging, on an existing network (It’s not an Internet gateway doing NAT or anything), I have OpenVPN set up so that clients use the Soekris router as their default gateway. I have my network set up like this:

    Internet --> WRT54GL --> Soekris net5501 with pfSense -->
    |-- 24-port switch --> VPN server
    |-- WRT54GL

    There's two wireless routers on this network, the second one acts just like a regular access point, doesn't do NAT or anything on its own, the Soekris machine allows clients to log on the wireless network and get an IP via DHCP (Different range from the internal network), and nothing else, except connecting to 10.0.1.7 on port 1194, which is the VPN on the internal network. Once users log onto that, they are part of the internal network, and can get on the Internet and the like. The VPN server also allows for people on the Internet to connect to it. So that I could go to China, and keep my liberty in cyberspace. ;)
    The only thing it does is VPN, so I would like to limit traffic to only VPN, SSH and pings. So far this is what I’ve got:

    ## Macros
    eth_if="gem0"
    vpn_if="tun0"

    ## Options
    set block-policy return
    set skip on lo0
    scrub in all
    antispoof quick for { $eth_if, $vpn_if }

    ## Filtering rules
    block in all
    pass out log all

    pass inet proto icmp all icmp-type { echoreq, unreach }

    pass in log on $eth_if proto tcp to ($eth_if) port 22
    pass in log on $eth_if proto udp to ($eth_if) port 1194
    pass in log on $vpn_if

    But the VPN doesn’t work with that enabled.
