OpenVPN bridge mode under FreeBSD


OpenVPN is probably the most popular semi-non-standard cross-platform VPN solution, with a large number of users and a pure userland implementation. It's pretty easy to set up, but I often forget certain steps, so here's a tutorial for me to remember in the future :)

Keywords: FreeBSD, OpenVPN, networking

I call OpenVPN semi-non-standard because it uses its own protocol instead of L2TP, IPsec or something else blessed by an RFC. OpenVPN takes care to be secure and offers some flexibility in how it's used: either a network-bridge mode (L2) or a routed mode (L3). For more details, I'll direct you to the project's documentation, but for now, here's how to set it up on FreeBSD in a few easy steps:

#1 - Install it. It's in /usr/ports/security/openvpn. The default configuration is reasonable.

#2 - Create an SSL CA. That is, if you don't already have one. Then create a certificate for your server and one for each of your client machines. OpenVPN uses SSL certificates to mutually authenticate clients and servers.

#3 - Create an rc.d symlink. This step is necessary both on the server and on the client. Go to /usr/local/etc/rc.d and do:

    ln -s openvpn openvpn_mynet

"mynet" is the name you give to your VPN.

#4 - Enable it in /etc/rc.conf. This symlink will be used by the /etc/rc system to start the OpenVPN client (or server), so you need to enable it by adding a line like this to /etc/rc.conf:

    openvpn_mynet_enable="YES"

#5 - Create the server config file. Create a file named openvpn_mynet.conf in the /usr/local/etc/openvpn directory, containing lines such as these:

    port 1194
    proto udp
    dev tap0
    ca mycacert.pem
    cert server.crt.pem
    key server.key.pem
    dh dh1024.pem
    server-bridge 192.168.1.1 255.255.255.0 192.168.1.250 192.168.1.254
    comp-lzo
    ifconfig 192.168.1.249 255.255.255.0

You need to copy the SSL certificates and the key to this directory, and also create the dh1024.pem file with a command such as:

    openssl dhparam -out dh1024.pem 1024

Two caveats on that listing. 1024-bit DH parameters are considered too weak today; generate at least 2048 bits (openssl dhparam -out dh2048.pem 2048) and point the "dh" line at that file. Compression (comp-lzo) is also best left off on current OpenVPN releases: it is deprecated, and compressing plaintext that mixes secrets with attacker-supplied data lets an attacker recover the secrets from ciphertext sizes.

Note the following system-specific configuration. We use "dev tap0" because in my setup I have the following in my /etc/rc.conf:

    cloned_interfaces="tap0 tap1 bridge0"
    ifconfig_tap0="inet 192.168.1.249/24"
    ifconfig_bridge0="addm tap0 addm tap1 addm em0 up"

I'm creating two tap devices (I actually have two OpenVPN networks on this machine) and bridging them all with em0. The ifconfig_tap0 line isn't actually necessary, since the config line "ifconfig 192.168.1.249 255.255.255.0" will set the IP address on the tap interface being configured. You can also use just "dev tap" instead of "dev tap0", and the tap interface will be auto-created by OpenVPN, but then you need to bridge it manually. Alternatively, you can use "dev tun" to create an L3 tunnel, which doesn't need bridging but needs IP routing.

Our private network range (the address pool handed out to VPN clients) is 192.168.1.250-192.168.1.254. Our gateway interface is 192.168.1.1.

#6 - Create the client config file. Create a file named exactly the same (openvpn_mynet.conf) on the client, and add lines such as the following to it:

    client
    dev tap
    proto udp
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca mycacert.pem
    cert client.crt
    key client.key.pem
    comp-lzo

The client also needs a "remote" line naming the server's address and port (for example "remote vpn.example.com 1194"), or it has nowhere to connect. Adding "remote-cert-tls server" makes the client check that the peer's certificate was issued as a server certificate, so another client's certificate signed by the same CA cannot be used to impersonate the server.

This is enough for a Windows client, which will do the right thing and create an interface that gets its address from the server (you just need to make sure the certificates and the private key are also copied; the OpenVPN Windows GUI gets confused if they are not). You could also add a line such as the following to have the client use a static address:

    ifconfig 192.168.1.150 255.255.255.0

You can start the server and the client with the same command:

    service openvpn_mynet start

(because the config file will determine whether the machine is a client or a server), and that should be all. Enjoy!
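To tie steps #3 to #6 together, here is an added example in POSIX sh; it is not code from the original post or from the OpenVPN project. It assumes a VPN named mynet, a LAN interface em0, the 192.168.1.0/24 addresses used above, a hypothetical server hostname vpn.example.com and a hypothetical script name openvpn-stage.sh. It renders the rc.conf fragment and the server and client configs into a staging directory instead of touching the live system, decides from each config whether the host will act as a client or a server (the decision the single "service openvpn_mynet start" command relies on), and goes a little beyond the text by flagging the settings worth fixing before use: compression left on, a client with no "remote" line, a client without "remote-cert-tls server", and a server with no "dh" line.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenVPN project.
# Assumed names: VPN "mynet", LAN interface em0, server host vpn.example.com.

VPN=mynet

# rc.conf fragment: clone the tap and bridge devices, bridge them with the
# LAN interface ($1) and enable the openvpn_<name> rc.d symlink.
render_rc_conf() {
    cat <<EOF
cloned_interfaces="tap0 bridge0"
ifconfig_bridge0="addm tap0 addm $1 up"
openvpn_${VPN}_enable="YES"
EOF
}

# Server config: $1 is the tap device, $2 the DH parameter file.
render_server_conf() {
    cat <<EOF
port 1194
proto udp
dev $1
ca mycacert.pem
cert server.crt.pem
key server.key.pem
dh $2
server-bridge 192.168.1.1 255.255.255.0 192.168.1.250 192.168.1.254
ifconfig 192.168.1.249 255.255.255.0
EOF
}

# Client config: $1 is the server address; remote-cert-tls pins the server role.
render_client_conf() {
    cat <<EOF
client
dev tap
proto udp
remote $1 1194
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
ca mycacert.pem
cert client.crt
key client.key.pem
EOF
}

# Print "server", "client" or "unknown" for the config file in $1, mirroring
# how OpenVPN itself decides its role from the directives in the file.
conf_role() {
    if grep -Eq '^server(-bridge)?( |$)' "$1"; then echo server
    elif grep -Eq '^client$' "$1"; then echo client
    else echo unknown; fi
}

# Print one finding per line for config $1; return 1 if anything was found.
lint_conf() {
    f=$1; n=0
    if grep -Eq '^(comp-lzo|compress)' "$f"; then
        echo "$f: compression enabled (deprecated, leaks secrets via sizes)"; n=$((n+1))
    fi
    case $(conf_role "$f") in
    client)
        grep -Eq '^remote ' "$f" || { echo "$f: client has no remote line"; n=$((n+1)); }
        grep -Eq '^remote-cert-tls server' "$f" || { echo "$f: client lacks remote-cert-tls server"; n=$((n+1)); }
        ;;
    server)
        grep -Eq '^dh ' "$f" || { echo "$f: server has no dh line"; n=$((n+1)); }
        ;;
    *)
        echo "$f: neither client nor server"; n=$((n+1))
        ;;
    esac
    [ "$n" -eq 0 ]
}

# Usage: sh openvpn-stage.sh <staging-dir>
# Writes the rendered files under <staging-dir> and lints both configs.
if [ -n "$1" ]; then
    mkdir -p "$1/server" "$1/client"
    render_rc_conf em0 > "$1/rc.conf.fragment"
    render_server_conf tap0 dh2048.pem > "$1/server/openvpn_$VPN.conf"
    render_client_conf vpn.example.com > "$1/client/openvpn_$VPN.conf"
    for f in "$1/server/openvpn_$VPN.conf" "$1/client/openvpn_$VPN.conf"; do
        echo "$f: role $(conf_role "$f")"
        lint_conf "$f" || echo "$f: fix the findings above before installing"
    done
fi
```

Copy rc.conf.fragment into /etc/rc.conf and the two rendered files into /usr/local/etc/openvpn on the respective hosts, alongside the CA, certificate, key and DH files; the lint can also be pointed at an existing openvpn_mynet.conf to see what the original listing above would trip.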
