=======================================
freebsd openvpn server
---------------------------------------

by o1

FreeBSD condo 13.1-RELEASE-p7 FreeBSD 13.1-RELEASE-p7 GENERIC amd64


=======================================
network
---------------------------------------

lan igb0:    192.168.30.38/24

public igb1: 99.99.99.99/32

openvpn:     10.11.12.0/24


=======================================
add static routes to other lan machines (optional)
---------------------------------------

# freebsd /etc/rc.conf
static_routes="openvpn"
route_openvpn="-net 10.11.12.0/24 192.168.30.38"

---------------------------------------

# linux /etc/network/interfaces
up route add -net 10.11.12.0/24 gw 192.168.30.38 dev enp0s3

---------------------------------------

# windows
route -p ADD 10.11.12.0 MASK 255.255.255.0 192.168.30.38


=======================================
install OpenVPN
---------------------------------------

pkg install openvpn


=======================================
/etc/rc.conf
---------------------------------------

openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
openvpn_dir="/usr/local/etc/openvpn/"
gateway_enable="YES"


=======================================
setup OpenVPN server
---------------------------------------

mkdir -p /usr/local/etc/openvpn/easy-rsa

cp -r /usr/local/share/easy-rsa/* /usr/local/etc/openvpn/easy-rsa/

cd /usr/local/etc/openvpn/easy-rsa

easyrsa init-pki


=======================================
/usr/local/etc/openvpn/easy-rsa/pki/vars
---------------------------------------

set_var EASYRSA_REQ_COUNTRY     "CA"
set_var EASYRSA_REQ_PROVINCE    "ON"
set_var EASYRSA_REQ_CITY        "Pickering"
set_var EASYRSA_REQ_ORG         "acme"
set_var EASYRSA_REQ_EMAIL       "you@example.com"
set_var EASYRSA_REQ_OU          "Imagination"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_CA_EXPIRE       36500
set_var EASYRSA_CERT_EXPIRE     36500
set_var EASYRSA_DIGEST          "sha512"


=======================================
/usr/local/etc/openvpn/server.conf
---------------------------------------

port 1194
proto udp4
dev tun
topology subnet
user nobody
group nobody
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
server 10.11.12.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.30.0 255.255.255.0"
keepalive 10 120
tls-crypt ta.key # This file is secret
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1


=======================================
/usr/local/etc/openvpn/client.conf
---------------------------------------

client
dev tun
proto udp4
remote 99.99.99.99 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
mute-replay-warnings
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-CBC
verb 3
auth-nocache
key-direction 1


=======================================
create certs
---------------------------------------

cd /usr/local/etc/openvpn/easy-rsa

# ca cert
easyrsa build-ca nopass


# server cert
easyrsa build-server-full server nopass


# dh.pem
easyrsa gen-dh


# crl.pem
easyrsa gen-crl


# ta.key
openvpn --genkey secret /usr/local/etc/openvpn/easy-rsa/pki/ta.key


=======================================
copy these files to start server
---------------------------------------

cp /usr/local/etc/openvpn/easy-rsa/pki/ca.crt             /usr/local/etc/openvpn/
cp /usr/local/etc/openvpn/easy-rsa/pki/dh.pem             /usr/local/etc/openvpn/
cp /usr/local/etc/openvpn/easy-rsa/pki/ta.key             /usr/local/etc/openvpn/
cp /usr/local/etc/openvpn/easy-rsa/pki/issued/server.crt  /usr/local/etc/openvpn/
cp /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key     /usr/local/etc/openvpn/
cp /usr/local/etc/openvpn/easy-rsa/pki/private/server.key /usr/local/etc/openvpn/


=======================================
start openvpn server
---------------------------------------

service openvpn start


=======================================
create OpenVPN client certificates for each user
---------------------------------------

cd /usr/local/etc/openvpn/easy-rsa

easyrsa build-client-full john


=======================================
assemble client.ovpn file to import into OpenVPN Client Connect
---------------------------------------

cat /usr/local/etc/openvpn/client.conf                     > /usr/local/etc/openvpn/acme_john.ovpn

echo "<tls-crypt>"                                        >> /usr/local/etc/openvpn/acme_john.ovpn
cat /usr/local/etc/openvpn/easy-rsa/pki/ta.key            >> /usr/local/etc/openvpn/acme_john.ovpn
echo "</tls-crypt>"                                       >> /usr/local/etc/openvpn/acme_john.ovpn

echo "<ca>"                                               >> /usr/local/etc/openvpn/acme_john.ovpn
cat /usr/local/etc/openvpn/easy-rsa/pki/ca.crt            >> /usr/local/etc/openvpn/acme_john.ovpn
echo "</ca>"                                          	  >> /usr/local/etc/openvpn/acme_john.ovpn

echo "<cert>"                                         	  >> /usr/local/etc/openvpn/acme_john.ovpn
cat /usr/local/etc/openvpn/easy-rsa/pki/issued/john.crt   >> /usr/local/etc/openvpn/acme_john.ovpn
echo "</cert>"                                            >> /usr/local/etc/openvpn/acme_john.ovpn

echo "<key>"                                              >> /usr/local/etc/openvpn/acme_john.ovpn
cat /usr/local/etc/openvpn/easy-rsa/pki/private/john.key  >> /usr/local/etc/openvpn/acme_john.ovpn
echo "</key>"                                             >> /usr/local/etc/openvpn/acme_john.ovpn


=======================================
start openvpn client on remote machine or start OpenVPN Client Connect
---------------------------------------

openvpn acme_john.ovpn


=======================================
:0)
=======================================