OpenVPN bridge mode on FreeBSD
OpenVPN is probably the most popular semi-non-standard cross-platform VPN solution, with a large number of users and a pure userland implementation. It's pretty easy to set up, but I often forget certain steps, so here's a tutorial for me to remember in the future :)
Keywords: FreeBSD, OpenVPN, networking
I call OpenVPN semi-non-standard because it uses its own protocol instead of L2TP, IPsec or something else blessed by an RFC. OpenVPN takes care to be secure and offers some flexibility in how it's used: either a network-bridge mode (L2) or a routed mode (L3). For more details I'll direct you to the project's documentation, but for now, here's how to set it up on FreeBSD in a few easy steps:
#1 - install it.
It's in /usr/ports/security/openvpn. The default configuration is reasonable.
#2 - create an SSL CA
That is, if you don't already have one. Then create a certificate for your server and one for each of your client machines. OpenVPN uses SSL certificates to mutually authenticate clients and servers.
#3 - create a rc.d symlink
This step is necessary both on the server and on the client. Go to /usr/local/etc/rc.d and do:
ln -s openvpn openvpn_mynet
The "mynet" is the name you give to your VPN.
#4 - enable it in /etc/rc.conf
This symlink will be used by the /etc/rc system to start the OpenVPN client (or server), so you need to enable it by adding a line like this to /etc/rc.conf:
openvpn_mynet_enable="YES"
#5 - create the server config file
Create a file named openvpn_mynet.conf in the /usr/local/etc/openvpn directory, containing lines such as these:
port 1194
proto udp
dev tap0
ca mycacert.pem
cert server.crt.pem
key server.key.pem
dh dh1024.pem
server-bridge 192.168.1.1 255.255.255.0 192.168.1.250 192.168.1.254
comp-lzo
ifconfig 192.168.1.249 255.255.255.0
You need to copy the CA certificate, the server certificate and the server's private key to this directory, and also create the dh1024.pem file with a command such as
openssl dhparam -out dh1024.pem 1024
Note the following system-specific information:
We use "dev tap0". This is because in my setup, I have the following in my /etc/rc.conf:
cloned_interfaces="tap0 tap1 bridge0"
ifconfig_tap0="inet 192.168.1.249/24"
ifconfig_bridge0="addm tap0 addm tap1 addm em0 up"
I'm creating two tap devices (I actually have two OpenVPN networks on this machine) and bridging them together with em0. The ifconfig_tap0 line isn't actually necessary, since the config line "ifconfig 192.168.1.249 255.255.255.0" will set the IP address on the tap interface being configured. You can also use just "dev tap" instead of "dev tap0" and the tap interface will be auto-created by OpenVPN, but then you need to bridge it manually.
Alternatively, you can use "dev tun" to create an L3 tunnel, which doesn't need bridging but does need IP routing.
The address pool handed out to VPN clients (the last two arguments of server-bridge) is 192.168.1.250 - 192.168.1.254.
Our gateway address (the first argument of server-bridge) is 192.168.1.1.
#6 - Create the client config file
Create a file named exactly the same (openvpn_mynet.conf) at the client, and add lines such as the following to it:
client
dev tap
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca mycacert.pem
cert client.crt
key client.key.pem
comp-lzo
This is enough for a Windows client, which will do the right thing and create an interface that receives its address from the server (just make sure the certificates and the private key are copied as well; the OpenVPN Windows GUI gets confused if they are not). You could also add a line such as the following to have the client assign itself a static address:
ifconfig 192.168.1.150 255.255.255.0
You can start both the server and the client with the same command:
service openvpn_mynet start
(because the config file determines whether the machine is a client or a server), and that should be all.
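As an added example (not part of the original post, nor of OpenVPN's or FreeBSD's own tooling), here is a POSIX sh script that sanity-checks a bridge-mode server config like the one above against the rc.conf bridge lines: it verifies that the tap device named by "dev" is an addm member of bridge0, and that the server-bridge pool, the gateway and the tap address from "ifconfig" all sit in one subnet without overlapping. The config samples it writes are constructed from the tutorial's values; the check_bridge_conf and ip2int helpers and the temporary file names are assumptions.

```shell
#!/bin/sh
# Hypothetical consistency check for the bridge-mode setup described above.
# Reads the OpenVPN server config and an rc.conf and reports mismatches
# between the tap device, the bridge membership, the client pool, the
# gateway and the tap address.

# dotted quad -> integer, POSIX sh arithmetic only
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# check_bridge_conf OPENVPN_CONF RC_CONF
# Prints one line per problem and returns the problem count (0 = consistent).
check_bridge_conf() {
    conf=$1 rc=$2 errs=0
    dev=$(awk '$1 == "dev" { print $2 }' "$conf")
    tapaddr=$(awk '$1 == "ifconfig" { print $2 }' "$conf")
    set -- $(awk '$1 == "server-bridge" { print $2, $3, $4, $5 }' "$conf")
    [ $# -eq 4 ] || { echo "server-bridge line missing or incomplete"; return 1; }
    gw=$1 mask=$2 pstart=$3 pend=$4
    members=$(sed -n 's/^ifconfig_bridge0="\(.*\)"/\1/p' "$rc")
    case " $members " in
        *" addm $dev "*) ;;
        *) echo "$dev is not an addm member of bridge0 in rc.conf"; errs=$((errs + 1)) ;;
    esac
    m=$(ip2int "$mask"); net=$(( $(ip2int "$gw") & m ))
    s=$(ip2int "$pstart"); e=$(ip2int "$pend")
    [ "$s" -le "$e" ] || { echo "pool start $pstart is after pool end $pend"; errs=$((errs + 1)); }
    for a in "$tapaddr" "$pstart" "$pend"; do           # everything in one subnet
        [ $(( $(ip2int "$a") & m )) -eq "$net" ] \
            || { echo "$a is outside the subnet of gateway $gw"; errs=$((errs + 1)); }
    done
    for a in "$tapaddr" "$gw"; do                       # fixed addresses must not sit in the pool
        i=$(ip2int "$a")
        [ "$i" -lt "$s" ] || [ "$i" -gt "$e" ] \
            || { echo "$a collides with the client pool $pstart-$pend"; errs=$((errs + 1)); }
    done
    return $errs
}

# Constructed samples: good.conf mirrors the tutorial, bad.conf has three deliberate mistakes.
tmp=$(mktemp -d)
printf '%s\n' 'dev tap0' 'server-bridge 192.168.1.1 255.255.255.0 192.168.1.250 192.168.1.254' \
    'ifconfig 192.168.1.249 255.255.255.0' > "$tmp/good.conf"
printf '%s\n' 'dev tap2' 'server-bridge 192.168.1.1 255.255.255.0 192.168.1.250 192.168.2.254' \
    'ifconfig 192.168.1.252 255.255.255.0' > "$tmp/bad.conf"
printf '%s\n' 'cloned_interfaces="tap0 tap1 bridge0"' \
    'ifconfig_bridge0="addm tap0 addm tap1 addm em0 up"' > "$tmp/rc.conf"
check_bridge_conf "$tmp/good.conf" "$tmp/rc.conf" && echo "good.conf: consistent"
check_bridge_conf "$tmp/bad.conf" "$tmp/rc.conf" || echo "bad.conf: $? problem(s)"
```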
Enjoy!