freebsd下的openvpn网桥模式

freebsd下的openvpn网桥模式

OpenVPN is probably the most popular semi-non-standard cross-platform VPN solution, with a large number of users and a pure userland implementation. It's pretty easy to set up, but I often forget certain steps so here's a tutorial for me to rememeber in the future :)

Keywords: FreeBSD, OpenVPN, networking

I call OpenVPN semi-non-standard because it uses its own protocol instead of L2TP, IPSec or something other blessed by a RFC. OpenVPN takes care to be secure and offers some flexibility in how it's used - either in a network-bridge mode (L2) or a routed mode (L3). For more details, I'll direct you to the project's documentation, but for now, here's how to set it up on FreeBSD in a few easy steps:

#1 - install it.

It's in /usr/ports/security/openvpn. The default configuration is reasonable.

#2 - create a SSL CA

That is, if you don't already have one. Then create a certificate for your server and one for each of your client machines. OpenVPN uses SSL certificates to mutually authenticate clients and servers.

#3 - create a rc.d symlink

This step is necessary both on the server and on the client. Go to /usr/local/etc/rc.d and do:

ln -s openvpn openvpn_mynet

The "mynet" is the name you give to your VPN.

#4 - enable it in /etc/rc.conf

This symlink will be used by the /etc/rc system to start the openvpn client (or server), so you need to enable it by adding a line like this in /etc/rc.conf:

openvpn_mynet_enable="YES"

#5 - create the server config file

Create a file named openvpn_mynet.conf in the /usr/local/etc/openvpn directory, containing lines such as these:

port 1194

proto udp

dev tap0

ca mycacert.pem

cert server.crt.pem

key server.key.pem

dh dh1024.pem

server-bridge 192.168.1.1 255.255.255.0 192.168.1.250 192.168.1.254

comp-lzo

ifconfig 192.168.1.249 255.255.255.0

You need to copy the SSL certificates and the key to this directory, and also create the dh1024.pem file with a command such as

openssl dhparam -out dh1024.pem 1024

Note the following system-specific information:

We use "dev tap0". This is because in my setup, I have the following in my /etc/rc.conf:

cloned_interfaces="tap0 tap1 bridge0"

ifconfig_tap0="inet 192.168.1.249/24"

ifconfig_bridge0="addm tap0 addm tap1 addm em0 up"

I'm creating two tap devices (I actually have two OpenVPN networks on this machine), and bridging them all with em0. The ifconfig_tap0 line isn't actually necessary since the config line "ifconfig 192.168.1.249 255.255.255.0" will set the IP address on the tap interface being configured. You can also use just "dev tap" instead of "dev tap0" and the tap interface will be auto-created by openvpn, but then you need to bridge it manually.

Alternatively, you can use "dev tun" to create a L3 tunnel, which doesn't need bridging, but needs IP routing.

Our private network range is 192.168.1.250 - 192.168.1.254

Our gateway interface is 192.168.1.1

#6 - Create the client config file

Create a file named exactly the same (openvpn_mynet.conf) at the client, and add lines such as the following to it:

client

dev tap

proto udp

resolv-retry infinite

nobind

persist-key

persist-tun

ca mycacert.pem

cert client.crt

key client.key.pem

comp-lzo

This is enough for a Windows client, which will do the right thing and create an interface which receives its address from the server (you just need to make sure the certificates and the private key are also copied - the OpenVPN Windows GUI gets confused if they are not). You could also add a line such as the following to have the client assign a static address:

ifconfig 192.168.1.150 255.255.255.0

You can start both the server and the client with the same command:

service openvpn_mynet start

(because the config file will determine if the machine is a client or a server), and that should be all.

Enjoy!