Under construction
# pkg_add openvpn easy-rsa
# mkdir /etc/openvpn
# cp -R /usr/local/share/easy-rsa /etc/openvpn/easy-rsa
# cd /etc/openvpn/easy-rsa
# cp vars.example vars
# vi vars
(cp needs -R here, /usr/local/share/easy-rsa is a directory.)
What to tune:
First set EASYRSA to a fixed path, i.e.
set_var EASYRSA "/etc/openvpn/easy-rsa"
or easyrsa will not find its pki directory and openssl config and you will get errors. Then edit the EASYRSA_REQ_* section (country, province, city, org, email, OU) and put in your values; they end up in the subject of every certificate you issue.
Check the rest and tune it if you want.
There is no need to change openssl-easyrsa.cnf, and (unlike in the old days with easy-rsa 2) no need to source the vars file: easy-rsa 3 reads vars from its own directory by itself.
Tune the /etc/pf.conf:
match tag BLOCK
match out tag PASS
match in on $ext_if proto { udp tcp } from any to $ext_if:0 port { 1194 } tag PASS
match in on $tun_if proto { tcp udp } from $NET_OVPN_0 to any tag PASS
match in on $tun_if proto icmp from $NET_OVPN_0 to any tag PASS
block log all tagged BLOCK
pass tagged PASS
$ext_if, $tun_if and $NET_OVPN_0 are macros you define at the top of pf.conf: the external interface, the tunnel interface (tun0, matching dev tun0 in server.conf) and the remote IP range you define for your clients (here 10.0.111.0/24). Every packet starts out tagged BLOCK and only the match rules below re-tag it PASS, so everything else coming in on $ext_if (ssh included) is blocked and logged: add a match ... tag PASS rule for each service you still need. The server only speaks proto udp, so tcp can be dropped from the port 1194 rule. To restrict what VPN clients may reach, narrow the two $tun_if rules to the networks and ports you push. Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf.
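As an added example (not the page's own file), here is a complete /etc/pf.conf assembled from the rules above with the macros defined. The interface name em0 is an assumption; tun0 and 10.0.111.0/24 are the values from server.conf.

```pf
# /etc/pf.conf for the OpenVPN gateway (assembled example, interface names assumed)
ext_if = "em0"                  # assumption: the internet-facing interface
tun_if = "tun0"                 # matches "dev tun0" in server.conf
NET_OVPN_0 = "10.0.111.0/24"    # matches "server 10.0.111.0 255.255.255.0"

# Loopback must be skipped: with the BLOCK default below, even the
# management socket on localhost:7505 would otherwise be unreachable.
set skip on lo

# Everything is tagged BLOCK first; later match rules re-tag what may pass.
match tag BLOCK
match out tag PASS
# OpenVPN listener; the server runs "proto udp" only, so no tcp here
match in on $ext_if proto udp from any to $ext_if:0 port 1194 tag PASS
# Traffic arriving from VPN clients through the tunnel
match in on $tun_if proto { tcp udp } from $NET_OVPN_0 to any tag PASS
match in on $tun_if proto icmp from $NET_OVPN_0 to any tag PASS

# Final decision: last matching rule wins, tags decide
block log all tagged BLOCK
pass tagged PASS
```

Load it with pfctl -nf /etc/pf.conf (parse only) and then pfctl -f /etc/pf.conf. Remote administration over ssh needs its own match in on $ext_if ... port 22 tag PASS line, otherwise this file locks you out.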
Create /etc/openvpn/server.conf (relative file names resolve against --cd /etc/openvpn from rc.local; cert and key must carry the name you later give build-server-full):
port 1194
proto udp
dev tun0
ca ca.crt
cert VPNGATE22.crt
key VPNGATE22.key # This file should be kept secret
dh dh.pem
server 10.0.111.0 255.255.255.0
ifconfig-pool-persist /tmp/ipp.txt
push "route 192.168.0.0 255.255.0.0"
push "dhcp-option DNS 192.168.100.2"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
log-append /var/log/openvpn.log
verb 1
management localhost 7505
status /var/log/openvpn.status.log 5
status-version 2
crl-verify /etc/openvpn/crl.pem
Notes on this config: status was given twice in the original (openvpn-status.log and /var/log/openvpn.status.log 5); keep only the one with the full path. comp-lzo: compression inside the tunnel is deprecated and has been used to recover secrets from the tunnel (VORACLE), so drop the line unless you really need it, and if you keep it every client config needs the same option or the handshake fails. management localhost 7505 opens an unauthenticated control socket to every local user; give it a password file as third argument (management localhost 7505 /etc/openvpn/management.pw) or leave the line out. crl-verify together with user nobody: the CRL is re-read on every client connect, after privileges have been dropped, so /etc/openvpn/crl.pem must be readable by nobody, while the key stays readable by root only (it is loaded once before the privilege drop and persist-key keeps it across tunnel restarts). The pushed route 192.168.0.0/16 only works if those hosts have a route back to 10.0.111.0/24 via this gateway, or you NAT the tunnel traffic in pf.
Create /etc/sysctl.conf (read at boot; apply it right now with sysctl net.inet.ip.forwarding=1):
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
Create /etc/rc.local:
/usr/local/sbin/openvpn --cd /etc/openvpn --daemon --script-security 2 --config /etc/openvpn/server.conf && echo "OpenVPN"
--cd /etc/openvpn is what lets server.conf use relative file names. --script-security 2 is only needed once you add up/down or client-connect scripts; with no scripts in the config it can go. If your openvpn package ships /etc/rc.d/openvpn, rcctl enable openvpn (check rcctl get openvpn for the flags and point them at the config) is the cleaner way to start and stop it.
Do
# cd /etc/openvpn/easy-rsa
# ./easyrsa init-pki
# ./easyrsa build-ca
# ./easyrsa gen-crl
# ./easyrsa gen-dh
# ./easyrsa build-server-full YOURSERVERID nopass
# ./easyrsa build-client-full YOURCLIENT01
YOURSERVERID must be the name used for cert and key in server.conf. build-ca asks for a passphrase; keep it, it is only needed when you sign or revoke, the daemon never touches the CA key. nopass on the server key is deliberate, the server starts from rc.local with nobody around to type a passphrase; for clients omit nopass so the key on the laptop is encrypted. gen-dh takes minutes. gen-crl creates the (still empty) crl.pem that crl-verify expects; after every ./easyrsa revoke NAME run gen-crl again and copy the new file to /etc/openvpn, or the revoked certificate keeps working. Everything lands under /etc/openvpn/easy-rsa/pki: ca.crt, dh.pem, crl.pem, issued/NAME.crt and private/NAME.key; copy the server's set into /etc/openvpn with the key readable by root only.
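The hand-off the page stops short of, as an added example (my code, not the page's or easy-rsa's): copy the server material out of the pki with sensible permissions, and build a single-file client profile with the CA, cert and key inlined. It assumes the easy-rsa 3 pki layout (pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key, pki/dh.pem, pki/crl.pem), a server running without comp-lzo, and that vpn.example.org and the names srv/cli used in the usage note are placeholders.

```shell
#!/bin/sh
# Added example: move easy-rsa 3 output into place and emit a client profile.
# Assumptions: pki layout as produced by ./easyrsa (issued/NAME.crt, private/NAME.key),
# OpenVPN started with --cd /etc/openvpn so server.conf's relative names resolve there.
set -eu

# install_server_material PKIDIR DESTDIR SERVERNAME
# The key is read by root before "user nobody" takes effect (persist-key keeps it),
# so 0600 is enough; crl.pem is re-read on every client connect after the privilege
# drop and therefore has to stay world-readable (0644).
install_server_material() {
    pki=$1; dest=$2; server=$3
    for f in ca.crt dh.pem crl.pem "issued/$server.crt" "private/$server.key"; do
        [ -f "$pki/$f" ] || { echo "missing $pki/$f" >&2; return 1; }
    done
    mkdir -p "$dest"
    install -m 0644 "$pki/ca.crt"               "$dest/ca.crt"
    install -m 0644 "$pki/dh.pem"               "$dest/dh.pem"
    install -m 0644 "$pki/crl.pem"              "$dest/crl.pem"
    install -m 0644 "$pki/issued/$server.crt"   "$dest/$server.crt"
    install -m 0600 "$pki/private/$server.key"  "$dest/$server.key"
}

# make_client_profile PKIDIR CLIENTNAME REMOTEHOST [PORT]  -> profile on stdout
# easy-rsa issued certs start with a text dump; only the PEM block is inlined.
# remote-cert-tls server makes the client insist on the serverAuth EKU that
# easy-rsa puts into server certs only, so a stolen client cert cannot pose as the gateway.
make_client_profile() {
    pki=$1; client=$2; remote=$3; port=${4:-1194}
    for f in ca.crt "issued/$client.crt" "private/$client.key"; do
        [ -f "$pki/$f" ] || { echo "missing $pki/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $remote $port
nobind
resolv-retry infinite
persist-key
persist-tun
remote-cert-tls server
verb 3
<ca>
$(cat "$pki/ca.crt")
</ca>
<cert>
$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$pki/issued/$client.crt")
</cert>
<key>
$(cat "$pki/private/$client.key")
</key>
EOF
}
```

Usage on the gateway: install_server_material /etc/openvpn/easy-rsa/pki /etc/openvpn YOURSERVERID, then make_client_profile /etc/openvpn/easy-rsa/pki YOURCLIENT01 vpn.example.org > YOURCLIENT01.ovpn and hand that file to the client over a channel you trust; it contains the client's private key.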