This How-To explains how to set up a Private Internet Access (PIA) client on FreeBSD using OpenVPN. The setup focuses on having the PIA OpenVPN connection start when your machine boots.
PREREQUISITES
I assume the following
1. you have a running FreeBSD system
2a. you have ports installed or
2b. you have the package tools installed
3. you are willing and able to use a Terminal to issue some basic commands as root (or sudo if you have it installed)
If you need more information on using the ports or pkg(8) command to install applications – see the FreeBSD handbook (chapter 4) here https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ports.html
OVERALL STEPS
1. install the security/openvpn package
2. download the PIA certificates and basic configuration files
3. configure /etc/rc.conf to load OpenVPN at startup
4. create the PIA user authentication file
5. configure the OpenVPN config file
6. test the setup
7. miscellaneous comments
References for the OpenVPN setup info
- https://openvpn.net website
- and the PIA Linux setup files at https://www.privateinternetaccess.com/pages/client-support/
- and http://www.freebsddiary.org/openvpn.php
- FreeBSD handbook (for installation, ports and package tools)
For the PIA SETUP YOU NEED THE FOLLOWING:
- a valid PIA username and password (apply online at privateinternetaccess.com)
- security/openvpn installed package or port installed on FreeBSD
- the PIA ca.crt and crl.pem certificates; the other set up parameters will be discussed below
1. TO INSTALL OPENVPN, go to the Terminal as root and issue the command below, answering Yes to all the prompts. I prefer to use the pkg installation method for ease; use whichever suits you best. The OpenVPN port can be found under /usr/ports/security/openvpn
# pkg install openvpn
2. TO GET THE PIA ca.crt and crl.pem CERTIFICATES from the PIA site, download the zip file, which also contains the server-specific configuration files that we will use later to customize the configuration. Use the command line to download it into a designated directory.
2.1 Create a directory where you wish to download the zip files using
# mkdir -p /usr/local/etc/openvpn
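2.2. Download the zip file into that directory, unzip its contents and find the ca.crt and crl.pem files. The --no-verify-peer flag below makes fetch skip TLS certificate verification, so the download, including the ca.crt that OpenVPN will trust, is not authenticated; with a root CA bundle installed (for example from the security/ca_root_nss port) the flag can be left out.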
# cd /usr/local/etc/openvpn
# fetch --no-verify-peer https://www.privateinternetaccess.com/openvpn/openvpn.zip
# tar -xvf openvpn.zip
2.3. Copy the ca.crt and crl.pem files to the PIA directory that will contain the config files, say /usr/local/etc/pia_openvpn. Any location works, as long as you know where the files are so you can point your config parameters to it.
# mkdir -p /usr/local/etc/pia_openvpn
# cp ca.crt crl.pem /usr/local/etc/pia_openvpn/
3. CONFIGURE /etc/rc.conf
To load OpenVPN at startup you need to edit /etc/rc.conf. I am using the text editor ee(1), as it comes installed with FreeBSD; you can also use vi(1) or another editor of your choice such as editors/nano, which you can install via
# pkg install nano
In ee, press Escape to get to the menus to save and exit.
# ee /etc/rc.conf
Add this to /etc/rc.conf – note that comments in the config text files are indicated by #, just make sure the syntax is correct.
Code:
# To enable openvpn from start up with tun activated
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/pia_openvpn/pia_vpn.conf"
#this last line specifies where you will set up the openvpn config file as indicated below so that openvpn can find it when it executes
4. CREATE PIA USER AUTHENTICATION PASSWORD FILE
Create a password_pia file in /usr/local/etc/pia_openvpn from Terminal
# touch /usr/local/etc/pia_openvpn/password_pia.txt
You can also just open ee or nano to create the file and save it in the directory, without using touch.
Enter your PIA user name and password into the password text file created above. Put the entries on separate lines in the file, like so
Code:
username
password
Make sure there is nothing else in the password file
Use the command below to make it readable by root only – for security reasons
# chmod 600 /usr/local/etc/pia_openvpn/password_pia.txt
5. CONFIGURE THE OPENVPN CONFIG FILE
Copy one of the sample config files from where you downloaded them (/usr/local/etc/openvpn). I will use the US East.ovpn file included in the zip file downloaded from PIA. You can use any one of them, as they contain the same setup parameters and differ only in the server name. In the command below I copy the file and rename it.
# cp "/usr/local/etc/openvpn/US East.ovpn" /usr/local/etc/pia_openvpn/pia_vpn.conf
Now to set up the pia_vpn.conf file... we are almost there!
We are using the /usr/local/etc/pia_openvpn/pia_vpn.conf file, which was copied from the US East.ovpn file. It looks like this before amendments
Code:
client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem
NOW TO CUSTOMIZE pia_vpn.conf file under /usr/local/etc/pia_openvpn/
# ee /usr/local/etc/pia_openvpn/pia_vpn.conf
The customisation is as below; I've added #comments to explain it a bit
Code:
#your PIA client config file under /usr/local/etc/pia_openvpn/pia_vpn.conf
client
dev tun
#make sure the correct protocol is used
proto udp
# use the vpn server of your choice; rather put the name of the server in than the IP address;
# the IP addresses change frequently
remote us-east.privateinternetaccess.com 1194
# you can add other servers here and comment them out in case you want to change servers later
# you can do this as your username and password stays the same
# But only use one server at a time, you must comment out the one above before activating the ones below
#remote aus.privateinternetaccess.com 1194
#remote us-west.privateinternetaccess.com 1194
#remote russia.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# copy the ca.crt files to wherever you wish to store them in /usr/local/etc/pia_openvpn
# but you must specify where to find the file example:
ca /usr/local/etc/pia_openvpn/ca.crt
crl-verify /usr/local/etc/pia_openvpn/crl.pem
tls-client
remote-cert-tls server
#indicate where you have stored the password file if you want to log in from boot example:
auth-user-pass /usr/local/etc/pia_openvpn/password_pia.txt
# and make it only readable by root with: chmod 600 filename
#this suppresses the caching of the password and user name
auth-nocache
comp-lzo
verb 1
reneg-sec 0
6. TO TEST THE SETUP
You can start and test the PIA client connection via terminal as sudo or as root
# openvpn --config /usr/local/etc/pia_openvpn/pia_vpn.conf
The output should resemble something like this:
Code:
Sun Dec 27 09:06:07 2015 OpenVPN 2.3.9 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Dec 22 2015
Sun Dec 27 09:06:07 2015 library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Sun Dec 27 09:06:08 2015 UDPv4 link local: [undef]
Sun Dec 27 09:06:08 2015 UDPv4 link remote: [AF_INET]66.55.134.213:1194
Sun Dec 27 09:06:09 2015 [Private Internet Access] Peer Connection Initiated with [AF_INET]66.55.134.213:1194
Sun Dec 27 09:06:12 2015 TUN/TAP device /dev/tun0 opened
Sun Dec 27 09:06:12 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Dec 27 09:06:12 2015 /sbin/ifconfig tun0 10.194.1.6 10.194.1.5 mtu 1500 netmask 255.255.255.255 up
add net 66.55.134.213: gateway 192.168.50.1
add net 0.0.0.0: gateway 10.194.1.5
add net 128.0.0.0: gateway 10.194.1.5
add net 10.194.1.1: gateway 10.194.1.5
Sun Dec 27 09:06:12 2015 Initialization Sequence Completed
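A pre-flight check for the files built in steps 4 and 5, to run before the test in step 6; this is an added example, not part of the original How-To. The function names, the FINDING output format, the script file name and the optional owner-uid argument are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the step 4-5 files before step 6.
# Usage: sh pia_preflight.sh <config> [owner_uid]   (hypothetical name; uid defaults to 0)

# Print the first argument of an active (uncommented) directive.
directive_arg() {   # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}
note() { echo "FINDING: $*"; bad=1; }

# Prints one FINDING line per problem; returns 0 when clean, 1 otherwise.
pia_preflight() {
    conf=$1; uid=${2:-0}; bad=0
    [ -r "$conf" ] || { note "cannot read $conf"; return 1; }

    # The How-To gives ca, crl-verify and auth-user-pass full paths; flag others.
    for d in ca crl-verify auth-user-pass; do
        p=$(directive_arg "$conf" "$d")
        case $p in
            /*) [ -f "$p" ] || note "$d points at missing file $p" ;;
            '') note "$d is missing or has no path" ;;
            *)  note "$d uses relative path $p" ;;
        esac
    done

    # Server certificate check, and no caching of the username and password.
    [ "$(directive_arg "$conf" remote-cert-tls)" = server ] || note "remote-cert-tls server not set"
    grep -q '^[[:space:]]*auth-nocache' "$conf" || note "auth-nocache not set"

    # "Only use one server at a time": exactly one uncommented remote line.
    n=$(awk '$1 == "remote" { c++ } END { print c + 0 }' "$conf")
    [ "$n" -eq 1 ] || note "expected 1 active remote line, found $n"

    # Credentials file: owner-only mode, expected owner, two non-empty lines.
    cred=$(directive_arg "$conf" auth-user-pass)
    if [ -f "$cred" ]; then
        mode=$(ls -ln "$cred" | awk '{ print $1 }')
        owner=$(ls -ln "$cred" | awk '{ print $3 }')
        case $mode in
            -r[w-]-------*) ;;
            *) note "$cred mode is $mode, want -rw-------" ;;
        esac
        [ "$owner" = "$uid" ] || note "$cred owned by uid $owner, want $uid"
        [ "$(grep -c . "$cred")" -eq 2 ] || note "$cred must hold exactly two lines"
    fi
    [ "$bad" -eq 0 ]
}

[ "$#" -eq 0 ] || pia_preflight "$@"
```

Run against the unmodified US East.ovpn copy, it reports the relative ca and crl-verify paths, the bare auth-user-pass and the missing auth-nocache, which are the amendments made in step 5.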
7. MISCELLANEOUS NOTES
I tested the set up on a:
- FreeBSD VM – it didn't boot into the VPN connection directly but only when I issued the command under TEST THE SETUP. I suspect it's the way I connect to my network via the bridge adapter on VirtualBox. If anyone can shed light on this I would appreciate it.
- PC-BSD loaded laptop booting straight from disk. It connects to the VPN straight away. You will see the tun0 interface and IP address it connects to once you issue the command below
# ifconfig
- Linux Mint (on Linux you will have to consult the distro help files / forums to find out where you must store the OpenVPN config files. It seems to vary between distros(?)).
I think the OpenVPN basic setup to connect to PIA as a client will also work with other VPN providers as long as you get the user name, password, protocols, compression, and other security settings. You can just amend the config files for OpenVPN under /usr/local/etc/pia_openvpn/pia_vpn.conf
Hope this helps
Edits Jan 11, 2016
- Removed "2.1. Ensure you have wget installed, run as root: # pkg install wget"
- Changed numbering under section 2
- Replaced wget instructions to get the openvpn.zip file with fetch command
- Amended previous location of file from "Copy the ca.crt and crl.pem files to /etc or a directory say under /etc/pia_openvpn." to /usr/local/etc/pia_openvpn
- Made changes to the file locations under section 2 to simplify for new user where to copy and set up files to
- Removed and simplified some aspects of section 5