Solved OpenVPN conf File

Hello - I am new here and haven't used FreeBSD in a long time. I've compiled OpenVPN and I'm trying to set it up. I'm using this guide right now to get started - https://www.c0ffee.net/blog/openvpn-guide

However, I can't seem to locate the file /usr/local/etc/openvpn/openvpn.conf - I've been looking everywhere but can't find it. Is this in another path, or is this something I need to manually create? I've checked on here and searched but can't seem to find the info. Thanks in advance!
 
When in doubt about the contents of a package, you can always list them: pkg info -lx vpn. This lists the contents of all packages with 'vpn' in their name.
 
I still can't start the thing though... hmm. I made my config file as shown in the aforementioned tutorial. However, it seems like there are two config files, for server and client? I'm not sure where they are supposed to go; I see there are examples in the package. Think that's what my issue is? Also, I checked in /var/log/ but I can't seem to find an error log for when I try to start the service.
 

Attachments: two PuTTY screenshots, 2018-05-17 13_07_27-216.169.97.176 - PuTTY.png and 2018-05-17 13_08_51-216.169.97.176 - PuTTY.png (listings of the package's example files).
However, it seems like there are two config files, for server and client?
Yes, OpenVPN can run as a server, as a client, or even both at the same time. Which begs the question, which side are you trying to set up?

And please just copy and paste the text from PuTTY (or whatever you're using) instead of posting a picture.
 
OK, will do. I'm trying to run it as a server in this case. I have it running on a VPS and want to be able to connect to it from remote PCs to use as a VPN. I think my config file is in the wrong place, maybe.
 
The pictures show a list of example files. Using that information you need to create your own /usr/local/etc/openvpn/openvpn.conf. After that you first enable the service: sysrc openvpn_enable="YES" (or edit /etc/rc.conf), then start it: service openvpn start.

That's the simplest way to do it. The rc(8) script of OpenVPN is a bit complex to read because it also allows you to start OpenVPN using multiple, and different, profiles.
 
I double-checked and my config file is indeed at /usr/local/etc/openvpn/openvpn.conf; I did have to create that openvpn folder, though. I just had openvpn_enable="YES"; I just added the sysrc in front of it. Now it gets a bit further before I see the error. So, I'm getting:

Code:
> sudo service openvpn start
Starting openvpn.
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
>
I'm going to double check some spots and make sure I got the right hostname and things...
 
I just had openvpn_enable="YES"; I just added the sysrc in front of it.
No, don't do that. Your /etc/rc.conf should look like this:
Code:
openvpn_enable="YES"
You can either edit /etc/rc.conf directly, by hand, or use the command sysrc openvpn_enable="YES" to add it to rc.conf automatically. Do not put that sysrc(8) command in /etc/rc.conf.
 
So yeah... turns out I messed up the hostname in a few places. OpenVPN is now running. So now I'm just trying to work on the NAT/PF section of the tutorial.

So here's the sample I'm using - I changed the points where it said
Code:
# change me

Code:
/etc/pf.conf
# the external network interface to the internet
# public-facing interface
ext_if="vtnet0"

# your public-facing IP address -  VPN traffic will NAT out of this address
ext_ip="203.0.113.42" # change me!

# vpn interface
vpn_if="tun0"
vpn_net = "10.8.0.0/24"

# port on which sshd is running
ssh_port = "55022"

# allowed inbound ports (services hosted by this machine)
inbound_tcp_services = "{auth, http, https, " $ssh_port ", openvpn }"
inbound_udp_services = "{dhcpv6-client, openvpn}"

# politely send TCP RST for blocked packets. The alternative is
# "set block-policy drop", which will cause clients to wait for a timeout
# before giving up.
set block-policy return

# log only on the external interface
set loginterface $ext_if

# skip all filtering on localhost
set skip on lo

# reassemble all fragmented packets before filtering them
scrub in on $ext_if all fragment reassemble

# route traffic from VPN interface out to the internet
nat on ! $vpn_if from $vpn_net to any -> $ext_ip

# block forged client IPs (such as private addresses from WAN interface)
antispoof for $ext_if

# default behavior: block all traffic
block all

# all traffic through VPN interface is assumed to be safe
pass quick on $vpn_if

# allow all icmp traffic (like ping)
pass quick on $ext_if proto icmp all
pass quick on $ext_if proto icmp6 all

# allow incoming traffic to services hosted by this machine
pass in quick on $ext_if proto tcp to port $inbound_tcp_services
pass in quick on $ext_if proto udp to port $inbound_udp_services

# allow all outgoing traffic
pass out quick on $ext_if

For some reason, even when I change the hostname and IP address where applicable, it kills SSH connectivity. Any ideas if something in here is causing it? Thanks again.
 
Make sure to enable routing or else traffic will never be passed from one interface to another. Add to /etc/rc.conf:
Code:
gateway_enable="YES"
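Two things in the posts above deserve a pre-flight check before the ruleset is loaded: the pf.conf begins with block all and only opens whatever $ssh_port is set to, so if that macro does not match the port sshd actually listens on, loading the rules cuts off the very SSH session you are working from; and the VPN clients only reach the internet once IPv4 forwarding (gateway_enable="YES") is on. The script below is an added example written for this thread; it is not from the original posts or from the c0ffee.net guide. It assumes FreeBSD's default paths (/etc/pf.conf, /etc/ssh/sshd_config) and pfctl/sysctl, and the SAMPLE_* strings are constructed stand-ins for the real files so that the macro check runs anywhere. The last function loads the rules behind a watchdog that disables pf again after 60 seconds unless you confirm that a fresh login still works.

```shell
#!/bin/sh
# Added example, not from the original thread or the c0ffee.net guide.
# Pre-flight checks for a pf.conf that begins with "block all" and only
# opens $ssh_port: confirm that macro matches the port sshd really listens on,
# confirm IPv4 forwarding (gateway_enable="YES") is on, syntax-check the
# ruleset, then load it behind a watchdog that disables pf again if the new
# rules cut off the SSH session. Paths are FreeBSD defaults; the SAMPLE_*
# strings below are constructed stand-ins for the real files.

# Print the value of a pf.conf macro assignment such as  ssh_port = "55022"
# read from stdin (quotes stripped); prints nothing if the macro is absent.
pf_macro_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p" | head -n 1
}

# Print the port sshd listens on according to sshd_config text on stdin.
# A commented-out "#Port 22" does not count, so sshd's default of 22 applies.
sshd_port_from_config() {
    port=$(sed -n 's/^[[:space:]]*[Pp]ort[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' | head -n 1)
    printf '%s\n' "${port:-22}"
}

# Succeed only when pf.conf's $ssh_port equals sshd's real port; otherwise
# explain the mismatch, which is exactly the "it kills SSH" lockout.
check_ssh_port() {
    want=$(printf '%s\n' "$1" | pf_macro_value ssh_port)   # $1 = pf.conf text
    have=$(printf '%s\n' "$2" | sshd_port_from_config)     # $2 = sshd_config text
    if [ -z "$want" ] || [ "$want" != "$have" ]; then
        echo "pf.conf ssh_port='${want:-unset}' but sshd listens on $have" >&2
        return 1
    fi
    return 0
}

# True when the kernel forwards IPv4 between interfaces, i.e. what
# gateway_enable="YES" sets at boot (sysctl net.inet.ip.forwarding=1).
ip_forwarding_enabled() {
    [ "$(sysctl -n net.inet.ip.forwarding 2>/dev/null)" = 1 ]
}

# Syntax-check, then load the ruleset with a safety net: a background job
# disables pf after 60 s unless you kill it once a fresh SSH login works.
load_with_watchdog() {
    conf=${1:-/etc/pf.conf}
    pfctl -nf "$conf" || return 1                  # -n: parse only, load nothing
    ( sleep 60 && pfctl -d ) &
    watchdog=$!
    pfctl -f "$conf" || { kill "$watchdog"; return 1; }
    pfctl -e 2>/dev/null || true                   # no-op if pf is already enabled
    echo "Rules loaded; if you can still log in, run: kill $watchdog"
}

# Constructed samples: the thread's macros, sshd on its default port, and
# sshd moved to 55022 as the guide's ssh_port value assumes.
SAMPLE_PF='ext_if="vtnet0"
ssh_port = "55022"
inbound_tcp_services = "{auth, http, https, " $ssh_port ", openvpn }"'
SAMPLE_SSHD_DEFAULT='#Port 22
ListenAddress 0.0.0.0'
SAMPLE_SSHD_MOVED='Port 55022
PermitRootLogin no'

if check_ssh_port "$SAMPLE_PF" "$SAMPLE_SSHD_DEFAULT"; then
    echo "default sshd: ssh_port matches"
else
    echo "default sshd: mismatch, loading this pf.conf would lock you out"
fi
check_ssh_port "$SAMPLE_PF" "$SAMPLE_SSHD_MOVED" && echo "sshd on 55022: ssh_port matches"

# On the real host the full pre-flight would be:
#   check_ssh_port "$(cat /etc/pf.conf)" "$(cat /etc/ssh/sshd_config)" &&
#   ip_forwarding_enabled && load_with_watchdog /etc/pf.conf
```

The watchdog is the part worth keeping even if you skip the rest: pfctl -d only switches filtering off, it does not touch the loaded rules, so after you confirm the session survived you simply kill the background job and pf stays enabled. If sshd is on its default port, either set ssh_port = "22" in pf.conf or move sshd with Port 55022 in sshd_config and restart it before loading the rules.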
 