[SOLVED] OpenVPN How To Request

For those of you who have been following my posts.....I am a consultant moving his workstation and his clients over to FreeBSD from Linux. Primarily because Linux updates (my old OS) keep breaking things.....as it did today.

The community has been very kind and gracious helping me port my machine over, and I have FreeBSD on an extra drive. That is about to change. Today, Arch Linux broke my connectivity to my clients for the last time. I am going to re-install FreeBSD to my primary drive (instead of having it on an extra drive) and overwrite Linux. I have two mirror backups in perfect order. And using XFS so I can mount them in FreeBSD.

So far, I have been unable to get OpenVPN running on FreeBSD. I see posts throughout, and wiki articles...but most of those articles are 4+ years old and I think this is why following those procedures hasn't worked.

Or if FreeBSD has something equal to or better, that will allow me to connect to my OpenVPN client.....Please point me to it!

In my own browsing I don't seem to find a nice concise procedure for setting up OpenVPN (as a client) on FreeBSD 10.0. I need OpenVPN (or a functional alternative) to connect to my clients. I am connecting to Linux on the other end (also soon to be changed out to FreeBSD).

I am going to be down for a few hours as I conduct the port over of my primary drive.

I am asking for a pointer to a FreeBSD/OpenVPN how-to...so when I come back up...I can get squared away so that tomorrow I can get back to work.

I have done several installs of FreeBSD and am totally comfortable with the install process. I have also built custom kernels for FreeBSD without incident......But I am not a networking guy...I have others come in and setup/test security on servers that I set..... I have all the keys and such on backup here on my workstation....

I can setup OpenVPN on Linux without issue. But in reading some wiki articles it appears that it's a tad different on FreeBSD...and thus this slightly panicked post because I need to be back up if at all possible tomorrow.

I am asking for pointers to current articles so I can follow those procedures and get "magic".


Thank you for assistance,


Sincerely and respectfully,

Dave
 
Re: OpenVPN How To Request

Well, I think with some poking around you'll find an OpenVPN howto even here on forums. OpenVPN is a great choice, I'd stick to it unless you have a specific client who can't use it (e.g. this was true for iPhone/iOS some time ago).
Once you have OpenVPN installed do have a look at /usr/local/share/examples/openvpn/sample-config-files directory, many good examples can be found there; either server or client side.

I'd be a little cautious with FreeBSD 10 though. I had to roll back to 9.2 due to a (possible) PF bug I hit. You can find more posts here in Networking/Firewalls from people mentioning a similar problem.
Also some port issues occurred with libiconv. Nothing too serious, but maybe worth waiting on older release for now.
 
Re: OpenVPN How To Request

I had tried several times to get it fixed yesterday...I wonder if I was hitting the same bug and just didn't realize it......

If I have to, I'll put Win-7 in a VirtualBox VM, and talk to my clients that way if I have to.....

Thank you for the reply!


Sincerely and respectfully,


Dave
 
Re: OpenVPN How To Request

Do I get it correctly that first you want to move your Linux client to a FreeBSD and later to move your server to FreeBSD too? Client-server regarding to OpenVPN. If we are talking about OpenVPN client, setup is pretty much the same on every platform (Windows/Linux/FreeBSD) with a very small deviation in configuration.

What issue did you encounter? As you didn't share the OpenVPN server information I can't help you more with the config though.
 
Re: OpenVPN How To Request

matoatlantis said:
... e.g. this was true for iPhone/iOS some time ago ...

OpenVPN is available for iOS. However, Android is more prone to DNS leaks unless you root your device - iOS you don't need to jailbreak to set DNS servers. But, like Android with Google, iOS does beacon to Apple servers.

Just wanted to address that point since it was mentioned. Now back to the regularly scheduled program.
 
Re: OpenVPN How To Request

tzoi516 said:
matoatlantis said:
... e.g. this was true for iPhone/iOS some time ago ...

OpenVPN is available for iOS. However, Android is more prone to DNS leaks unless you root your device - iOS you don't need to jailbreak to set DNS servers. But, like Android with Google, iOS does beacon to Apple servers.

True, that's why I said 'some time ago'. Not that far though, I remember two-three years ago I had to use pptp to connect with my phone.
Nowadays you have an app for it.
 
Re: OpenVPN How To Request

I'm using the same basic configuration on both Linux and FreeBSD. It does get a bit complicated if you are trying to run OpenVPN in a jail but otherwise what works on one should work on the other. What exactly isn't working?
 
Re: OpenVPN How To Request

Hello matoatlantis,

Thank you for responding.

Let me provide some details....

My clients are on CentOS....I admin them through an OpenVPN connection, except for updates when I make the ~100 mile trip to my client's place of business. CentOS in the last year or so leading up to their acquisition by RedHat has been breaking things when it does its own updates. I'm getting pretty tired of it. Well not entirely true,.....It's frustrating me.

I was on Arch Linux until Sunday (23-FEB-2014), when Arch did a normal and routine update, and promptly broke the accounting software's client app that is tantamount to my client's business. Arch has been good to me....but in my old engineer's view, Linux has become less stable. It seems that about every distro is beginning to have stability issues. I really do not want to start a finger point of this distro over that distro... I've tried several since I've been with Linux since 2004, and being a techie of sorts, I liked the tinkering involved with Arch. But now, Linux as a technology is costing me unrecoverable dollars when it updates and breaks things for my clients. Updates that work in my test VM's, but have issues once I push them out to real hardware.

So Sunday I overwrote my Linux install with FreeBSD. I had FreeBSD running on a spare secondary drive so I could acclimate to the new paradigm for about 4 weeks now. But with my Linux install basically hamstrung...leaving me unable to work....I chose to cut my losses and go with something that is engineered and designed to work together...I like what I have experienced with FreeBSD on that secondary drive for the last few weeks. There is a learning curve for sure, but it's really not that difficult. So FreeBSD went on my primary boot drive Sunday over my Arch installation. My primary drive (ada0) is a 1TB Samsung 840EVO SSD. And I followed wblock's excellent "HowTo" at http://www.wonkity.com/~wblock/docs/html/ssd.html

So now I am on FreeBSD mainstream and I need to re-establish OpenVPN connectivity to my clients (CentOS) from my workstation (FreeBSD 10.0). I have a good backup so moving the keys and certs from Linux were easy.

In time you are correct, I will be moving my clients to FreeBSD on a scheduled and planned basis. My port over this weekend was a response out of frustration. I had been put in a corner by Arch.......for the last time. Burn a bunch of time reverting stuff in Arch, or spend that same labor time in moving to a more stable, engineered platform. I chose the latter.

The OpenVPN config I did in Linux, and the OpenVPN config I did in FreeBSD didn't match up at all. So I posted here in the forums requesting a pointer to a nice procedure or HowTo for setting up OpenVPN in a FreeBSD environment.

When I set it up in Arch Linux (a well documented distro)...they had a concise step by step HowTo that I followed. Everything went perfectly. So I am basically asking for the same kind of procedure for FreeBSD.

BTW: I do not want my desktop to be an OpenVPN server. I just need the client piece functional......

I hope this helps explain things a little better!


Thank you for responding to my post.


Sincerely and respectfully,

Dave
 
Re: OpenVPN How To Request

Hello Junovitch,

May I ask, are you on FreeBSD 10.0 like I am (x64)? Or a different release?

The only change that I was aware of is since instantiating OpenVPN on my Linux box, OpenVPN's software has been updated what appears to be several times.

Now in response to your mentioning that things are identical...... Let me review and see if I can sort out the differences by using some documentation off of the OpenVPN website itself. That is something I hadn't done yet....I was hoping for a pointer to a nice concise document here on FreeBSD.

So let me make another attempt at it since I had to reinstall my OS anyway.......and then post the results and see if I have different results this time.....

Question:

Are you loading any special kernel modules in /boot/loader.conf?

Did you add something to the /etc/rc.conf? If so, can you share it with me?......In Arch I was using SystemD (which I never liked anyway).....and perhaps I didn't have the proper stuff (or enough stuff) in my /etc/rc.conf file....


Thank you for posting,

Sincerely and respectfully,

Dave
 
Re: OpenVPN How To Request

Hello, I am on 10.0 now but I'll caveat this with I haven't fixed my OpenVPN server because of changes with jails in 10. I'll try to answer your questions.


dcbdbis said:
Now in response to your mentioning that things are identical...... Let me review and see if I can sort out the differences by using some documentation off of the OpenVPN website itself. That is something I hadn't done yet....I was hoping for a pointer to a nice concise document here on FreeBSD.

The biggest difference I can think of would probably be locations. On Linux your locations are in /etc vice /usr/local/etc on FreeBSD. Additionally, the OpenVPN in ports might be newer than what you have used on Linux (probably not for Arch, but maybe for CentOS). That could result in some minor differences.

dcbdbis said:
Are you loading any special kernel modules in "/boot/loader.conf"?

No, tun and tap drivers are part of the GENERIC kernel. You shouldn't have to worry about this unless you are doing custom kernels or not allowing modules to load for security reasons (see securelevel() man page).

dcbdbis said:
Did you add something to the "/etc/rc.conf"? If so, can you share it with me?......In Arch I was using SystemD (which I never liked anyway).....and perhaps I didn't have the proper stuff (or enough stuff) in my "/etc/rc.conf" file....

Yes, you'll need to enable the service in your rc.conf.

Here is a quick and dirty version of what I can see applying.
pkg install openvpn

Copy configuration file and keys from wherever they are kept. Either edit manually to fix paths or do something like this.
sed -i '' -e 's/ \/etc/ \/usr\/local\/etc/' /usr/local/etc/myopenvpn.conf

Enable it in /etc/rc.conf and tell it where your config file is:
sysrc openvpn_enable=YES
sysrc openvpn_config=/usr/local/etc/myopenvpn.conf

Start it:
service openvpn start
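
The path-fixing step from the post above, as an added example that is not part of the thread: a POSIX sh script that rewrites only the path argument of file directives in a client config, then checks that each referenced file exists and that key material has no group/other permission bits. The sample config, vpn.example.net, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and file names are assumptions.

# OpenVPN directives whose first argument is a file path.
FILE_DIRECTIVES='ca cert key dh tls-auth pkcs12'
# Subset holding secret material that must not be group/other accessible.
SECRET_DIRECTIVES='key tls-auth pkcs12'

# write_sample CONF: write a constructed Linux-style client config.
write_sample() {
    cat > "$1" <<'EOF'
client
dev tun
remote vpn.example.net 1194
# keys used to live in /etc/openvpn/keys
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
tls-auth ta.key 1
EOF
}

# port_paths CONF OLD_DIR NEW_DIR: print CONF with the path argument of each
# file directive moved from OLD_DIR to NEW_DIR. Other lines are left alone.
port_paths() {
    awk -v old="$2" -v new="$3" -v dirs="$FILE_DIRECTIVES" '
        BEGIN { n = split(dirs, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        ($1 in want) && index($2, old "/") == 1 {
            $2 = new substr($2, length(old) + 1)
        }
        { print }
    ' "$1"
}

# audit_config CONF: print one finding per line, nothing if clean.
#   RELATIVE  path depends on the directory openvpn is started in
#   MISSING   referenced file does not exist
#   LOOSE     secret file has group/other permission bits set
audit_config() {
    while read -r directive path rest; do
        case " $FILE_DIRECTIVES " in
            *" $directive "*) [ -n "$path" ] || continue ;;
            *) continue ;;
        esac
        case $path in
            /*) ;;
            *) echo "RELATIVE $directive $path"; continue ;;
        esac
        [ -f "$path" ] || { echo "MISSING $directive $path"; continue; }
        case " $SECRET_DIRECTIVES " in
            *" $directive "*)
                # Characters 5-10 of the ls mode string: group and other bits.
                bits=$(ls -ld "$path" | cut -c5-10)
                [ "$bits" = "------" ] || echo "LOOSE $directive $path"
                ;;
        esac
    done < "$1"
}
```

Typical use on the FreeBSD side is to redirect the output of port_paths into the new config file and run audit_config on that file before starting the tunnel; paths containing spaces or quotes are not handled.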
 
Re: OpenVPN How To Request

BINGO!

I didn't have the second line in the /etc/rc.conf. So I was missing something!

The other file locations I had found, and did put the configuration options in them from my linux config.....But I didn't have the line where I needed to specify the config file in the /etc/rc.conf.


So let me retry after my current restoration from ext2 to ufs2 completes. And I am moving ~5tb of data.....so it may be tomorrow before I can try and respond. I don't want to start dorking around with my config while a mission critical restore is underway. I understand it can be done, but seeing I am junior with FreeBSD, I worry about fat-fingering something and really screwing myself over!


Thank you for your post,


Sincerely and respectfully,

Dave
 
Re: OpenVPN How To Request

Awesome. Sometimes the quick way is just to look at the rc script. Looking at /usr/local/etc/rc.d/openvpn, you'll see that the default config file is the name of the rc script. So the default openvpn config file is /usr/local/etc/openvpn/openvpn.conf. Otherwise you'd have to specify the name.
 
Re: OpenVPN How To Request

Hello Junovitch,

Is there some way to not start OpenVPN at bootup?

I don't want it to automatically connect everytime I boot up. I only need it when I'm online with a client.

In Arch, I issued this command: sudo openvpn /etc/openvpn/client.conf at the cli.

Then once I was done, I would just <CTRL>+c out of it to terminate. Do you know if this mechanism can be done in FreeBSD?


Thank you.


Sincerely and respectfully,

Dave
 
Re: OpenVPN How To Request

Remove or set sysrc openvpn_enable=NO. Then just start it as needed with service openvpn onestart as root or prefixed with sudo if you've installed it. The same way you did it on Arch should work as well as long as you run it as root or via sudo.
 
Re: OpenVPN How To Request

COOL!

I still have a couple of TB's to go in the restoration process.....And I was up far too late last night moving the other ext4 data onto ufs, so I will go to bed by midnight tonight so I don't make stupid tired mistakes which I tend to do..

I'll leave the post open until tomorrow. I'll then report back in with my results.

Thank You!


Sincerely and respectfully,


Dave
 
Re: OpenVPN How To Request

Great you have it up and running.

I did mention this once on these forums, not sure where exactly. Back in ~2009 I was migrating my last Linux server from Slackware to FreeBSD. I was copying data from reiserfs to UFS. It was something less than 1TB of data. I left the copy running and went to bed. In the morning everything looked fine. First glance at new target data showed no problem (same src/target size). I thought: "o'right, good.". And I didn't do any actual check on it. Later (yes, too late it was) I found out that the data copied were just some blobs, no actual data. I lost it all. For some strange reason FreeBSD was not reading that FS correctly. Directory hierarchy was fine, just the data in it was messed up.

Since then I'm always doing chksum on src and target when data is being moved. Consider this story as FYI. :)
 
Re: OpenVPN How To Request

OK, here is the procedure I followed: http://blog.up-link.ro/how-to-install-openvpn-in-freebsd/

It appears that OpenVPN is not installing the sample files in the locations shown. I have the keys and crt files already on backup...so I can just plug them in.

The client.conf was modified to point to the new location for the dh crt and key locations. Issuing a sudo service openvpn onestart threw no errors, but neither did it leave behind any logs. The usual "chatter" that I would see in Linux didn't appear at all. And in the end, when I opened PGAdmin3 I could not connect to the remote postgresql server of 10.8.0.1.

I am on FreeBSD 10.0 x64. I installed OpenVPN by sudo pkg install openvpn. After doing some searching, it appears the sample files didn't come down with it, when I looked at the verbiage that pkg install leaves on the screen after installing OpenVPN. The sample files didn't exist. whereis can't find them, and neither can whereis find the easy-rsa folder. I had to locate it by find /usr -name easy-rsa. The locations of these things on my system don't seem to follow the examples and HowTo's I found on the web.

So once again I am stumped and am not sure where to turn to for a good step by step on FreeBSD 10.0.

Thank you for your posts.....Hopefully working together we can get to the bottom of this.


Sincerely and respectfully,

Dave
 
Re: OpenVPN How To Request

Check out the output of pkg info -l openvpn. You'll see it lists all files installed by the package including sample files. Also, the bits for security/easy-rsa were put in a separate port last year so you'll have to do pkg install easy-rsa to get them. If you already have them you might not need that.

sudo service openvpn onestart is starting in the background as a daemon/service, which is why you don't see the full output. Try doing it the way you used to on Linux as sudo openvpn /path/to/config.conf to see the output to the screen.
 
Re: OpenVPN How To Request

Update:

I got frustrated not being able to find the sample config files and such.

So I sudo pkg install openvpn-admin from http://www.freebsd.org/cgi/ports.cgi?query=openvpn&stype=all.

This allowed me to plug in the various files I had in backup, regardless of where it's put now on FreeBSD 10.0.

Once I plugged everything in, the software is now complaining in its output window....that the remote is using the tun adapter and my system uses the tap adapter.

But it carries on and doesn't actually throw up until these lines:
Tue Feb 25 16:30:40 2014 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Tue Feb 25 16:30:40 2014 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.8.0.1


My issue is that I don't see where to plug this into the GUI...... So I'll keep working with it for a while.

The openvpn-admin tool is configured for tun, but earlier in the chatter openvpn produces....it's complaining about having a TUN adapter on the remote side and a tap adapter on my end.

While this is only a warning.....could this be affecting when it's throwing up later downstream?

Thank you for your help,


Sincerely and respectfully,

Dave
 
Re: OpenVPN How To Request

ONLINE!

The Fix Was:

a) Changing the paths in my client.conf to reflect /usr/home/dcbdbis/openvpn/client.conf from the old linux version of /etc/openvpn/client.conf

b) Getting rid of all openvpn entries in the /etc/rc.conf file.

c) Don't over-think it. I ASSumed that it would be different in FreeBSD. I was wrong.....If I would have just left everything alone after plugging my crt and key files, left the rc.conf alone. I would have been just fine. Calling it like I did in linux works just perfectly.......

Result = Beauty!

I have bash scripts for my various clients.....So I'll just tweak them for the different paths and I will be good to go!

I now have re-established a VPN connection to my clients. Now I am going to tweak the GUI management package so I can get online with it....to make it easier and more convenient to manage multiple OpenVPN connections.

But the heat is off...I can return to work tomorrow.....


I want to express sincerest thanks to all who responded. I really do appreciate it.....


Sincerely and respectfully,


Dave
 
Excellent. Sorry if I led you astray regarding running OpenVPN as a service. I made an assumption just like you did. Keeping it simple usually works and as you found doing things the same way you already knew works out.

Oh and I know you already mentioned migrating all your data from ext2 to UFS, but do give ZFS a look. You get a lot of flexibility when it comes to managing a large pool of data with ZFS that you just can't get as easily elsewhere.
 