This is an obsolete doc -- see instead

Setting up an OpenVPN server and Windows clients 

on FreeBSD v9 



Install the openvpn package (PKGNG), 

pkg install openvpn


Set up defaults for certificates 

Set up some defaults in the OpenSSL configuration, 

cp -i /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.dist
vi /etc/ssl/openssl.cnf
dir             = /etc/ssl/CA
default_days    = 3650 # 10 years
default_bits  = 2048
countryName_default             = FR
stateOrProvinceName_default     = IDF
localityName_default            = Paris
#0.organizationName_default     = Internet Widgits Pty Ltd


SSL certification authority 

Create your own CA, 

mkdir -p /etc/ssl/CA/
cd /etc/ssl/CA/
mkdir -p certs/
mkdir -p crls/
mkdir -p newcerts/
mkdir -p private/
touch index.txt
echo 01 > serial
echo 01 > crlnumber
openssl req -nodes -new -x509 -keyout private/cakey.pem -out cacert.pem
#-days 3650

Common Name (e.g. server FQDN or YOUR name) [] 

Email Address [] 

ls -l private/cakey.pem

Note. Not sure it's mandatory, but I would recommend using the real hostname of the CA server here (with PTR). 

and generate the certificate revocation list (CRL), 

openssl ca -gencrl -out crls/crl.pem
chown root:nogroup crls/crl.pem
ls -l crls/crl.pem


SSL request 

Create a certificate request, 

cd /etc/ssl/CA/certs/

openssl req -nodes -new -keyout -out 

Common Name (e.g. server FQDN or YOUR name) []: 

(no extra attributes...)


Then sign the certificate request with your own CA, 

openssl ca -out -in -policy policy_anything
(check the expiry date)
answer yes to the "sign" and "commit" prompts


Generate Diffie-Hellman parameters for the key exchange, 

openssl dhparam -out dh2048.pem 2048


Check that you've got everything, 

cd /etc/ssl/CA/
ls -l cacert.pem
ls -l private/cakey.pem
cd /etc/ssl/CA/certs/
ls -lkF

there should be, 

the crt
the csr
the key



Setup OpenVPN, 

mkdir -p /usr/local/etc/openvpn/
cd /etc/
ln -s /usr/local/etc/openvpn
cd /etc/openvpn/
cp /usr/local/share/examples/openvpn/sample-config-files/server.conf openvpn.conf.dist
cp /usr/local/share/examples/openvpn/sample-config-files/server.conf openvpn.conf
chmod u+w openvpn.conf
vi openvpn.conf


port 1194
proto udp


# (see "pkcs12" directive in man page).
ca /etc/ssl/CA/cacert.pem
cert /etc/ssl/CA/certs/
key /etc/ssl/CA/certs/
crl-verify /etc/ssl/CA/crls/crl.pem
dh /etc/ssl/CA/certs/dh2048.pem


dev tun
;dev tap


ifconfig-pool-persist ipp.txt
;push "route"
keepalive 10 120
cipher BF-CBC
user nobody
group nobody
status openvpn-status.log
verb 6
mute 20
;verb 3

Note. If needed, enable route push so the VPN client can reach the network behind the VPN server (here 


Enabling the service 

Enable and start the daemon, 

echo 'openvpn_enable="YES"' >> /etc/rc.conf
/usr/local/etc/rc.d/openvpn start

and watch the logs. 


Check the vpn interface, 

ifconfig tun0


Open UDP port 1194 on the listening network interface. 


Creating client certificates 

Enter the certs folder (the one holding the signed certificates, not the CA's own directory) and generate a request for a VPN client, 

cd /etc/ssl/CA/certs/
openssl req -nodes -new -keyout sslclient.key -out sslclient.csr

Common Name (e.g. server FQDN or YOUR name) []:public_fqdn_not_mandatory? 

Email Address [] 

(you can enter a challenge password here, it is not asked for when connecting anyway; or leave the extra attributes empty...)

Note. You don't have to use your client's public FQDN here (unless tls-verify is enabled?) 


Increment the CA serial, 

cat /etc/ssl/CA/serial
#echo 02 > /etc/ssl/CA/serial
echo 03 > /etc/ssl/CA/serial


Sign the request with your own CA, 

cd /etc/ssl/CA/certs/
openssl ca -out sslclient.crt -in sslclient.csr -policy policy_anything


Secure the files a little bit, 

chown root:nogroup /etc/ssl/CA/cacert.pem
chown root:nogroup /etc/ssl/CA/certs/ssl*
chmod 600 /etc/ssl/CA/certs/ssl*.key
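Since the CA serial is bumped by hand above and the ccd/ file used later in this doc has to be named after the certificate's Common Name, it is worth checking the CA state before handing a client certificate out. The script below is an added example, not part of the original how-to; it assumes the /etc/ssl/CA layout created above and needs only sh and awk.

```shell
#!/bin/sh
# Added example, not part of the original how-to. Sanity-checks the hand-made
# CA (assumed layout: /etc/ssl/CA as created above). index.txt, the "openssl ca"
# database, is tab-separated: status(V|R|E) expiry revocation-date serial(hex)
# filename subject-DN. The serial file holds the hex serial of the NEXT cert.

# Print "<serial> <CN>" for every certificate still valid (status V); the CN is
# the file name openvpn will look for under ccd/ for that client.
ca_valid_cns() {
    awk -F '\t' '$1 == "V" {
        cn = ""
        n = split($6, part, "/")
        for (i = 1; i <= n; i++)
            if (part[i] ~ /^CN=/) { cn = substr(part[i], 4); break }
        print $4, cn
    }' "$1"
}

# Print every serial that appears more than once in index.txt.
ca_dup_serials() {
    awk -F '\t' '{ seen[$4]++ } END { for (s in seen) if (seen[s] > 1) print s }' "$1"
}

# Return 0 if the serial file is above every serial already issued, 1 if the
# next "openssl ca" run would reuse one (e.g. after a wrong "echo NN > serial").
ca_serial_ok() {
    next=$(printf '%d' "0x$(tr -d '[:space:]' < "$2")")
    max=-1
    for ser in $(awk -F '\t' '{ print $4 }' "$1"); do
        v=$(printf '%d' "0x$ser")
        [ "$v" -gt "$max" ] && max=$v
    done
    [ "$next" -gt "$max" ]
}

# Full report for one CA directory; exit status 1 when the serial is unsafe.
ca_report() {
    cadir="${1:-/etc/ssl/CA}"
    echo "valid certificates (serial CN):"
    ca_valid_cns "$cadir/index.txt"
    dups=$(ca_dup_serials "$cadir/index.txt")
    [ -n "$dups" ] && echo "WARNING: duplicate serials in index.txt:" $dups
    ca_serial_ok "$cadir/index.txt" "$cadir/serial" && echo "serial file OK" \
        || { echo "WARNING: serial file would reuse an issued serial"; return 1; }
}

# Usage: sh cacheck.sh /etc/ssl/CA   (without an argument only the functions are defined)
if [ $# -ge 1 ]; then ca_report "$1"; fi
```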


Preparing the Windows OpenVPN client 

On the VPN server, bundle these files to send to the client, 





tar czf clientcert.tar.gz sslclient.crt sslclient.key ../cacert.pem
(send this to the client host)


Fetch and install [OpenVPN for Windows]( 


Open a command line prompt and proceed, 

cd "C:\Program Files\OpenVPN\config\"

notepad sslclient.ovpn


# client = tls-client + pull; without it the ca/cert/key directives are
# rejected and the routes pushed by the server are not accepted
client
dev tun
proto udp
remote 1194
# user/group are not implemented by the Windows build (it only logs a note)
user nobody
group nobody
ca cacert.pem
cert sslclient.crt
key sslclient.key
cipher BF-CBC
;verb 3
verb 6
mute 20


Linking the networks 

Local network on the client side: 

System's IP on that network: 

Local network on the server side: 

System's IP on that network: 


For the VPN client to reach the VPN server's network, the push rule in openvpn.conf is enough (plus, if needed, IP forwarding on the server -- it's not required if you only access the server's own IP). Verify the routes on the client, on Windows, 

#route add mask metric 1 if DOES NOT WORK MANUALLY
route print

you should see the route to the server's network listed (metric 1), 

then try to ping the server's IP on its local network, 



For the VPN server to connect to the VPN client's network,  

cd /etc/openvpn/
mkdir -p ccd/
vi openvpn.conf
client-config-dir ccd

echo "iroute" > ccd/client

Note. "client" here is the Common Name in the client's certificate; change it to match what you entered when creating the certificate. 

Note. Both route directives are necessary: the route directive in openvpn.conf tells the kernel to send that network through tun0 to openvpn, and the iroute directive in the ccd file tells openvpn which client to forward it to. 

restart the daemon and restart the client connection, then try to ping the client's local IP from the server, 


check the route, on BSD systems, 

netstat -rn -f inet




If you get this error in the client logs, 

Cannot load certificate file ssl-heg.crt: error:0906D06C:PEM routines:PEM_read_bio:

==> make sure the file is readable and is PEM text, not binary (it must contain the BEGIN CERTIFICATE line) 

==> make sure the cert filename points to the right one 


If you get this error in the client logs, 

read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)

==> make sure the firewall is open on the server side 



If you get this error in the client logs, 

TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

==> you have some restrictive option (probably remote-cert-tls) indicating that something is wrong with the certificates; maybe use easy-rsa instead of doing it all by hand? 


In any case, if you have to enable IP forwarding on the FreeBSD VPN server, 

sysctl net.inet.ip.forwarding=1   # takes effect now but is lost at reboot; set gateway_enable="YES" in /etc/rc.conf to make it persistent

and if you have to enable IP forwarding on Windows XP side, 




Installation d'un serveur VPN sous FreeBSD (Installing a VPN server on FreeBSD): 


Other resources 



- try bridge mode (tap)