
Setting up OpenVPN on FreeBSD

Mon 2019-05-20    VPN


In an earlier post I set up a torrent box based on rTorrent and FreeBSD. To protect yourself a bit better against this and that, it can be worth setting up a VPN that the torrent traffic runs over. On FreeBSD this is relatively simple:

$ sudo pkg install openvpn

Then you need a config file; you get this from your VPN provider. I use Mullvad, and from their config file generator (for Android, of all things) I got the following file:

client
dev tun
proto udp

remote no.mullvad.net 1194

cipher AES-256-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288

fast-io

auth-user-pass
reneg-sec 0
tun-ipv6
<ca>
-----BEGIN CERTIFICATE-----
[Mullvad root CA certificate body omitted]
-----END CERTIFICATE-----
</ca>
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA

This file contains Mullvad's CA certificate inline, used to authenticate their endpoints, so you do not have to keep track of a pile of separate files. I believe this way of doing it requires a reasonably modern version of OpenVPN, but the one installed on FreeBSD supports it in any case.

I created /etc/private/openvpn and named the file mullvad_no.conf. You can create the directory structure anywhere and call the file whatever you like, but I like to keep things simple for myself.

I changed one line in the config above: auth-user-pass to auth-user-pass mullvad_userpass.txt. mullvad_userpass.txt contains the username and password, each on its own line, and nothing else.

chmod the file so that nobody but root can read it; OpenVPN warns at startup if the file is group- or world-readable.

Test that it works:

$ sudo openvpn-client /etc/private/openvpn/mullvad_no.conf

You should then get output similar to this:

Mon May 20 21:36:03 2019 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Mon May 20 21:36:03 2019 WARNING: file 'mullvad_userpass.txt' is group or others accessible
Mon May 20 21:36:03 2019 OpenVPN 2.4.7 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 16 2019
Mon May 20 21:36:03 2019 library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Mon May 20 21:36:03 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon May 20 21:36:03 2019 PLUGIN_INIT: POST openvpn-plugin-down-root.so '[openvpn-plugin-down-root.so] [/usr/local/libexec/openvpn-client.down]' intercepted=PLUGIN_UP|PLUGIN_DOWN
Mon May 20 21:36:03 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]91.90.44.14:1194
Mon May 20 21:36:03 2019 Socket Buffers: R=[42080->524288] S=[9216->524288]
Mon May 20 21:36:03 2019 UDP link local: (not bound)
Mon May 20 21:36:03 2019 UDP link remote: [AF_INET]91.90.44.14:1194
Mon May 20 21:36:03 2019 TLS: Initial packet from [AF_INET]91.90.44.14:1194, sid=dc6d8313 0611f261
Mon May 20 21:36:03 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon May 20 21:36:03 2019 VERIFY OK: depth=2, C=SE, ST=Gotaland, L=Gothenburg, O=Amagicom AB, OU=Mullvad, CN=Mullvad Root CA v2, emailAddress=security@mullvad.net
Mon May 20 21:36:03 2019 VERIFY OK: depth=1, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=Mullvad Transition-Intermediate CA v1, emailAddress=security@mullvad.net
Mon May 20 21:36:03 2019 VERIFY KU OK
Mon May 20 21:36:03 2019 Validating certificate extended key usage
Mon May 20 21:36:03 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon May 20 21:36:03 2019 VERIFY EKU OK
Mon May 20 21:36:03 2019 VERIFY OK: depth=0, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=no-osl-004.mullvad.net, emailAddress=security@mullvad.net
Mon May 20 21:36:03 2019 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
Mon May 20 21:36:03 2019 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Mon May 20 21:36:03 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Mon May 20 21:36:03 2019 [no-osl-004.mullvad.net] Peer Connection Initiated with [AF_INET]91.90.44.14:1194
Mon May 20 21:36:05 2019 SENT CONTROL [no-osl-004.mullvad.net]: 'PUSH_REQUEST' (status=1)
Mon May 20 21:36:05 2019 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,redirect-gateway def1 bypass-dhcp,route-ipv6 0000::/2,route-ipv6 4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,comp-lzo no,route-gateway 10.8.0.1,topology subnet,socket-flags TCP_NODELAY,ifconfig-ipv6 fdda:d0d0:cafe:1194::1003/64 fdda:d0d0:cafe:1194::,ifconfig 10.8.0.5 255.255.0.0,peer-id 2,cipher AES-256-GCM'
Mon May 20 21:36:05 2019 OPTIONS IMPORT: compression parms modified
Mon May 20 21:36:05 2019 OPTIONS IMPORT: --socket-flags option modified
Mon May 20 21:36:05 2019 NOTE: setsockopt TCP_NODELAY=1 failed
Mon May 20 21:36:05 2019 OPTIONS IMPORT: --ifconfig/up options modified
Mon May 20 21:36:05 2019 OPTIONS IMPORT: route options modified
Mon May 20 21:36:05 2019 OPTIONS IMPORT: route-related options modified
Mon May 20 21:36:05 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon May 20 21:36:05 2019 OPTIONS IMPORT: peer-id set
Mon May 20 21:36:05 2019 OPTIONS IMPORT: adjusting link_mtu to 1624
Mon May 20 21:36:05 2019 OPTIONS IMPORT: data channel crypto options modified
Mon May 20 21:36:05 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon May 20 21:36:05 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon May 20 21:36:05 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon May 20 21:36:05 2019 ROUTE_GATEWAY 192.168.2.13/255.255.255.0 IFACE=hn0 HWADDR=00:15:5d:02:08:32
Mon May 20 21:36:05 2019 GDG6: remote_host_ipv6=n/a
Mon May 20 21:36:05 2019 GDG6: problem writing to routing socket
Mon May 20 21:36:05 2019 ROUTE6: default_gateway=UNDEF
Mon May 20 21:36:05 2019 TUN/TAP device /dev/tun0 opened
Mon May 20 21:36:05 2019 /sbin/ifconfig tun0 10.8.0.5 10.8.0.1 mtu 1500 netmask 255.255.0.0 up
Mon May 20 21:36:05 2019 /sbin/route add -net 10.8.0.0 10.8.0.1 255.255.0.0
add net 10.8.0.0: gateway 10.8.0.1
Mon May 20 21:36:05 2019 /sbin/ifconfig tun0 inet6 fdda:d0d0:cafe:1194::1003/64
Mon May 20 21:36:05 2019 PLUGIN_CALL: POST openvpn-plugin-down-root.so/PLUGIN_UP status=0
Mon May 20 21:36:05 2019 /usr/local/libexec/openvpn-client.up tun0 1500 1552 10.8.0.5 255.255.0.0 init
Mon May 20 21:36:05 2019 /sbin/route add -net 91.90.44.14 192.168.2.13 255.255.255.255
add net 91.90.44.14: gateway 192.168.2.13
Mon May 20 21:36:05 2019 /sbin/route add -net 0.0.0.0 10.8.0.1 128.0.0.0
add net 0.0.0.0: gateway 10.8.0.1
Mon May 20 21:36:05 2019 /sbin/route add -net 128.0.0.0 10.8.0.1 128.0.0.0
add net 128.0.0.0: gateway 10.8.0.1
Mon May 20 21:36:05 2019 add_route_ipv6(::/2 -> fdda:d0d0:cafe:1194:: metric -1) dev tun0
Mon May 20 21:36:05 2019 /sbin/route add -inet6 ::/2 -iface tun0
add net ::/2: gateway tun0
Mon May 20 21:36:05 2019 add_route_ipv6(4000::/2 -> fdda:d0d0:cafe:1194:: metric -1) dev tun0
Mon May 20 21:36:05 2019 /sbin/route add -inet6 4000::/2 -iface tun0
add net 4000::/2: gateway tun0
Mon May 20 21:36:05 2019 add_route_ipv6(8000::/2 -> fdda:d0d0:cafe:1194:: metric -1) dev tun0
Mon May 20 21:36:05 2019 /sbin/route add -inet6 8000::/2 -iface tun0
add net 8000::/2: gateway tun0
Mon May 20 21:36:05 2019 add_route_ipv6(c000::/2 -> fdda:d0d0:cafe:1194:: metric -1) dev tun0
Mon May 20 21:36:05 2019 /sbin/route add -inet6 c000::/2 -iface tun0
add net c000::/2: gateway tun0
Mon May 20 21:36:05 2019 Initialization Sequence Completed

If you reach "Initialization Sequence Completed" you are there and it works as it should. Press Ctrl-C to quit the client.
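The credential-file step and the log check above, as an added POSIX sh example that is not from the original post: the credential file is written with a umask that keeps it unreadable to group and others (the condition behind the "group or others accessible" warning in the output), and the connection log is checked for the success marker and the verified server CN. File names and the log lines are taken from the post; the account values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Creates the OpenVPN
# credential file with mode 0600 and checks a connection log the way the
# post does. File names follow the post; account values are placeholders.

# Write username and password (one per line, nothing else) to FILE.
# The subshell umask ensures the file is created with mode 0600.
write_userpass() {
    file=$1; user=$2; pass=$3
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$file" ) || return 1
    check_userpass_perms "$file"
}

# Return 0 if FILE grants no permission bits to group or others.
# Parses ls -l so it works with both FreeBSD and GNU stat(1) variants.
check_userpass_perms() {
    mode=$(ls -l "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Return 0 if the log contains the marker the post treats as success.
log_has_completed() {
    grep -q 'Initialization Sequence Completed' "$1"
}

# Print the CN of the server certificate verified at depth=0, so you can
# confirm you actually reached the Mullvad endpoint you expected.
log_server_cn() {
    grep 'VERIFY OK: depth=0' "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p' | head -n 1
}

# Demo on constructed input: a temp dir and two log lines quoted in the post.
demo() {
    dir=$(mktemp -d) || return 1
    write_userpass "$dir/mullvad_userpass.txt" 'ACCOUNT_PLACEHOLDER' 'PASSWORD_PLACEHOLDER' || return 1
    cat > "$dir/openvpn.log" <<'EOF'
Mon May 20 21:36:03 2019 VERIFY OK: depth=0, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=no-osl-004.mullvad.net, emailAddress=security@mullvad.net
Mon May 20 21:36:05 2019 Initialization Sequence Completed
EOF
    log_has_completed "$dir/openvpn.log" && log_server_cn "$dir/openvpn.log"
    status=$?
    rm -rf "$dir"
    return $status
}
```

Run `demo` to see the check pass on the constructed log; point `log_has_completed` and `log_server_cn` at /var/log/messages once the service is running.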

The next step is to start openvpn automatically at boot:

# sysrc openvpn_enable=yes
# sysrc openvpn_configfile=/etc/private/openvpn/mullvad_no.conf
# sysrc openvpn_dir=/etc/private/openvpn

Test again, this time via service(8):

# service openvpn start

You should then see

Starting openvpn.

and nothing else.

tail /var/log/messages should show "Initialization Sequence Completed".

Check that you are not exposing your usual IP address to the outside world (this is for Mullvad users; users of other VPN providers will probably have equivalent test pages):

# curl https://am.i.mullvad.net
91.90.44.24

If you see an IP address other than one from your ISP's network, you are done. The last test is to reboot the server to check that openvpn (and the other services) start as they should.