This is the procedure for installing, configuring and using a VPN server with OpenVPN on FreeBSD. Tested with OpenVPN 2.6 .10 on FreeBSD 13.2 on 2024-04-26.
Install OpenVPN client on FreeBSD.
Install OpenVPN. The package comes with an OpenVPN client.
# pkg install openvpn
Create a directory for VPN configuration files. Ensure, that login credentials can only be read by the OpenVPN client.
# find / -type d -name '*openvpn*' # mkdir /usr/local/etc/openvpn # chown openvpn:openvpn /usr/local/etc/openvpn
Install VPN configuration file for OpenVPN client on FreeBSD.
Get the VPN configuration file from the website of the VPN service. The configuration file should support FreeBSD or GNU/Linux operating systems. The protocol should be UDP. This ensures, that TCP problems, that can arise from encapsulating TCP packets in TCP packets, is avoided. Copy the VPN configuration file to the OpenVPN directory from above.
# chown openvpn:openvpn /usr/local/etc/openvpn/foobar.ovpn
Configure OpenVPN to start without asking for username and password.
If you want to be able to use VPN without OpenVPN client asking for username and password, then configure it to read the login credentials from a text file.
# nano /usr/local/etc/openvpn/foobar.ovpn auth-user-pass /usr/local/etc/openvpn/foobar.txt
Then store the username and password in the text file. The username on the first line and the password on the next line. Note, that some VPN services provides optional features the VPN service. Such features can be enabled or disabled by modifying the username.
# touch /usr/local/etc/openvpn/foobar.txt # chown openvpn:openvpn /usr/local/etc/openvpn/foobar.txt # nano /usr/local/etc/openvpn/foobar.txt QfHrW8QGf1OYjubt 5r8JzcOBIPNbq6pqhxA0L-FLTVrl4pIl3a0G8qUqyB-DzwFLLfuNlf6j
Configure DNS resolver up scripts for OpenVPN client on FreeBSD.
Ensure, that up scripts, that takes care of DNS resolver configuration, exist. This is not only important for operation, but also for avoiding DNS leak by using an DNS, that is not related to the VPN. The OpenVPN client comes with up and down scripts for this.
# nano /usr/local/etc/openvpn/foobar.ovpn up /usr/local/libexec/openvpn-client.up plugin openvpn-plugin-down-root.so /usr/local/libexec/openvpn-client.down
How to start and stop VPN with OpenVPN on FreeBSD.
Start the VPN by using the OpenVPN client with the VPN configuration file as the argument. Stop the VPN by pressing Ctrl+C.
# openvpn-client /usr/local/etc/openvpn/foobar.ovpn
How to start VPN automatically at boot time on FreeBSD.
Add it to the system configuration.
# nano /etc/rc.conf openvpn_enable="YES" openvpn_configfile="/usr/local/etc/openvpn/foobar.ovpn" openvpn_dir="/usr/local/etc/openvpn"
The VPN can now be started and stopped with the system service utility.
# service openvpn start # service openvpn stop
If a firewall is used, such as PF, then it might be necessary to create an up script, that can reload the firewall script during the startup process.
# nano /usr/local/etc/openvpn/pfreload.sh #!/bin/sh /usr/sbin/service pf reload # chmod 0700 /usr/local/etc/openvpn/pfreload.sh
Add it to the system configuration.
# nano /etc/rc.conf openvpn_flags='--script-security 2 --up "/usr/local/etc/openvpn/pfreload.sh"
Check DNS resolver for DNS leak.
Confirm, that the DNS resolver has been updated, so DNS leak is avoided.
# cat /etc/resolv.conf
Check IP address for VPN.
Go to What is My IP Address? and confirm, that the IP address is related to the VPN server.
More about VPN on FreeBSD.
OpenVPN and PF at startup on FreeBSD Forums. OpenVPN on FreshPorts. Official website for OpenVPN.