I am trying to set up an OpenVPN server on FreeBSD 11, but I am not able to access the Internet from a Linux client. Ping and SSH connections to the VPN server work.
I am using the same config with different OpenVPN server running on CentOS without any problems.
No firewall yet on either side.
Error log on client side:
Code:
Sat Jan 7 16:04:49 2017 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
Sat Jan 7 16:04:49 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Sat Jan 7 16:04:49 2017 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Sat Jan 7 16:04:49 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 7 16:04:49 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 7 16:04:49 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Jan 7 16:04:49 2017 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sat Jan 7 16:04:49 2017 UDPv4 link local: [undef]
Sat Jan 7 16:04:49 2017 UDPv4 link remote: [AF_INET]46.36.37.184:1196
Sat Jan 7 16:04:49 2017 TLS: Initial packet from [AF_INET]46.36.37.184:1196, sid=46bf2bb2 959f8b29
Sat Jan 7 16:04:49 2017 VERIFY OK: depth=1, CN=ChangeMe
Sat Jan 7 16:04:49 2017 Validating certificate key usage
Sat Jan 7 16:04:49 2017 ++ Certificate has key usage 00a0, expects 00a0
Sat Jan 7 16:04:49 2017 VERIFY KU OK
Sat Jan 7 16:04:49 2017 Validating certificate extended key usage
Sat Jan 7 16:04:49 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Jan 7 16:04:49 2017 VERIFY EKU OK
Sat Jan 7 16:04:49 2017 VERIFY OK: depth=0, CN=server
Sat Jan 7 16:04:49 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Jan 7 16:04:49 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 7 16:04:49 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Jan 7 16:04:49 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 7 16:04:49 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Jan 7 16:04:49 2017 [server] Peer Connection Initiated with [AF_INET]46.36.37.184:1196
Sat Jan 7 16:04:51 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jan 7 16:04:51 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,
Sat Jan 7 16:04:51 2017 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jan 7 16:04:51 2017 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jan 7 16:04:51 2017 OPTIONS IMPORT: route options modified
Sat Jan 7 16:04:51 2017 OPTIONS IMPORT: route-related options modified
Sat Jan 7 16:04:51 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jan 7 16:04:51 2017 OPTIONS IMPORT: peer-id set
Sat Jan 7 16:04:51 2017 OPTIONS IMPORT: adjusting link_mtu to 1561
Sat Jan 7 16:04:51 2017 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=40:16:7e:25:a3:a4
Sat Jan 7 16:04:51 2017 TUN/TAP device tun0 opened
Sat Jan 7 16:04:51 2017 TUN/TAP TX queue length set to 100
Sat Jan 7 16:04:51 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Jan 7 16:04:51 2017 /sbin/ip link set dev tun0 up mtu 1500
Sat Jan 7 16:04:51 2017 /sbin/ip addr add dev tun0 10.0.24.2/24 broadcast 10.0.24.255
Sat Jan 7 16:04:51 2017 /sbin/ip route add 46.36.37.184/32 via 192.168.0.1
RTNETLINK answers: File exists
Sat Jan 7 16:04:51 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Sat Jan 7 16:04:51 2017 /sbin/ip route add 0.0.0.0/1 via 10.0.24.1
Sat Jan 7 16:04:51 2017 /sbin/ip route add 128.0.0.0/1 via 10.0.24.1
Sat Jan 7 16:04:51 2017 UID set to nobody
Sat Jan 7 16:04:51 2017 Initialization Sequence Completed
Server:
Code:
root@vpn:/var/log # uname -a
FreeBSD vpn 11.0-RELEASE-p2 FreeBSD 11.0-RELEASE-p2 #0: Mon Oct 24 06:55:27 UTC 2016 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
Server OpenVPN version:
Code:
root@vpn:/var/log # openvpn --version
OpenVPN 2.4.0 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 7 2017
library versions: OpenSSL 1.0.2j-freebsd 26 Sep 2016, LZO 2.09
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no
Server interface:
Code:
root@vpn:/var/log # ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet 10.0.24.1 --> 10.0.24.2 netmask 0xffffff00
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
groups: tun
Opened by PID 856
Server routing:
Code:
root@vpn:/var/log # netstat -nr4
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 46.36.37.1 UGS re0
10.0.24.0/24 10.0.24.2 UGS tun0
10.0.24.1 link#3 UHS lo0
10.0.24.2 link#3 UH tun0
46.36.37.0/24 link#1 U re0
46.36.37.184 link#1 UHS lo0
127.0.0.1 link#2 UH lo0
Server OpenVPN config file:
Code:
port 1196
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.0.24.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
crl-verify crl.pem
log-append /var/log/openvpn/openvpn.log
Client OpenVPN version:
Code:
root@riba:/etc/openvpn# openvpn --version
OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no
Client config:
Code:
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote 46.36.37.184 1196
resolv-retry infinite
nobind
user nobody
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
key-direction 1
verb 3
log-append /var/log/openvpn/openvpn.log
ca /etc/openvpn/ca.crt
cert /etc/openvpn/riba.crt
key /etc/openvpn/riba.key
tls-auth /etc/openvpn/ta.key 1
Client interface:
Code:
root@riba:/etc/openvpn# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.24.2 P-t-P:10.0.24.2 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:260 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:18107 (18.1 KB)
Client routing:
Code:
root@riba:/etc/openvpn# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.24.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.0.1 0.0.0.0 UG 100 0 0 eth0
10.0.24.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
46.36.37.184 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 10.0.24.1 128.0.0.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
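The client log and `route -n` output above show what `redirect-gateway def1` is supposed to leave behind on a Linux client: the original default route stays, two more-specific halves (0.0.0.0/1 and 128.0.0.0/1) point at the tunnel gateway, and a /32 host route to the VPN server goes via the LAN gateway so the tunnel traffic itself is not sent into the tunnel. The "RTNETLINK answers: File exists" error is the host route already being present. The following script, an added example that is not part of the post, parses a `route -n` table and an OpenVPN log excerpt and checks that layout; the sample input is copied from the post, the function names are the example's own, and the parser assumes the classic `route -n` column layout shown there.

```python
"""Check that a Linux client's routing table matches the shape OpenVPN's
`redirect-gateway def1` should produce, and pair any `route add` failures
in the OpenVPN log with whether the route exists anyway.

Added example, not part of the forum post. Assumes the classic `route -n`
column layout (Destination Gateway Genmask Flags Metric Ref Use Iface).
"""
import ipaddress
import re

# Sample input copied from the post (client `route -n` and log excerpt).
ROUTE_N = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.24.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.0.1 0.0.0.0 UG 100 0 0 eth0
10.0.24.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
46.36.37.184 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 10.0.24.1 128.0.0.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
"""

LOG = """\
Sat Jan 7 16:04:51 2017 /sbin/ip route add 46.36.37.184/32 via 192.168.0.1
RTNETLINK answers: File exists
Sat Jan 7 16:04:51 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Sat Jan 7 16:04:51 2017 /sbin/ip route add 0.0.0.0/1 via 10.0.24.1
Sat Jan 7 16:04:51 2017 /sbin/ip route add 128.0.0.0/1 via 10.0.24.1
"""


def parse_route_n(text):
    """Parse `route -n` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the two header lines; data rows start with a dotted quad.
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def check_def1(routes, vpn_server, tun_gw, lan_gw):
    """Return booleans for the three routes `redirect-gateway def1` relies on:
    both half-default routes via the tunnel gateway on a tun interface, and
    a /32 bypass route to the VPN server via the LAN gateway (not the tunnel)."""
    by_key = {(str(net), gw): iface for net, gw, iface in routes}
    low = by_key.get(("0.0.0.0/1", tun_gw))
    high = by_key.get(("128.0.0.0/1", tun_gw))
    bypass = by_key.get((f"{vpn_server}/32", lan_gw))
    return {
        "low_half_via_tun": low is not None and low.startswith("tun"),
        "high_half_via_tun": high is not None and high.startswith("tun"),
        "server_bypass_via_lan": bypass is not None and not bypass.startswith("tun"),
    }


def route_add_failures(log, routes):
    """For each `ip route add` that OpenVPN reports as failed, record whether
    the same route is nevertheless present (the "File exists" case)."""
    pending = None
    findings = []
    for line in log.splitlines():
        m = re.search(r"ip route add (\S+) via (\S+)", line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        if "route add command failed" in line and pending:
            net, gw = pending
            present = any(str(n) == net and g == gw for n, g, _ in routes)
            findings.append({"route": net, "via": gw, "already_present": present})
            pending = None
    return findings


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N)
    print(check_def1(table, "46.36.37.184", "10.0.24.1", "192.168.0.1"))
    print(route_add_failures(LOG, table))
```

On the posted table all three checks pass and the only failed `route add` is the /32 bypass that was already present, so the client side of the redirect is intact; a missing half-default or a bypass route pointing into the tunnel would show up here as a False.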