Digital Ocean Private VPN on FreeBSD

This is a rewrite of an old article with a few minor updates; it shows how to configure an OpenVPN server on a Digital Ocean droplet. Digital Ocean provides a public IPv4 and IPv6 address on its lowest plan ($5 per month).

Using a VPN means you can access content that is legally allowed in that country (free-to-air TV, Netflix etc.). An OpenVPN server is also great when you need to securely access the internet from insecure places (public WiFi etc.).

A VPN also lets you securely access local services running on your droplet, such as IRC bouncers, Samba shares etc.

The setup is pretty simple:
1.) install openvpn via "pkg install openvpn"
2.) add the following to /etc/rc.conf by issuing the commands:
# sysrc openvpn_enable="YES"
# sysrc gateway_enable="YES"
# sysrc pf_enable="YES"

3.) copy the easy-rsa files:
# cp -r /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa

4.) cd to that directory.
Initialise the PKI directory:
# ./easyrsa.real init-pki
Create the Certificate Authority:
# ./easyrsa.real build-ca
Build the server certificate:
# ./easyrsa.real build-server-full openvpn-server nopass
Check that it worked:
# ./easyrsa.real show-cert openvpn-server

Build client certificate(s) (without a password; repeat as many times as necessary):
# ./easyrsa.real build-client-full (name) nopass

Finally, generate the Diffie-Hellman parameters file:
# ./easyrsa.real gen-dh

Make the keys directory:
# mkdir /usr/local/etc/openvpn/keys
Copy the keys there:
# cp pki/dh.pem \
pki/ca.crt \
pki/issued/openvpn-server.crt \
pki/private/openvpn-server.key \
/usr/local/etc/openvpn/keys
Copy these to the client:
pki/ca.crt
pki/issued/.crt
pki/private/.key
ta.key (if tls-auth is configured)
Restrict permissions on the directory to protect the keys:
# chmod -R 700 /usr/local/etc/openvpn
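Step 4 leaves two loose ends that the configs in steps 5 and 8 depend on: ta.key is referenced by "tls-auth ta.key 0" on the server and "tls-auth ta.key 1" on the client but is never generated, and the "chmod -R 700" only covers files that already exist, not a key copied or generated afterwards with the default umask. The script below is an added example, not from the article: it generates ta.key once with "openvpn --genkey --secret", checks the issued server certificate against the CA with openssl, and scans for key files that group or others can read. It assumes the paths from step 4, that the FreeBSD openvpn rc script starts the daemon with /usr/local/etc/openvpn as its working directory (so the relative ta.key path in openvpn.conf resolves there), and that openvpn and openssl are in PATH.

```shell
#!/bin/sh
# Added example, not part of the original article. Finishes the key material
# that openvpn.conf and the client profile expect, then checks it.
# Assumptions (not stated by the article): easy-rsa was run from
# /usr/local/etc/openvpn/easy-rsa as in step 4; the openvpn rc script starts the
# daemon with /usr/local/etc/openvpn as its working directory, so the relative
# "tls-auth ta.key 0" resolves there; openvpn and openssl are in PATH.
set -eu

OVPN_DIR=${OVPN_DIR:-/usr/local/etc/openvpn}
PKI_DIR=${PKI_DIR:-$OVPN_DIR/easy-rsa/pki}

# Both configs reference ta.key but step 4 never creates it: generate the
# static tls-auth key once, on the server, and keep it private.
gen_tls_auth_key() {
    if [ -e "$OVPN_DIR/ta.key" ]; then
        echo "ta.key already exists, leaving it alone" >&2
        return 0
    fi
    openvpn --genkey --secret "$OVPN_DIR/ta.key"
    chmod 600 "$OVPN_DIR/ta.key"
}

# Confirm the server certificate chains to the CA and is marked for server use,
# which is what "remote-cert-tls server" in the client profile will insist on.
verify_server_cert() {
    openssl verify -CAfile "$PKI_DIR/ca.crt" "$PKI_DIR/issued/openvpn-server.crt"
    openssl x509 -in "$PKI_DIR/issued/openvpn-server.crt" -noout -purpose \
        | grep -q 'SSL server : Yes'
}

# check_secret_perms DIR: list every *.key file under DIR that group or others
# can read; returns 1 if any is found. Reads the mode from ls(1), whose first
# column is the same on FreeBSD and GNU userland.
check_secret_perms() {
    loose=$(find "$1" -type f -name '*.key' -exec ls -l {} + |
            awk 'substr($1, 5, 6) != "------" { print $NF }')
    if [ -n "$loose" ]; then
        printf 'readable by group/others:\n%s\n' "$loose" >&2
        return 1
    fi
    return 0
}

# Usage on the server, after step 4:  sh finish-pki.sh run
if [ "${1:-}" = "run" ]; then
    gen_tls_auth_key
    verify_server_cert
    check_secret_perms "$OVPN_DIR"
fi
```

Run it once after the easy-rsa steps and again after copying any file into the keys directory; a non-zero exit from the permission check names the offending files on stderr.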

5.) add the following to /usr/local/etc/openvpn/openvpn.conf:

remote-cert-tls client
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key  # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222" # opendns servers
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
keepalive 10 120 # for normal machines
#keepalive 1800 3600 # use this for mobile devices instead
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

6.) start openvpn:
# service openvpn start
7.) Configure pf to do NAT so VPN clients can use Digital Ocean's internet connection.
/etc/pf.conf:

wan="vtnet0"
tun="tun0"

# options
set block-policy drop

# skip filtering on lo
set skip on lo0
scrub in all

# NAT
nat on $wan from $tun:network to !($wan) -> ($wan)

# default block
block in all

# ssh and openvpn in, everything out
pass in log quick on { $wan $tun } proto { udp tcp } from any to any port 22
pass in log quick on { $wan $tun } proto { udp tcp } from any to any port 1194
pass out log quick all keep state

# pass inet4 and inet6 traffic in on wan and tun
pass in log on { $wan $tun } inet
pass in log on { $wan $tun } inet6

# icmp all good
pass out log inet proto icmp from any to any keep state
pass in log quick inet proto icmp from any to any keep state
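In the ruleset above, "pass in log on { $wan $tun } inet" and the matching inet6 line accept every inbound packet on the public interface as well as on the tunnel, so the "block in all" default and the two port rules change nothing except what gets logged. The following is an added example, not the article's ruleset: the same interfaces and NAT, with inbound access from the internet limited to ssh and OpenVPN, and tunnel traffic accepted only from the addresses OpenVPN hands out. It assumes vtnet0/tun0 and the 10.8.0.0/24 subnet from the "server" line in openvpn.conf.

```pf
# Added example (not the article's ruleset): same interfaces and NAT, only
# ssh and OpenVPN reachable from the internet. Assumes vtnet0/tun0 and the
# 10.8.0.0/24 subnet from the "server" line in openvpn.conf.
wan="vtnet0"
tun="tun0"
vpn_net="10.8.0.0/24"

set block-policy drop
set skip on lo0
scrub in all

# masquerade VPN clients behind the droplet's public IPv4 address
nat on $wan inet from $vpn_net to !($wan) -> ($wan)

# default deny inbound; anything the droplet or a VPN client originates may leave
block in log all
pass out quick all keep state

# services exposed on the public interface: ssh (tcp) and OpenVPN (udp) only
pass in quick on $wan proto tcp from any to ($wan) port 22 keep state
pass in quick on $wan proto udp from any to ($wan) port 1194 keep state

# keep the host pingable, path-MTU discovery and IPv6 neighbour discovery working
pass in quick on $wan inet proto icmp icmp-type echoreq keep state
pass in quick on $wan inet6 proto icmp6 icmp6-type { echoreq toobig neighbrsol neighbradv } keep state

# traffic arriving through the tunnel has already authenticated to OpenVPN;
# accept it only from the pool addresses OpenVPN assigns
pass in quick on $tun from $vpn_net to any keep state
```

Check the syntax with "pfctl -nf /etc/pf.conf" before "service pf reload", and keep an existing ssh session open while testing so a mistake in the ruleset does not lock you out of the droplet.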

8.) Copy all client keys into a folder and create a file called openvpn.ovpn (compatible with the Android client).
openvpn.ovpn:

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert user1.crt
key user1.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

Create a zip file for easy distribution; the zip should contain:
ca.crt, openvpn.ovpn, ta.key, user1.crt and user1.key

Unzip it on your phone, select "Import from SD card", select the .ovpn file and press connect.
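Instead of zipping five files, the same material can be shipped as one .ovpn with the certificates and keys embedded inline, which every current OpenVPN client (Android included) accepts. The script below is an added example, not part of the original post: it assembles such a profile from the article's ca.crt, user1.crt, user1.key and ta.key, refuses to write anything if one of them is missing, and restricts the result to the owner since it now contains the private key. It assumes the four files sit in one directory under those names, that the server listens on udp/1194, and that the server address is passed in.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds a single-file client
# profile with ca.crt, user1.crt, user1.key and ta.key embedded inline, so
# only one .ovpn has to be moved to the phone. Assumptions: the four files are
# in one directory under the names the article uses, the server listens on
# udp/1194, and the server address is passed in.
set -eu

# embed TAG FILE: wrap FILE in <TAG>...</TAG>; awk guarantees a final newline
# so the closing tag always lands on its own line
embed() {
    printf '<%s>\n' "$1"
    awk 1 "$2"
    printf '</%s>\n' "$1"
}

# make_inline_profile KEYDIR SERVER_HOST OUTFILE [CLIENT_NAME]
# Writes OUTFILE and returns 0; returns 1 without writing if an input is missing.
make_inline_profile() {
    keydir=$1
    host=$2
    out=$3
    name=${4:-user1}
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        if [ ! -r "$keydir/$f" ]; then
            echo "missing $keydir/$f" >&2
            return 1
        fi
    done
    {
        printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$host"
        printf 'resolv-retry infinite\nnobind\nuser nobody\ngroup nogroup\n'
        printf 'persist-key\npersist-tun\nremote-cert-tls server\n'
        printf 'cipher AES-256-CBC\nverb 3\n'
        # with the key inline, "key-direction 1" replaces the 1 of "tls-auth ta.key 1"
        printf 'key-direction 1\n'
        embed ca "$keydir/ca.crt"
        embed cert "$keydir/$name.crt"
        embed key "$keydir/$name.key"
        embed tls-auth "$keydir/ta.key"
    } > "$out"
    chmod 600 "$out"   # the profile now carries the client's private key
}

# Usage: sh make-profile.sh KEYDIR SERVER_HOST OUTFILE [CLIENT_NAME]
if [ $# -ge 3 ]; then
    make_inline_profile "$@"
fi
```

Copy only the resulting .ovpn to the phone and delete it from any intermediate storage afterwards; it is as sensitive as user1.key itself.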

Now it should work fine!

You can monitor bandwidth with pftop:
# pftop
