How to Install and Configure OpenVPN in FreeBSD 10.2

A VPN (Virtual Private Network) is a private network carried across a public network, meaning the Internet. It provides a secure network connection over the Internet or over a private network owned by a service provider. A VPN is one of the smartest solutions for improving your online "PRIVACY", using a security protocol such as IPsec (Internet Protocol Security), SSL/TLS (Transport Layer Security) or PPTP (Point-to-Point Tunneling Protocol); you can even use SSH (Secure Shell) to secure a remote connection, usually called port forwarding, but we do not recommend it.

OpenVPN is an open-source project that provides a secure connection by implementing a virtual private network. It is flexible, reliable and secure. OpenVPN uses the OpenSSL library for encryption and can run over UDP or TCP, with IPv4 and IPv6 support. It is designed to work with the TUN/TAP virtual network interface that is available on most platforms. OpenVPN offers several ways to authenticate users: username/password-based or certificate-based.

In this tutorial, we will install OpenVPN on FreeBSD 10.2 with certificate-based authentication, so anyone who holds a valid client certificate can use our VPN.


  • FreeBSD 10.2
  • Root privileges

Step 1 - Update the System

Before you begin the installation, make sure your system is up to date. Use "freebsd-update" to update it:

freebsd-update fetch
freebsd-update install

Step 2 - Install OpenVPN

You can install OpenVPN from the FreeBSD ports tree, in the directory "/usr/ports/security/openvpn/", or as a binary package with the "pkg" command. In this tutorial I use pkg. Install it with the following command:

pkg install openvpn

The command also installs the "easy-rsa" and "lzo2" packages that OpenVPN needs.

Step 3 - Generate Server Certificate and Keys

We need the "easy-rsa" package to generate the server key and certificate; it is already installed on our FreeBSD system.

Now create a new directory for OpenVPN and our keys:

mkdir -p /usr/local/etc/openvpn/

Next, copy the easy-rsa directory from "/usr/local/share/" into the OpenVPN directory:

cp -R /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa/

Go to the OpenVPN easy-rsa directory and make all files there executable with "chmod":

cd /usr/local/etc/openvpn/easy-rsa/
chmod +x *

Before generating any certificate, source the "vars" file in the easy-rsa directory so the certificate scripts pick up their settings:

. ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/etc/openvpn/easy-rsa/keys


Next, we want to generate four keys and certificates:

  1. CA (Certificate Authority) key
  2. Server key and certificate
  3. Client key and certificate
  4. Diffie-Hellman parameters (necessary for the server end of an SSL/TLS connection)

Generate ca.key

In the easy-rsa directory, run the following command:


Enter your information (state, country, email, etc.); you can accept the defaults by pressing "Enter". The command generates ca.key and ca.crt in the "keys/" directory.

Generate server key and certificate

Generate the server key with "build-key-server nameofserverkey"; we use "server" as our server name.

./build-key-server server

Enter your information (state, country, email, etc.); you can accept the defaults by pressing "Enter". Type "y" to confirm and sign the certificate.

Generate the client key and certificate

Generate the client key and certificate with the "build-key nameofclientkey" command in the easy-rsa directory. In this tutorial we use "client" as the client name.

./build-key client

Enter your information (state, country, email, etc.); you can accept the defaults by pressing "Enter". Type "y" to confirm and sign the certificate.

Generate dh parameters

In FreeBSD 10.2 the default size for the DH parameters is 2048 bits. That is strong; you can make it stronger with 4096-bit parameters, but that slows down the handshake.

Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time

All certificates are now created in the keys directory, "/usr/local/etc/openvpn/easy-rsa/keys/". Finally, copy the keys directory up into the OpenVPN directory:

cp -R keys ../    # from easy-rsa/ this lands in /usr/local/etc/openvpn/keys/

cd ..

total 40
drwxr-xr-x 4 root wheel 512 Sep 21 00:57 easy-rsa
drwx------ 2 root wheel 512 Sep 21 00:59 keys

Step 4 - Configure OpenVPN

In this step we configure OpenVPN with the keys and certificates created above. Copy the sample configuration file from "/usr/local/share/examples/openvpn/sample-config-files/" to our OpenVPN directory "/usr/local/etc/openvpn/":

cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/server.conf
cd /usr/local/etc/openvpn/

Next, edit the "server.conf" file with nano; if you do not have it, install it with:

pkg install nano

Now edit the file :

nano -c server.conf

Note: -c shows line numbers in the nano editor.

On line 32, configure the port used by OpenVPN. I will use the default port:

port 1194

I use the UDP protocol, which is the default, on line 36 (OpenVPN expects the protocol name in lowercase):

proto udp

Next, go to line 78 to configure the certificate authority (CA), the server certificate and key, and the DH parameters:

ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key #our server key
dh /usr/local/etc/openvpn/keys/dh2048.pem

Next, configure the private IP network used by OpenVPN and its clients on line 101. I will leave the default:


Finally, configure the log files, starting on line 280. We will keep them in the "/var/log/openvpn/" directory:

status /var/log/openvpn/openvpn-status.log

and on line 289:

log /var/log/openvpn/openvpn.log

Save and exit. Now create the directory and the files that will hold the logs:

mkdir -p /var/log/openvpn/
touch /var/log/openvpn/openvpn.log /var/log/openvpn/openvpn-status.log
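As an added example (not part of the original tutorial), here is a small POSIX sh check for the server.conf from this step: it confirms that every file the ca, cert, key, dh, status and log directives point at exists, that server.key is not readable by other users, and that proto is lowercase as OpenVPN requires. The demo at the bottom runs against constructed placeholder files in a temporary directory; point check_server_conf at /usr/local/etc/openvpn/server.conf to check the real one.

```shell
#!/bin/sh
# Added example, not from the original tutorial: sanity-check the server.conf of
# Step 4. Every file it names (ca, cert, key, dh, status, log) must exist, the
# private key must not be group/world readable, and "proto" must be lowercase.
# The demo at the bottom uses constructed placeholder files in a temp directory.
directive() {  # directive CONF NAME -> first value of NAME, "#" comment stripped
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^#]*\).*/\1/p" "$1" |
        head -n 1 | sed 's/[[:space:]]*$//'
}
check_server_conf() {  # prints every problem found; returns 0 only if none
    conf=$1 rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    for opt in ca cert key dh status log; do
        val=$(directive "$conf" "$opt")
        if [ -z "$val" ]; then echo "missing directive: $opt"; rc=1
        elif [ ! -e "$val" ]; then echo "$opt: no such file: $val"; rc=1
        fi
    done
    key=$(directive "$conf" key)
    # columns 5-10 of "ls -l" are the group/other permission bits: all must be "-"
    if [ -e "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "key $key is readable by other users; chmod 0600 it"; rc=1
    fi
    case $(directive "$conf" proto) in  # OpenVPN compares this case-sensitively
        udp|udp4|udp6|tcp|tcp4|tcp6|tcp-server|tcp4-server|tcp6-server) ;;
        *) echo "proto must be lowercase, e.g. \"proto udp\""; rc=1 ;;
    esac
    return $rc
}
make_demo_conf() {  # make_demo_conf DIR -> writes constructed files, prints conf path
    mkdir -p "$1/keys" "$1/log"
    for f in ca.crt server.crt server.key dh2048.pem; do : > "$1/keys/$f"; done
    chmod 0600 "$1/keys/server.key"
    : > "$1/log/openvpn-status.log"; : > "$1/log/openvpn.log"
    cat > "$1/server.conf" <<EOF
proto udp
ca $1/keys/ca.crt
cert $1/keys/server.crt
key $1/keys/server.key #our server key
dh $1/keys/dh2048.pem
status $1/log/openvpn-status.log
log $1/log/openvpn.log
EOF
    echo "$1/server.conf"
}
demo=$(mktemp -d) && check_server_conf "$(make_demo_conf "$demo")" && echo "server.conf OK"
rm -rf "$demo"
```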

Step 5 - Enable IP Forwarding and Add OpenVPN to the Startup

To enable IP forwarding in FreeBSD (so the server can route traffic for VPN clients) use the sysctl command. Note that a sysctl set this way does not survive a reboot; to make it permanent, set gateway_enable="YES" in /etc/rc.conf as well:

sysctl net.inet.ip.forwarding=1

Add OpenVPN to the boot sequence by editing the "/etc/rc.conf" file:

nano /etc/rc.conf

Add the lines below to the end of the file:


Save and exit.

Step 6 - Start OpenVPN

Start OpenVPN with the service command:

service openvpn start

Check that OpenVPN is running by looking at the port it listens on:

sockstat -4 -l

You should see that port 1194 is open and used by openvpn.

Step 7 - Configure the Client

On the client side, you need these certificate files:

  • ca.crt
  • client.crt
  • client.key

Copy the three files to the home directory and change their ownership to the user you log in with over ssh:

cd /usr/local/etc/openvpn/keys/
cp ca.crt client.crt client.key /home/myuser/
cd /home/myuser/
chown myuser:myuser ca.crt client.crt client.key

Then download the certificates to your client. I am using Linux here, so I just download them with scp:

scp myuser@ myvpn/
scp myuser@ myvpn/
scp myuser@ myvpn/

Create the client configuration file:

nano client.ovpn

Add the following:

client                     # act as a TLS client and pull options from the server; required for the ca/cert/key directives below
dev tun
proto udp
remote 1194 #ServerIP and Port used by openvpn
resolv-retry infinite
user nobody
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
verb 3

Save and exit.

Now you can see the files that belong to the client:


total 20K
-rw-r--r--. 1 myuser myuser 1.8K Sep 21 03:09 ca.crt
-rw-r--r--. 1 myuser myuser 5.4K Sep 21 03:09 client.crt
-rw-------. 1 myuser myuser 1.7K Sep 21 03:09 client.key
-rw-rw-r--. 1 myuser myuser 213 Sep 20 00:13 client.ovpn

Step 8 - Testing OpenVPN

Now it is time to test OpenVPN. Connect to the OpenVPN server with the client configuration file we created:

cd myvpn/
sudo openvpn --config client.ovpn

We are now connected to the VPN and have received a private IP address.

Another test: ping the client's private IP from the FreeBSD server:


And from the client, connect over ssh to the FreeBSD server's private VPN IP:

ssh myuser@

Everything works; we are connected.


A VPN (Virtual Private Network) is a secure, private network carried over a public network (the Internet). OpenVPN is an open-source project that implements virtual private network technology; it secures your traffic and encrypts it using the OpenSSL libraries. OpenVPN is easy to deploy and install on your own server, and it is one of the best solutions if you want to protect your online "PRIVACY".

3 Comments

  1. This VPN how-to is outdated. The FreeBSD version of this OpenVPN port/pkg does have the build-ca, build-key-server, build-key, build-dh scripts. There is a script called easyrsa.real. You need to update this how-to, giving the commands to build keys using this new script easyrsa.real.

  2. It's not recommended to use Easy-RSA as it does not create secure enough certs, nor does it create proper Server and Client certs, or for that matter a proper CA cert. utilizing Easy-RSA is simply being lazy about security, and since one is obviously setting up a VPN for privacy and/or security reasons, let's do this right the first time around. Why OpenVPN refuses to update Easy-RSA to generate proper certs is baffling.

    Additionally, due to the laziness of utilizing Easy-RSA, the Server and Client configs must be configured with obsolete options ( 'ns-cert-type server' in the server config & 'remote-cert-tls' in the client config; ns stands for NetScape Browser). Ditching Easy-RSA for the proper, secure way of generating a CA & certs via an openssl.cnf renders both aforementioned issues moot.

    Due to how overwhelming an openssl.cnf can seem, I built one from the ground up to be security conscious and easy to understand; It can be found on my GitHub (link at bottom), with all commands & information needed starting at line 507. All one needs to do is modify a few lines to fit their environment (such as the SAN profiles).

    When utilizing my openssl.cnf:

    - It properly creates server and client certs with the appropriate KUs & EKUs

    1. Server config then loses "ns-cert-type server" as the server certificate is properly created with the serverAuth EKU

    2. Client config then loses "remote-cert-tls server" and gains "remote-cert-ku f8", as the server certificate has been properly created with the EKU serverAuth, and the client certificate has been properly created with the EKU clientAuth.


  3. Thank you for this How To, it really helped me.

    I have two questions:
    - As you said, it is possible to ping, but I don't get redirection to the internet. Isn't something missing in rc.conf?

    - Why did you put openvpn_if="tap" for a dev tun configuration?

    Thank you very much
