Updated 26.11.2025
In short:
pkg install openvpn easy-rsa
mkdir -p /usr/local/etc/openvpn
cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/server.conf
cp /usr/local/share/easy-rsa/vars.example /usr/local/etc/openvpn/vars
vi /usr/local/etc/openvpn/vars
Adjust the following variables (EASYRSA_NO_PASS 1 writes every key, the CA key included, without a passphrase; acceptable for a lab, not for a CA whose compromise would matter):
set_var EASYRSA_REQ_COUNTRY "RU"
set_var EASYRSA_REQ_PROVINCE "Moscow"
set_var EASYRSA_REQ_CITY "Gorod"
set_var EASYRSA_REQ_ORG "Firma"
set_var EASYRSA_REQ_EMAIL "lll@lll.ll"
set_var EASYRSA_REQ_OU "IT"
set_var EASYRSA_NO_PASS 1
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650
Run the following from /usr/local/etc/openvpn: easyrsa picks up the vars file from the current directory and creates the pki/ tree there, which is where the paths in server.conf below expect it:
cd /usr/local/etc/openvpn
easyrsa init-pki
easyrsa build-ca
easyrsa build-server-full server nopass
easyrsa gen-dh
easyrsa gen-crl
gen-crl writes pki/crl.pem, but the server only consults it if the config carries crl-verify pointing at that file (neither configuration on this page does), so a client certificate revoked with easyrsa revoke keeps working until crl-verify is added.
Configuration variant without tls-auth (the certificates still set up TLS for the control channel; what is missing is the extra pre-shared HMAC key, so anyone who can reach UDP/1195 can talk to the TLS stack directly):
vi /usr/local/etc/openvpn/server.conf
[spoiler title=’server.conf:’ style=’green’ collapse_link=’true’]
port 1195
proto udp
dev tun
ca /usr/local/etc/openvpn/pki/ca.crt
cert /usr/local/etc/openvpn/pki/issued/server.crt
key /usr/local/etc/openvpn/pki/private/server.key
dh /usr/local/etc/openvpn/pki/dh.pem
# add "crl-verify /usr/local/etc/openvpn/pki/crl.pem" for revocations made with easyrsa revoke + gen-crl to take effect
topology subnet
server 10.63.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#push "redirect-gateway def1 bypass-dhcp"
#push "dhcp-option DNS 192.168.37.1"
#push "dhcp-option DNS 77.88.8.7"
keepalive 10 120
# legacy directive: OpenVPN 2.5+ negotiates the data-channel cipher from data-ciphers (AEAD by default)
# and only keeps this value for peers that cannot negotiate
cipher AES-256-CBC
# uncomment to drop root after initialisation (persist-key/persist-tun below make that work across restarts)
#user nobody
#group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 4
explicit-exit-notify 1
auth sha512
[/spoiler]
Enable and start the service:

service openvpn enable
service openvpn start
The server is ready.
Possible error when starting the openvpn service:
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
The port's rc script starts /usr/local/etc/openvpn/openvpn.conf by default, not server.conf: either set openvpn_configfile to the server.conf path in /etc/rc.conf or name the file openvpn.conf (the second configuration on this page already is). A missing or unreadable ca/cert/key/dh file produces the same warning. Look for the reason in the log (and in /var/log/openvpn.log once log-append is in effect):
tail -f -n 100 /var/log/messages
Historical note: easyrsa changed in 2016; it no longer needs "sh ./easyrsa.real", now you simply run "easyrsa", for example "easyrsa init-pki". Manual: https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Readme.md
Creating keys for a client:
easyrsa build-client-full nameclient nopass
Client configuration (ca.crt, nameclient.crt and nameclient.key are resolved relative to the directory OpenVPN is started in; use absolute paths if in doubt):

client
proto udp
dev tun0
ca ca.crt
cert nameclient.crt
key nameclient.key
remote 83.220.87.1 1195
#cipher AES-256-CBC
# must be "server" in a client config: the peer has to present a certificate with the server EKU that
# build-server-full sets; without this any client certificate from the same CA could impersonate the server
remote-cert-tls server
verb 3
mute 20
keepalive 20 120
persist-key
persist-tun
# float lets the server change its source address mid-session; drop it if the server address is fixed
float
resolv-retry infinite
nobind
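The server configuration above has no control-channel key and leaves the privilege drop commented out, and the client side depends on remote-cert-tls being set correctly. The checker below is an added example in POSIX sh; it is not part of the original page, of the linked source, or of OpenVPN. Given a server or client config path it reports a missing tls-auth/tls-crypt/tls-crypt-v2, a server without user/group, the legacy cipher directive with no data-ciphers, a client whose remote-cert-tls is not server, and any ca/cert/key/dh/tls-* file that is missing or whose key material is readable by group or others. Directive names are OpenVPN's own; the function names, the messages, and the assumption that relative paths resolve against the config's own directory are this example's.

```shell
#!/bin/sh
# Added example, not code from the original page or from OpenVPN: a
# pre-start review of a server or client config. POSIX sh plus grep, sed
# and awk only. Directive names are OpenVPN's; function names, messages
# and the relative-path assumption below are this example's own.
# Usage: check_config /usr/local/etc/openvpn/server.conf

# Arguments of an active (uncommented) directive, one line per occurrence.
directive() { sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1"; }
# 0 if the directive is present at all, with or without arguments.
has() { grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"; }

warn() { echo "WARN: $*"; found=$((found + 1)); }

# Every file named by a path directive must be readable, and key material
# must not be readable by group or others. A missing file is a common
# cause of "WARNING: failed to start openvpn".
check_files() {
    cfg=$1; base=$(dirname "$cfg")
    for opt in ca cert key dh tls-auth tls-crypt tls-crypt-v2; do
        f=$(directive "$cfg" "$opt" | head -n 1 | awk '{print $1}')
        if [ -z "$f" ] || [ "$f" = none ]; then continue; fi
        # assumption: relative paths are resolved against the config's directory
        case $f in /*) ;; *) f="$base/$f" ;; esac
        if [ ! -r "$f" ]; then warn "$opt: $f missing or unreadable"; continue; fi
        case $opt in key|tls-*)
            # columns 5-10 of "ls -l" are the group and other permission bits
            case $(ls -ld "$f" | cut -c5-10) in
                ------) ;;
                *) warn "$opt: $f is readable by group/others, chmod 600 it" ;;
            esac ;;
        esac
    done
}

# Review one config. Prints findings and returns their count (0 = clean).
check_config() {
    cfg=$1; found=0
    if has "$cfg" client; then role=client; else role=server; fi

    # Without a control-channel key, any host that can reach the UDP port
    # talks to the TLS stack directly; tls-auth (HMAC) or tls-crypt (HMAC
    # plus encryption) drops unauthenticated packets before that.
    if ! has "$cfg" tls-auth && ! has "$cfg" tls-crypt && ! has "$cfg" tls-crypt-v2; then
        warn "no tls-auth/tls-crypt: the TLS handshake is exposed to anyone who can reach the port"
    fi
    # "cipher" alone is the 2.4-era setting; 2.5+ negotiates from data-ciphers.
    if has "$cfg" cipher && ! has "$cfg" data-ciphers; then
        warn "'cipher' without 'data-ciphers': list AEAD ciphers (AES-256-GCM, ChaCha20-Poly1305) in data-ciphers"
    fi
    if [ "$role" = server ]; then
        has "$cfg" user  || warn "no 'user': the daemon stays root after initialisation"
        has "$cfg" group || warn "no 'group': the daemon keeps its initial group"
    elif [ "$(directive "$cfg" remote-cert-tls | head -n 1)" != server ]; then
        warn "client without 'remote-cert-tls server': any certificate from the CA could pose as the server"
    fi
    check_files "$cfg"
    return $found
}
```

Run against the server.conf above it prints four warnings (no tls-auth, cipher without data-ciphers, no user, no group), and a fifth if server.key is not mode 600; the tls-auth server configuration further down still gets the two about user and group.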
Server configuration variant with tls-auth (the control channel is additionally protected by a pre-shared HMAC key, ta.key, generated with openvpn --genkey tls-auth ta.key and copied to every client; tls-crypt is the stronger form that also encrypts the control channel). Taken from the source linked at the end of the page; its data-ciphers list is AEAD-only and compression is disabled, which is what the kernel data-channel offload (DCO) discussed there requires.
Configuration added 2025-03-24.
[spoiler title=’/usr/local/etc/openvpn/openvpn.conf’ style=’green’ collapse_link=’true’]
# this is the device used
dev tun2
verb 4
dev-type tun
writepid /var/run/openvpn_server2.pid
# level 2 is enough for the client-connect/client-disconnect scripts below; 3 additionally passes passwords to scripts via environment variables
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
# these don’t do much. I’m sure I can get rid of them
client-connect /usr/local/sbin/serverlocal-events.sh
client-disconnect /usr/local/sbin/serverlocal-events.sh
# Enable TLS and assume server role during TLS handshake
tls-server
# this configures OpenVPN into server mode
# openvpn_server_ip4 is the IP address the server takes for itself
server 10.8.1.0 255.255.255.0
# All the client specific configurations
client-config-dir /usr/local/etc/openvpn/ccd
# server routes
push "route 10.55.0.0 255.255.255.0"
# These are used by the laptops / Viscosity
push "dhcp-option DNS 10.55.0.1"
push "dhcp-option DNS 10.55.0.73"
push "dhcp-option DNS 10.55.0.13"
# template all the things
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/dh2048.pem
# secret key, same value on client and server
tls-auth /usr/local/etc/openvpn/keys/ta.key 0
data-ciphers AES-256-GCM:AES-128-GCM:ChaCha20-Poly1305
data-ciphers-fallback ChaCha20-Poly1305
allow-compression no
topology subnet
# custom options section of pfSense configuration starts here:
# bunch of endpoints
# Client routes
#
# tallboy
#
route 10.70.0.0 255.255.255.0
push "route 10.70.0.0 255.255.255.0"
# other client routes redacted here.
# keep tun around during restart
persist-tun
# short status file
status /var/run/openvpn-status.log
# replay protection sliding-window size and time window
replay-window 128 60
# From mzar #FreeBSD on Libera.chat on 2025-03-10
tun-mtu 1400
# Let peers know we’re going away
# this encourages them to reconnect right away instead of waiting for a timeout
explicit-exit-notify 1
client-to-client
[/spoiler]
Client configuration:
[spoiler title=’connect_tls.ovpn’ style=’green’ collapse_link=’true’]
client
dev tun
proto udp
remote foo.example.net 1194
resolv-retry infinite
nobind
#user openvpn
#group openvpn
persist-key
persist-tun
pull
remote-cert-tls server
tls-auth /usr/local/etc/openvpn/keys/ta.key 1
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/client.crt
key /usr/local/etc/openvpn/keys/client.key
verb 4
# negotiate the same AEAD set the server offers (an AEAD cipher is also required for DCO);
# "cipher" only remains as a fallback for a peer that cannot negotiate
data-ciphers AES-256-GCM:AES-128-GCM:ChaCha20-Poly1305
cipher AES-256-CBC
auth SHA256
[/spoiler]
Source: https://dan.langille.org/2025/03/10/get-faster-openvpn-on-freebsd-by-enabling-dco-easily-done/