visit https://www.elrepo.org

rpm –import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org

Centos6:rpm -Uvh http://www.elrepo.org/elrepo-release-6-8.el6.elrepo.noarch.rpm

Centos7:rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm

yum –enablerepo=elrepo-kernel install kernel-ml -y

vi /boot/grub/grub.conf

default=0

vi /etc/sysctl.conf

net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

reboot

sysctl net.ipv4.tcp_available_congestion_control

The output should resemble:
net.ipv4.tcp_available_congestion_control = bbr cubic reno

和Centos有点区别。

1. 使用pkg安装openvpn：pkg install openvpn
2. 使用easy-rsa生成数字证书，生成openvpn server配置文件，默认的即可，我们使用udp协议，把服务端口修改为443，这样比较通用。
3. 修改rc.conf，启用pf做nat，启用gateway，增加openvpn配置。pf_enable=”YES”
   pf_rules=”/etc/pf.conf”
   pflog_enable=”YES”
   pflog_logfile=”/var/log/pflog”
   gateway_enable=”YES”
   openvpn_enable=”yes”
   openvpn_configfile=”/usr/local/etc/openvpn/2.0/conf/server.conf”
   openvpn_if=”tun”
4. 增加pf.conf配置文件，这里我们的FreeBSD运行在ESXI上，所以网卡是vmx0，openvpn clients的网络是10.9.0.0/24，服务器的IP地址是192.168.0.99：#/etc/pf.conf
   if=”vmx0″
   vpn_if=”tun0″
   vpn_net = “10.9.0.0/24″icmp_types = “echoreq”
   open_tcp = “{22}”
   open_udp = “{443}”
   # wan ip
   ip = 192.168.0.99
   set block-policy drop
   set skip on lo0
   set limit { states 10000, frags 5000 }
   set loginterface vmx0
   set optimization normal
   set require-order yes
   set fingerprints “/etc/pf.os”
   set ruleset-optimization basicscrub in all fragment reassemble random-idnat on $if from $vpn_net to any -> $ip

   block log all
   block return

   antispoof quick for $if
   pass in quick proto udp from any to port 443 keep state label “openvpn”

   # Pass stuff on the VPN interface
   pass quick on $vpn_if keep state

   pass in on $if proto tcp from any to any port 22 keep state

   pass in on $if proto tcp from any to any port $open_tcp keep state
   pass in on $if proto udp from any to any port $open_udp keep state

   pass out quick all keep state

   pass in on $if inet proto icmp all icmp-type $icmp_types keep state

5. 在sysctl.conf中增加IP forwarding配置：net.inet.ip.forwarding=1
6. 可以启动了：service openvpn start
7. 其实大同小异，不过最近发现zfs和jail都是蛮不错的好东西，大神的设计往往超越了时代，却是那些简陋而充满bug的设计流行于世间。