OpenVPN Server on FreeBSD
It is a little different from CentOS.
- Install openvpn with pkg: `pkg install openvpn`
- Generate the certificates with easy-rsa and generate the openvpn server config file; the defaults are fine. We use the UDP protocol and change the server port to 443, since that port is reachable from more networks.
- Edit rc.conf: enable pf (for NAT), enable the gateway, and add the openvpn settings:

```
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
gateway_enable="YES"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/2.0/conf/server.conf"
openvpn_if="tun"
```

- Add the pf.conf ruleset. Here our FreeBSD runs on ESXi, so the NIC is vmx0; the openvpn client network is 10.9.0.0/24 and the server's IP address is 192.168.0.99:

```
# /etc/pf.conf
if = "vmx0"
vpn_if = "tun0"
vpn_net = "10.9.0.0/24"
icmp_types = "echoreq"
open_tcp = "{22}"
open_udp = "{443}"
# wan ip
ip = "192.168.0.99"

set block-policy drop
set skip on lo0
set limit { states 10000, frags 5000 }
set loginterface vmx0
set optimization normal
set require-order yes
set fingerprints "/etc/pf.os"
set ruleset-optimization basic

scrub in all fragment reassemble random-id

nat on $if from $vpn_net to any -> $ip

block log all
block return
antispoof quick for $if

pass in quick proto udp from any to port 443 keep state label "openvpn"

# Pass stuff on the VPN interface
pass quick on $vpn_if keep state

pass in on $if proto tcp from any to any port 22 keep state
pass in on $if proto tcp from any to any port $open_tcp keep state
pass in on $if proto udp from any to any port $open_udp keep state
pass out quick all keep state
pass in on $if inet proto icmp all icmp-type $icmp_types keep state
```
- Add the IP forwarding setting to sysctl.conf: `net.inet.ip.forwarding=1` (gateway_enable="YES" in rc.conf already sets this at boot, so the line is redundant but harmless; `sysctl net.inet.ip.forwarding=1` applies it immediately without a reboot).
- Now it can be started: `service openvpn start`
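Putting the steps above together, here is an added example script (not from the original post) that builds server.conf and pf.conf from a few variables, cross-checks them offline so that the port pf opens is the port openvpn listens on and the subnet pf NATs is the subnet openvpn hands out, and only when invoked as `sh openvpn-freebsd.sh deploy` installs the package, writes the files, parse-checks the ruleset with `pfctl -nf` before loading it, sets rc.conf via `sysrc`, starts the services and confirms the listener with `sockstat`. The interface, addresses and port are the post's; the easy-rsa file names under CONF_DIR and the `push "redirect-gateway"` line are assumptions, and the pf ruleset is the post's with its duplicated port rules merged.

```shell
#!/bin/sh
# Added example, not from the original post: build server.conf and pf.conf
# from a few variables, cross-check them offline, and only on "deploy" apply
# the rc.conf/sysctl settings and start the services on a FreeBSD host.
# Assumed, not in the post: easy-rsa file names in CONF_DIR and the push line.
set -eu

WAN_IF="${WAN_IF:-vmx0}"            # ESXi vmxnet3 NIC, as in the post
WAN_IP="${WAN_IP:-192.168.0.99}"    # server LAN address, as in the post
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.9.0.0/24}"   # client subnet, as in the post
VPN_PORT="${VPN_PORT:-443}"         # udp/443, as in the post
CONF_DIR="${CONF_DIR:-/usr/local/etc/openvpn/2.0/conf}"

# 24 -> 255.255.255.0; OpenVPN's "server" directive wants a dotted mask.
prefix_to_mask() {
    m=$(( (4294967295 << (32 - $1)) & 4294967295 ))
    printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
        $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# Only the server.conf lines that must agree with pf.conf and rc.conf; the
# rest stays at the sample-config defaults, as the post says.
server_conf() {
    cat <<EOF
port $VPN_PORT
proto udp
dev tun
ca $CONF_DIR/ca.crt
cert $CONF_DIR/server.crt
key $CONF_DIR/server.key
dh $CONF_DIR/dh2048.pem
server ${VPN_NET%/*} $(prefix_to_mask "${VPN_NET#*/}")
push "redirect-gateway def1 bypass-dhcp"
EOF
}

# The post's pf.conf with its duplicate port rules merged. "\$name" is a pf
# macro left for pfctl; a bare $NAME is filled in by this script.
pf_conf() {
    cat <<EOF
if="$WAN_IF"
vpn_if="$VPN_IF"
vpn_net="$VPN_NET"
icmp_types="echoreq"
open_tcp="{22}"
open_udp="{$VPN_PORT}"
ip="$WAN_IP"
set block-policy drop
set skip on lo0
set limit { states 10000, frags 5000 }
scrub in all fragment reassemble random-id
nat on \$if from \$vpn_net to any -> \$ip
block log all
antispoof quick for \$if
pass in quick on \$if proto udp from any to \$ip port \$open_udp keep state label "openvpn"
pass quick on \$vpn_if keep state
pass in on \$if proto tcp from any to any port \$open_tcp keep state
pass in on \$if inet proto icmp all icmp-type \$icmp_types keep state
pass out quick all keep state
EOF
}

# Offline check: the port pf opens must be the one openvpn listens on, and the
# subnet pf NATs must be the one openvpn hands out.
check_consistency() {
    srv="$(server_conf)"; rules="$(pf_conf)"
    srv_port="$(printf '%s\n' "$srv" | awk '$1 == "port" { print $2 }')"
    srv_net="$(printf '%s\n' "$srv" | awk '$1 == "server" { print $2 }')"
    printf '%s\n' "$rules" | grep -qF "open_udp=\"{$srv_port}\"" \
        || { echo "pf.conf does not open udp/$srv_port" >&2; return 1; }
    printf '%s\n' "$rules" | grep -qF "vpn_net=\"$srv_net/" \
        || { echo "pf.conf nat subnet differs from server.conf" >&2; return 1; }
}

# Host-side steps, as root on FreeBSD.
deploy() {
    [ "$(uname -s)" = FreeBSD ] || { echo "deploy must run on FreeBSD" >&2; return 1; }
    check_consistency
    pkg install -y openvpn
    server_conf > "$CONF_DIR/server.conf"
    pf_conf > /etc/pf.conf
    pfctl -nf /etc/pf.conf              # parse only: stop before touching the live ruleset
    sysrc pf_enable=YES pf_rules=/etc/pf.conf pflog_enable=YES \
        pflog_logfile=/var/log/pflog gateway_enable=YES openvpn_enable=YES \
        openvpn_configfile="$CONF_DIR/server.conf" openvpn_if=tun
    sysrc -f /etc/sysctl.conf net.inet.ip.forwarding=1
    sysctl net.inet.ip.forwarding=1     # apply now; gateway_enable also sets it at boot
    if pfctl -s info | grep -q 'Status: Enabled'; then
        service pf reload               # keeps existing states, e.g. this ssh session
    else
        service pf start
    fi
    service openvpn restart
    sockstat -4 -l -P udp | grep -q "openvpn.*:$VPN_PORT[[:space:]]" \
        || { echo "openvpn is not listening on udp/$VPN_PORT" >&2; return 1; }
}

[ "${1:-}" != deploy ] || deploy
```

Run it with no argument to print nothing and only define the functions (useful for `. ./openvpn-freebsd.sh; pf_conf` to inspect the ruleset), or with `deploy` to apply it. `pfctl -nf` is the check worth keeping even if you write the files by hand: a syntax error in pf.conf would otherwise leave the host without the ruleset you expect, and `service pf reload` rather than `restart` avoids flushing the state table that your own SSH session depends on.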
- Really it is all much the same; but lately I have found that zfs and jails are both very fine things. The designs of the masters are often ahead of their time, yet it is the crude, bug-ridden designs that become popular in the world.