Digital Ocean Private VPN on FreeBSD

This is a rewrite of an older article with a few minor updates. It shows how to configure an OpenVPN server on a Digital Ocean droplet; Digital Ocean provides a public IPv4 and IPv6 address even on its lowest plan ($5 per month).
Using a VPN means you can access content that is legally available in the droplet's country (free-to-air TV, Netflix etc.). An OpenVPN server is also useful when you need to reach the internet securely from untrusted networks (public WiFi etc.).
A VPN also lets you securely access local services running on your droplet, such as IRC bouncers, Samba shares etc.
The setup is pretty simple:
1.) install openvpn via "pkg install openvpn"
2.) add the following to /etc/rc.conf by issuing the commands:
# sysrc openvpn_enable="YES"
# sysrc gateway_enable="YES"
# sysrc pf_enable="YES"
3.) copy easyrsa files:
# cp -r /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa
4.) cd to that directory
Initiate the directory:
# ./easyrsa.real init-pki
Create Certificate Authority
# ./easyrsa.real build-ca
Build certificates:
# ./easyrsa.real build-server-full openvpn-server nopass
Check if it worked:
# ./easyrsa.real show-cert openvpn-server
Build client certificate(s) (without a password! repeat as many times as necessary):
# ./easyrsa.real build-client-full (name) nopass
Finally generate Diffie Hellman file:
# ./easyrsa.real gen-dh
Make the keys directory:
# mkdir /usr/local/etc/openvpn/keys
Copy the keys there:
# cp pki/dh.pem \
pki/ca.crt \
pki/issued/openvpn-server.crt \
pki/private/openvpn-server.key \
/usr/local/etc/openvpn/keys/
Copy these to each client (see step 8): pki/ca.crt, pki/issued/(name).crt, pki/private/(name).key and ta.key (the latter only because tls-auth is configured in step 5). ta.key is the shared tls-auth key used by both server and clients; if it has not been generated yet, create it with:
# openvpn --genkey --secret /usr/local/etc/openvpn/ta.key
Restrict the permissions on the directory so that only root can read the keys (chmod changes permissions, not ownership):
# chmod -R 700 /usr/local/etc/openvpn
5.) add the following to /usr/local/etc/openvpn/openvpn.conf
remote-cert-tls client
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0 # VPN subnet handed out to clients; 10.8.0.0/24 is OpenVPN's sample default, pick any unused private range
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
topology subnet
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222" # opendns servers
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120 # for normal machines
#keepalive 1800 3600 # use this for mobile devices instead
tls-auth ta.key 0 # This file is secret; the path is relative to /usr/local/etc/openvpn
cipher AES-256-CBC
user nobody
group nobody
persist-key # keep the key material and the tun device across restarts, because
persist-tun # after dropping to nobody the daemon can no longer reopen them
status openvpn-status.log
verb 3
explicit-exit-notify 1
6.) start openvpn:
# service openvpn start
7.) Configure pf (/etc/pf.conf) to do NAT so the VPN clients can use Digital Ocean's internet connection.
# macros: the droplet's public interface and the OpenVPN tunnel interface
# (vtnet0 is the usual name on a FreeBSD droplet; check with ifconfig)
wan = "vtnet0"
tun = "tun0"
# options
set block-policy drop
# pass on lo
set skip on lo0
scrub in all
nat on $wan from $tun:network to !($wan) -> ($wan)
# default block
block in all
# inbound from the internet: only ssh and openvpn
pass in log quick on { $wan $tun } proto { udp tcp } from any to any port 22
pass in log quick on { $wan $tun } proto { udp tcp } from any to any port 1194
# out is ok
pass out log quick all keep state
# pass inet4 and inet6 traffic in from VPN clients on the tunnel interface only
# (passing this on $wan as well would undo the default block above)
pass in log on $tun inet
pass in log on $tun inet6
# icmp all good
pass out log inet proto icmp from any to any keep state
pass in log quick inet proto icmp from any to any keep state
8.) Copy all client keys into a folder and create a file called openvpn.ovpn (compatible with the Android client):
client # tls-client mode and pull the pushed options from the server
dev tun
proto udp
remote <droplet-public-ip> 1194
resolv-retry infinite
user nobody
group nogroup
ca ca.crt
cert user1.crt
key user1.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
Create a zip file for easy distribution; the zip should contain:
ca.crt, openvpn.ovpn, ta.key, user1.crt & user1.key
Since the zip contains the client's private key, hand it over through a secure channel and delete it from the phone once imported. Unzip it on your phone, select "Import from SD card", select the .ovpn file and press connect.
Now it should work fine!
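As an alternative to the zip in step 8, the following added example (not from the original post) builds one self-contained .ovpn with the CA, client certificate, client key and ta.key inlined, so a single file is all that goes to the phone. It assumes the easy-rsa pki layout from step 4; the function name make_profile and the argument order are mine, and the files written in the accompanying test are constructed stand-ins, not real keys.

```shell
#!/bin/sh
# Added example, not part of the original post: produce a single-file OpenVPN
# client profile from the easy-rsa pki directory plus the shared ta.key.
# Assumes: pki/ca.crt, pki/issued/<name>.crt, pki/private/<name>.key exist.
set -eu

# make_profile <client-name> <server-host-or-ip> <pki-dir> <ta.key> <output.ovpn>
make_profile() {
    name=$1; host=$2; pki=$3; ta=$4; out=$5
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key" "$ta"; do
        [ -r "$f" ] || { echo "make_profile: cannot read $f" >&2; return 1; }
    done
    # easy-rsa prepends a human-readable text dump to issued certs; keep only the PEM block
    pem() { sed -n "/^-----BEGIN $2-----/,/^-----END $2-----/p" "$1"; }
    {
        printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$host"
        printf 'resolv-retry infinite\nnobind\nremote-cert-tls server\n'
        printf 'cipher AES-256-CBC\nverb 3\n'
        printf 'key-direction 1\n'   # inline equivalent of "tls-auth ta.key 1"
        printf '<ca>\n';       pem "$pki/ca.crt" CERTIFICATE;           printf '</ca>\n'
        printf '<cert>\n';     pem "$pki/issued/$name.crt" CERTIFICATE; printf '</cert>\n'
        printf '<key>\n';      cat "$pki/private/$name.key";            printf '</key>\n'
        printf '<tls-auth>\n'; cat "$ta";                                printf '</tls-auth>\n'
    } > "$out"
    chmod 600 "$out"   # the profile now carries the client's private key
}

# Example invocation on the droplet after "build-client-full user1 nopass":
# make_profile user1 <droplet-public-ip> /usr/local/etc/openvpn/easy-rsa/pki \
#     /usr/local/etc/openvpn/ta.key /root/user1.ovpn
```

The resulting user1.ovpn imports directly in the Android client without unzipping anything.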
You can monitor bandwidth with pftop.
