Saturday, January 31, 2009

OpenVPN and Mac OS Tunnelblick

I wanted a quick and easy way to VPN into my house from anywhere. OpenVPN, an open source VPN solution, was perfect for what I needed. What I wanted was to set up a VPN client on my laptop so I could get into my home network. I found the Tunnelblick client for Mac OS X. There is an OpenVPN client for Windows as well.
See http://openvpn.se/ for details.

There are two modes to run OpenVPN in, tap or tun; this is important to understanding how OpenVPN works.

Here is an excerpt from the OpenVPN FAQ:

"The difference between a tun and tap device is this: a tun device is a virtual IP point-to-point device and a tap device is a virtual Ethernet device. So getting back to the "long cable" analogy, using a tun device would be like having a T1 cable connecting the computers and using a tap device would be like having an Ethernet network connecting the two computers. People who are running applications that need the special features of Ethernet (which won't work on an IP-only network) will often bridge their physical local Ethernet with a tap device (using a utility such as brctl on Linux), then VPN the tap device to another similar setup at the other end. This allows OpenVPN to route Ethernet broadcasts and non-IP protocols such as Windows NetBIOS over the VPN. If you don't need the special features of Ethernet (such as bridging capability), it's better to use a tun device."

Setting up the Server

Setting up the CA with easy-rsa, which comes with OpenVPN.
The easy-rsa directory can usually be found in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-2.0

Make sure all the scripts you run are chmod 755 so they execute properly. Sourcing the vars script sets the directory where the keys are stored, but you might have to create that directory yourself.

. ./vars
./clean-all
./build-ca

Walk through the prompts for setting up the CA.
For example, the common name should be a domain name such as mycompany.org.
Make sure you use just mycompany.org, not host.mycompany.org, for the common name when setting up the CA.

OK, now that the CA key is set up, let's work on the server key:
./build-key-server server.mycompany.org

OK, now let's build the client key:
./build-key client1.mycompany.org

Move ca.crt and the server .crt and .key files to your ~/Library/OpenVPN directory on the Mac.

Now let's look at the server configuration.
Here is my server config; I will break it down so it makes sense.

# daemon means it runs in daemon mode (in the background)
daemon
# UDP port the server listens on
port 4444
proto udp
# tun (routed, IP-only) interface, see the FAQ excerpt above
dev tun
# Server's external IP address to bind to. local takes only a host;
# the listening port is set by the port line above.
local 67.180.145.190
# Act as the TLS server in the handshake
tls-server
# CA cert, the server's own cert and key, and the Diffie-Hellman parameters
ca ca.crt
cert mycert.company.com.crt
key mycert.company.com.key
dh dh1024.pem
# Internal subnet the VPN hands client addresses out of
server 192.168.3.0 255.255.255.0
# Remember which client got which address across restarts
ifconfig-pool-persist /etc/openvpn/ipp.txt
# Pushes the route to the home LAN to the client
push "route 192.168.10.0 255.255.255.0"
# Ping every 10 seconds, assume the peer is down after 120 seconds
keepalive 10 120
# Keep the key and tun device across restarts (needed once privileges are dropped)
persist-key
persist-tun
# LZO compression (both ends must agree)
comp-lzo
status /var/log/openvpn-status.log
# Logging verbosity and suppression of repeated messages
verb 3
mute 20

Setting up the client

OK, at this point download the Tunnelblick client dmg and install it.
The client configuration goes in ~/Library/openvpn/

Become root on your machine:
sudo bash
cd ~/Library/openvpn
mv openvpn.conf openvpn.org

Create the configuration with the following entries.

Client Config
# Remote server's external IP and port (must match the server's port line)
remote 67.180.145.190
port 4444
# Pull server-side settings such as the pushed route
client
dev tun
proto udp
# Keep retrying name resolution if the network is down
resolv-retry infinite
# Don't bind to a fixed local port
nobind
# CA cert plus this client's own cert and key from build-key above,
# stored alongside this config in ~/Library/openvpn
ca ca.crt
cert client1.mycompany.org.crt
key client1.mycompany.org.key
# Drop privileges after startup
user nobody
group nobody
persist-key
persist-tun
comp-lzo
verb 3
log openvpn.log
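
As an added example (not from the original post), here is a small POSIX shell lint for the server and client configs above. It catches the slips that are easy to make when writing these files by hand: a missing ca/cert/key, a directive pasted twice, a port tacked onto the local line, a client config without remote-cert-tls server (so any cert from the same CA could pose as the server), and a private key readable by other users. The function name check_ovpn_conf and the file paths it is given are assumptions.

```shell
# Lint an OpenVPN config (added example, not part of the original post).
# Usage: check_ovpn_conf FILE server|client
# Prints one finding per line; returns 0 when clean, 1 otherwise.
# directives FILE -> config lines with comments and blank lines stripped
directives() {
    sed -e 's/[#;].*//' -e 's/^[[:space:]]*//' -e '/^$/d' "$1"
}
# has FILE NAME -> true if directive NAME appears at least once
has() {
    directives "$1" | awk -v d="$2" '$1 == d { f = 1 } END { exit !f }'
}
fail() { echo "$conf: $1"; bad=1; }

check_ovpn_conf() {
    conf="$1"; mode="$2"; bad=0
    # Every TLS peer needs the CA plus its own cert and key
    for d in ca cert key dev proto; do
        has "$conf" "$d" || fail "missing '$d' directive"
    done
    case "$mode" in
    server)
        has "$conf" server || fail "missing 'server' (VPN subnet) directive"
        has "$conf" dh     || fail "missing 'dh' (Diffie-Hellman params) directive"
        # 'local' takes only a host; the listening port belongs on a 'port' line
        directives "$conf" | awk '$1 == "local" && NF > 2 { exit 1 }' \
            || fail "'local' has extra arguments (use a separate 'port' line)"
        ;;
    client)
        has "$conf" client || fail "missing 'client' directive"
        has "$conf" remote || fail "missing 'remote' directive"
        # Without this, any cert issued by the same CA is accepted as the server
        has "$conf" remote-cert-tls || fail "missing 'remote-cert-tls server'"
        ;;
    *)  fail "unknown mode '$mode' (expected server or client)" ;;
    esac
    # Repeated directives are usually copy-paste slips (push/remote/route may repeat)
    for d in $(directives "$conf" | awk '$1 != "push" && $1 != "remote" && $1 != "route" { print $1 }' | sort | uniq -d); do
        fail "directive '$d' appears more than once"
    done
    # A private key readable by other users defeats the whole setup
    keyfile=$(directives "$conf" | awk '$1 == "key" { print $2; exit }')
    if [ -n "$keyfile" ] && [ -f "$keyfile" ]; then
        case $(ls -l "$keyfile" | cut -c5-10) in
        ------) ;;
        *) fail "key '$keyfile' is readable by group/others (chmod 600 it)" ;;
        esac
    fi
    return $bad
}
```

Run it from the directory holding the config so that relative key paths resolve, e.g. check_ovpn_conf openvpn.conf client.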

That's it. As always, if you have any questions contact me at gryanfawcett At gmail dot com.