local 220.127.116.11 port 1194 proto udp dev tun ca ca.crt cert server.crt key server.key # This file should be kept secret dh dh1024.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt client-config-dir ccd route 172.31.0.0 255.255.255.0 push "redirect-gateway" push "dhcp-option DNS 18.104.22.168" push "dhcp-option DNS 22.214.171.124" keepalive 10 120 tls-auth ta.key 0 # This file is secret cipher AES-128-CBC # AES comp-lzo user nobody group nobody persist-key persist-tun status openvpn-status.log log openvpn.log verb 3
openvpn_enable="YES" openvpn_configfile="/usr/local/etc/openvpn/server.conf" natd_enable="YES" natd_interface="fxp0" natd_flags="-f /etc/natd.conf" firewall_enable="YES" gateway_enable="YES"
interface fxp0 use_sockets yes same_ports yes
Client Config Directory (CCD)
Client specific settings can be specified by creating a ccd/CN file.
Under Windows, the following files will need to be placed in Program Files\OpenVPN\Config
This is the Root CA certificate that the client and server certificates are signed with. It is required for all clients.
This is a preshared secret used for the tls-auth directive. It is required for all clients.
client.crt & client.key
These two files are specific to each individual client. Everyone requiring access to the VPN will need these files generated for them.
These files are generated on 'inferno.incoherency.net, as root:
cd /root/easy-rsa . ./vars ./build-key clientname
Where clientname is the unique name of the client you are building the certificate/key files for. When prompted for the CN (Common Name) attribute, use the same clientname parameter used on the command line.
This is the main configuration file. Under Unix systems you'd likely call this incoherency.conf or client.conf. The ovpn extension to this filename is Windows specific.
Change the cert and key directives in this file to match your certificate and key files respectively.
client dev tun proto udp remote inferno.incoherency.net 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert yourcert.crt key yourkey.key ns-cert-type server tls-auth ta.key 1 cipher AES-128-CBC comp-lzo
Mac OS X
OS X has an OpenVPN GUI called [Tunnelblick]. The setup is basically the same as in Windows. The client configuration, certificates, etc go in ~/Library/openvpn.
Unfortunately Tunnelblick does not seem to support the redirect-gateway directive as of version 3.0b9.
- The TAP driver included with OpenVPN in versions prior to 2.1 is not compatible with Vista. At the time of this writing OpenVPN 2.1_rc13 is available and appears to work as expected. Although I'm not sure the TAP driver is required for our purposes, given the TAP interface is used for bridged VPNs, not routed VPNs.
- UAC prevents the OpenVPN client from adding or altering routes in the system. When launching the OpenVPN GUI under Vista, write click the shortcut and choose Run as Administrator to work around this.
- TUN interface for Layer 3 (IP) traffic. TAP interface for Layer 2 (Ethernet) traffic.