OpenVPN

From The Incoherency.Net Wiki

Server Configuration

server.conf

local 96.52.184.47
port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

dh dh1024.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

client-config-dir ccd
route 172.31.0.0 255.255.255.0

push "redirect-gateway"
push "dhcp-option DNS 216.234.161.25"
push "dhcp-option DNS 216.194.64.160"

keepalive 10 120

tls-auth ta.key 0 # This file is secret

cipher AES-128-CBC   # AES
comp-lzo

user nobody
group nobody

persist-key
persist-tun

status openvpn-status.log

log openvpn.log

verb 3

rc.conf

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"

natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"
firewall_enable="YES"
gateway_enable="YES"

natd.conf

interface fxp0
use_sockets yes
same_ports yes

Client Config Directory (CCD)

Client specific settings can be specified by creating a ccd/CN file.
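As an added example (not from this wiki page), the shell snippet below writes such a ccd file. It assumes the server.conf above, takes the `route 172.31.0.0 255.255.255.0` there to be a LAN behind one client (so that client's ccd file needs a matching `iroute`), and uses the constructed CN `laptop01` with a /30 address pair from the 10.8.0.0/24 pool (net30 topology, the default for tun in these versions). The CN is validated before it is used as a file name, because the server picks `ccd/<CN>` from the certificate's Common Name, i.e. the clientname given to build-key below.

```shell
#!/bin/sh
# Added example, not part of the wiki page: create a per-client file in the
# client-config-dir ("ccd") referenced by server.conf. Addresses assume the
# page's server 10.8.0.0/24 pool and that 172.31.0.0/24 sits behind this client.

# valid_cn NAME: accept only the characters easy-rsa style names use, so a CN
# can never escape the ccd directory (e.g. "../../etc/something").
valid_cn() {
    case $1 in
        ''|*/*|.*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.-]+$'
}

# write_ccd NAME LOCAL REMOTE LAN MASK: write $CCD_DIR/NAME with a fixed tunnel
# address pair (ifconfig-push) and an iroute for the LAN behind the client.
# The server-side `route` in server.conf sends kernel traffic into the tunnel;
# `iroute` tells OpenVPN which connected client owns that subnet.
write_ccd() {
    cn=$1 local_ip=$2 peer_ip=$3 lan=$4 mask=$5
    valid_cn "$cn" || { echo "refusing bad CN: $cn" >&2; return 1; }
    mkdir -p "$CCD_DIR"
    cat > "$CCD_DIR/$cn" <<EOF
# per-client settings for CN=$cn
ifconfig-push $local_ip $peer_ip
iroute $lan $mask
EOF
}

# Constructed demo: use a throwaway directory instead of the real ccd/.
CCD_DIR=$(mktemp -d)/ccd

# laptop01 is a constructed CN; 10.8.0.5/10.8.0.6 is a valid /30 pair in net30 topology.
write_ccd laptop01 10.8.0.5 10.8.0.6 172.31.0.0 255.255.255.0 && cat "$CCD_DIR/laptop01"
```

The same file name must match the CN exactly (OpenVPN does a plain file lookup), which is why the clientname and the CN are kept identical when the certificate is built.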

Client Configuration

Required Files

Under Windows, the following files will need to be placed in Program Files\OpenVPN\Config

ca.crt

This is the Root CA certificate that the client and server certificates are signed with. It is required for all clients.

ta.key

This is a preshared secret used for the tls-auth directive. It is required for all clients.

client.crt & client.key

These two files are specific to each individual client. Everyone requiring access to the VPN will need these files generated for them.

These files are generated on inferno.incoherency.net, as root:

cd /root/easy-rsa
. ./vars
./build-key clientname

Where clientname is the unique name of the client you are building the certificate/key files for. When prompted for the CN (Common Name) attribute, use the same clientname parameter used on the command line.

incoherency.ovpn

This is the main configuration file. Under Unix systems you'd likely call this incoherency.conf or client.conf. The ovpn extension to this filename is Windows-specific.

Change the cert and key directives in this file to match your certificate and key files respectively.

client
dev tun
proto udp
remote inferno.incoherency.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert yourcert.crt
key yourkey.key

ns-cert-type server
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
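Added example, not part of the wiki page: a small POSIX shell linter that checks an OpenVPN server.conf and a client .ovpn for the hardening directives the server and client configs on this page rely on (tls-auth with the right key direction, cipher, the user/group privilege drop on the server, `ns-cert-type server` on the client) and that a secret file such as ta.key is not readable by group or other. The directive names are real OpenVPN options; the two sample config files and the ta.key contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the wiki page): lint OpenVPN configs for the hardening
# directives used above, and check secret file permissions. Sample inputs are constructed.

# has_directive FILE NAME: true if an uncommented line begins with NAME.
# OpenVPN comment lines start with '#' or ';', so the ^ anchor skips them.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# missing_directives FILE NAME...: print (space separated) the names not set in FILE.
missing_directives() {
    file=$1; shift
    out=""
    for d in "$@"; do
        has_directive "$file" "$d" || out="$out $d"
    done
    printf '%s\n' "${out# }"
}

# Server side: the directives server.conf above uses for hardening.
check_server_conf() {
    missing_directives "$1" tls-auth cipher user group persist-key persist-tun
}

# Client side: ns-cert-type server stops a stolen client cert from being used to
# impersonate the server; tls-auth must reference the same ta.key as the server.
check_client_conf() {
    missing_directives "$1" ns-cert-type tls-auth cipher persist-key persist-tun nobind
}

# tls_auth_direction FILE: print the key-direction argument of tls-auth
# (0 on the server, 1 on clients, as on this page) or "none".
tls_auth_direction() {
    dir=$(grep -E '^[[:space:]]*tls-auth[[:space:]]' "$1" | awk '{print $3}')
    printf '%s\n' "${dir:-none}"
}

# secret_file_ok FILE: true if neither group nor other has any permission bit.
# Parses ls -l, which is portable to FreeBSD and Linux (stat's flags are not).
secret_file_ok() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# --- constructed sample input ------------------------------------------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
tls-auth ta.key 0
cipher AES-128-CBC
persist-key
persist-tun
# user/group deliberately omitted: the daemon would keep root after startup
EOF

cat > "$SAMPLE_DIR/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
nobind
persist-key
persist-tun
tls-auth ta.key 1
cipher AES-128-CBC
;ns-cert-type server   (commented out, so the check must report it)
EOF

printf 'constructed placeholder, not a real key\n' > "$SAMPLE_DIR/ta.key"
chmod 644 "$SAMPLE_DIR/ta.key"   # deliberately too open

# Run the checks when executed directly.
echo "server missing: $(check_server_conf "$SAMPLE_DIR/server.conf")"
echo "client missing: $(check_client_conf "$SAMPLE_DIR/client.ovpn")"
echo "server tls-auth direction: $(tls_auth_direction "$SAMPLE_DIR/server.conf")"
secret_file_ok "$SAMPLE_DIR/ta.key" || echo "ta.key is readable by group/other; chmod 600 it"
```

Point the functions at the real files (e.g. /usr/local/etc/openvpn/server.conf and the ta.key beside it) to check a deployed configuration; the sample directory is only there so the script runs on its own.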

Mac OS X

OS X has an OpenVPN GUI called [Tunnelblick]. The setup is basically the same as in Windows. The client configuration, certificates, etc. go in ~/Library/openvpn.

Unfortunately Tunnelblick does not seem to support the redirect-gateway directive as of version 3.0b9.

Vista Quirks

  • The TAP driver included with OpenVPN in versions prior to 2.1 is not compatible with Vista. At the time of this writing OpenVPN 2.1_rc13 is available and appears to work as expected, although I'm not sure the TAP driver is required for our purposes, given that the TAP interface is used for bridged VPNs, not routed VPNs.
  • UAC prevents the OpenVPN client from adding or altering routes in the system. When launching the OpenVPN GUI under Vista, right-click the shortcut and choose Run as Administrator to work around this.

Misc Notes

  • TUN interface for Layer 3 (IP) traffic. TAP interface for Layer 2 (Ethernet) traffic.