Topics include: programming, Apple, Unix, gadgets, large-scale web sites and other nerdy stuff.

How to run OpenVPN server on Leopard

2008-12-23 15:15:47

I've been running OpenVPN servers for a long time on many Linux servers, but I've never tried running a server on Mac OS X. Usually I have an old Linux machine just sort of lying around on a network, and I use that as the VPN server.

On a new network I set up, I have only Macs available. So I either had to set up a Linux OS on an old computer, or try OpenVPN on Mac. I thought I'd give Mac a try first. It works.

Notes along the way:

  1. Use MacPorts to get openvpn installed on the server machine.

  2. Enable IP forwarding on Leopard:

sysctl -w net.inet.ip.forwarding=1

  1. Put static routes on your router on the server network so that packets for the virtual network get routed back to the OpenVPN server, so they can be put into the right tunnel.

  2. Also on the router on the server side, forward TCP port 1194 to the OpenVPN server machine.

  3. Create the CA (build-ca), DH group (build-dh), Server cert (build-key-server) and various client certs (build-key) in the easy-rsa script hierarchy

  4. roll it all up in a server.conf:

port 1194 proto tcp dev tun ca /opt/local/openvpn/easy-rsa/keys/ca.crt cert /opt/local/openvpn/easy-rsa/keys/stony.crt key /opt/local/openvpn/easy-rsa/keys/stony.key dh /opt/local/openvpn/easy-rsa/keys/dh1024.pem server ifconfig-pool-persist ipp.txt push "route" push "dhcp-option DNS" keepalive 10 120 comp-lzo user nobody group nogroup persist-key persist-tun status openvpn-status.log log-append openvpn.log verb 3

  1. Start the server

cd /opt/local/openvpn; openvpn2 --config server.conf

  1. create a client.conf, and don't forget the ca.crt, client.crt and client.key

client dev tun proto tcp remote 1194 resolv-retry infinite nobind user nobody group nobody persist-key persist-tun ca stony-ca.crt cert client1.crt key client1.key comp-lzo verb 3

  1. Don't forget the TUN/TAP drivers on both client and server machines!