How to run OpenVPN server on Leopard
2008-12-23 15:15:47
I've been running OpenVPN servers for a long time on many Linux servers, but I've never tried running a server on Mac OS X. Usually I have an old Linux machine just sort of lying around on a network, and I use that as the VPN server.
On a new network I set up, I have only Macs available. So I either had to set up a Linux OS on an old computer, or try OpenVPN on Mac. I thought I'd give Mac a try first. It works.
Notes along the way:
Use MacPorts to get OpenVPN installed on the server machine (the MacPorts build installs the binary as openvpn2, which is the name used to start it below).
Enable IP forwarding on Leopard, so the server can pass packets between the tunnel and the office LAN:
sysctl -w net.inet.ip.forwarding=1
This does not survive a reboot; put the same net.inet.ip.forwarding=1 setting in /etc/sysctl.conf so it is applied at boot.
Add a static route on the router of the server-side network for the virtual network (10.91.0.0/24 in the server.conf below) pointing at the OpenVPN server's LAN address. Without it, LAN hosts send their replies to VPN clients to the default gateway, which has no idea where 10.91.0.x lives, and the packets never reach the tunnel.
Also on the server-side router, forward TCP port 1194 to the OpenVPN server machine. It is TCP here because the configs below say proto tcp; OpenVPN's default is UDP, which usually performs better because it avoids stacking TCP retransmissions inside TCP, so if you switch, forward UDP 1194 instead.
In the easy-rsa script hierarchy, source vars and run clean-all once, then create the CA (build-ca), the DH parameters (build-dh), the server cert (build-key-server) and one client cert per user (build-key), so that a single client can be revoked later without reissuing the rest. Set KEY_SIZE=2048 in vars before build-dh: the dh1024.pem used in the config below is what the default KEY_SIZE=1024 produces, and 1024-bit DH is weaker than the rest of this setup deserves (point the dh line at the resulting dh2048.pem if you do).
Roll it all up in a server.conf:
port 1194
proto tcp
dev tun
# Certificate material from easy-rsa; the server key should be readable by root only (chmod 600)
ca /opt/local/openvpn/easy-rsa/keys/ca.crt
cert /opt/local/openvpn/easy-rsa/keys/stony.crt
key /opt/local/openvpn/easy-rsa/keys/stony.key
dh /opt/local/openvpn/easy-rsa/keys/dh1024.pem
# Virtual subnet handed out to clients; the router needs a static route for it
server 10.91.0.0 255.255.255.0
# Relative paths (this file, the status and log files) resolve from the directory openvpn2 is started in
ifconfig-pool-persist ipp.txt
# Office LAN reachable through the tunnel, and the DNS server on it
push "route 10.90.0.0 255.255.255.0"
push "dhcp-option DNS 10.90.0.1"
keepalive 10 120
comp-lzo
# Drop root once the tunnel is up; persist-key/persist-tun keep the key and tun usable
# across restarts, which the unprivileged user could not re-open
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
- Start the server as root, since creating the tun interface requires it (the user/group lines above drop privileges once the tunnel is up). Relative paths in server.conf resolve from the current directory, hence the cd:
cd /opt/local/openvpn; sudo openvpn2 --config server.conf
Once it comes up cleanly, add --daemon to run it in the background.
- Create a client.conf, and don't forget to copy ca.crt (renamed stony-ca.crt here), client1.crt and client1.key to the client. Each client gets only its own cert and key; ca.key never leaves the machine that runs easy-rsa.
client
dev tun
proto tcp
remote office.yourcompanyname.com 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
# ca.crt from the server's easy-rsa/keys directory, copied here under another name
ca stony-ca.crt
cert client1.crt
key client1.key
# Only accept a server whose cert was issued by build-key-server (nsCertType=server);
# without this, any holder of a client cert signed by the same CA could impersonate the server
ns-cert-type server
comp-lzo
verb 3
- Don't forget the TUN/TAP drivers on both client and server machines! Leopard ships none; install the tuntaposx kernel extension (the MacPorts tuntaposx port) and check that /dev/tun0 exists before starting openvpn2.
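A few pre-flight checks that save a round of reading openvpn.log, as an added example that is not part of the original post or of OpenVPN itself. The function names (ovpn_files, ovpn_check_files, ovpn_has_directive, ovpn_check_client, ovpn_check_forwarding) are mine; they read the config files above, resolve relative paths the way openvpn2 does (from the directory you start it in), verify that every referenced key or cert file is present, confirm the client config pins the server's certificate role, and check the Leopard forwarding sysctl when run on the server.

```shell
# Added example (not from the original post or the OpenVPN project): pre-flight
# checks for an OpenVPN server/client config. Run from the directory openvpn2 is
# started in, because relative paths in the config resolve against it.

# Print every file named by a ca/cert/key/dh/tls-auth line of the config.
ovpn_files() {
    awk '$1 ~ /^(ca|cert|key|dh|tls-auth)$/ { print $2 }' "$1"
}

# Succeed only if every such file exists; relative paths resolve against $2
# (default: the current directory). Prints each missing file.
ovpn_check_files() {
    conf=$1; base=${2:-.}; rc=0
    for f in $(ovpn_files "$conf"); do
        case $f in /*) path=$f ;; *) path=$base/$f ;; esac
        if [ ! -r "$path" ]; then
            echo "missing: $path"
            rc=1
        fi
    done
    return $rc
}

# Succeed if the config has a line whose first word is $2.
ovpn_has_directive() {
    awk -v d="$2" 'BEGIN { r = 1 } $1 == d { r = 0 } END { exit r }' "$1"
}

# A client config must pin the server role of the peer certificate; otherwise
# any client cert issued by the same CA would be accepted as the server.
ovpn_check_client() {
    if ovpn_has_directive "$1" remote-cert-tls || ovpn_has_directive "$1" ns-cert-type; then
        return 0
    fi
    echo "warning: $1 has neither 'remote-cert-tls server' nor 'ns-cert-type server'"
    return 1
}

# Server side only: forwarding must be on or the pushed route leads nowhere.
# Uses the Darwin sysctl name from the post; skipped on other platforms.
ovpn_check_forwarding() {
    if [ "$(uname)" != Darwin ]; then
        echo "skip: forwarding check only applies to Darwin"
        return 0
    fi
    [ "$(sysctl -n net.inet.ip.forwarding)" = 1 ]
}
```

On the server: `cd /opt/local/openvpn && ovpn_check_files server.conf && ovpn_check_forwarding` before the sudo openvpn2 line; on a client: `ovpn_check_client client.conf` from the directory holding the copied cert files. The client check accepts either ns-cert-type server (OpenVPN 2.0) or remote-cert-tls server (2.1 and later), both of which match what build-key-server puts in the server certificate.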
Reference: tinyapps.org