created: March 2, 2008
Simple OpenVPN Server and Client Setup for OS X 10.5 Leopard
This guide describes how to connect two remote Macs via OpenVPN using a static key configuration.
Standard disclaimer applies, as always: You are 100% responsible for your own actions. Using this guide, visiting a link, downloading a program, in short, living, is done entirely at your own risk (and joy).
I. Diagram of Example Network
IP addresses and domains appearing in italics will likely differ on your networks. The only two addresses you need to know are Home's (for setting up port forwarding) and the public address for Home's router (which you will specify in office.conf).
II. Initial Steps on Both Home & Office
- Install Xcode if you haven't already.
- Install DarwinPorts if you haven't already.
- Update DarwinPorts: sudo port -d selfupdate
(use the full path to port if you receive "command not found" in this or the next step: sudo /opt/local/bin/port)
- Install openvpn2: sudo port install openvpn2
- Install tun/tap driver for Leopard
III. Quick, Unencrypted Test
Now we'll make a quick, unencrypted connection to test our setup:
Office$ sudo openvpn2 --remote dyndns.org --dev tun0 --ifconfig 10.0.0.1 10.0.0.2
Home$ sudo openvpn2 --dev tun0 --ifconfig 10.0.0.2 10.0.0.1
Replace dyndns.org with Home's public hostname or IP address. Also, if you receive a "command not found" error, use the complete path to openvpn2 instead: sudo /opt/local/sbin/openvpn2.
Try pinging Office from Home and vice versa:
Home$ ping 10.0.0.1
Office$ ping 10.0.0.2
When finished testing, press Ctrl-C in each Terminal window to stop the tunnel.
IV. Generate and Copy Static Key
From either computer, generate a static key:
$ openvpn2 --genkey --secret static.key
$ sudo mkdir /etc/openvpn2
$ sudo mv static.key /etc/openvpn2/
Copy /etc/openvpn2/static.key to the other computer via a secure channel (anyone holding this file can join your VPN) and put it in the same directory, i.e., /etc/openvpn2.
V. Encrypted Tunnel Test
As before, replace dyndns.org with Home's public address. The tunnel should be up and running. You can test with ping again, or connect to services (like File Sharing) on the remote Mac.
If you only need the occasional tunnel, feel free to stop here - just leave the Terminal windows open and the tunnel will persist until it is terminated (by rebooting, quitting Terminal, etc.). If you'd like to create config files and/or make your tunnel survive rebooting, read on.
VI. Create Config Files
On Office, save the following as /etc/openvpn2/office.conf:
ifconfig 10.0.0.1 10.0.0.2
keepalive 10 60
Replace dyndns.org with the public hostname or IP address of Home.
On Home, create /etc/openvpn2/home.conf as follows:
ifconfig 10.0.0.2 10.0.0.1
keepalive 10 60
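The config listings above show only the ifconfig and keepalive directives, and the section V test commands are not shown. The following script, an added example that is not part of the original guide, writes the complete office.conf and home.conf (the remote, dev and secret lines come from sections III and IV), prints the one-shot command line that section V uses, and checks that the two ifconfig lines mirror each other and that static.key is readable by its owner alone. The function names are mine.

```shell
#!/bin/sh
# Added example, not from the original guide: generate the static-key
# configs of section VI, derive the equivalent section V command line, and
# sanity-check the pair. Addresses, tun0, keepalive and the /etc/openvpn2
# layout are the guide's; the function names here are mine.

# gen_conf ROLE PEER KEYFILE -> prints the config for that side. Office
# dials Home, so only office gets a "remote" line; Home just listens.
gen_conf() {
  case "$1" in
    office) echo "remote $2"; echo "dev tun0"; echo "ifconfig 10.0.0.1 10.0.0.2" ;;
    home)   echo "dev tun0"; echo "ifconfig 10.0.0.2 10.0.0.1" ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
  echo "secret $3"
  echo "keepalive 10 60"
}

# cli_from_conf FILE -> the one-shot command line equivalent to FILE: every
# config directive is the same option with "--" in front (section V's test
# is just office.conf/home.conf spelled out this way).
cli_from_conf() {
  awk 'BEGIN { printf "openvpn2" }
       NF == 0 || /^[ \t]*#/ { next }
       { printf " --%s", $1; for (i = 2; i <= NF; i++) printf " %s", $i }
       END { print "" }' "$1"
}

# pair_ok OFFICE_CONF HOME_CONF -> 0 if the ifconfig lines mirror each
# other (office local = home remote and vice versa), else 1.
pair_ok() {
  set -- $(awk '$1 == "ifconfig" { print $2, $3; exit }' "$1") \
         $(awk '$1 == "ifconfig" { print $2, $3; exit }' "$2")
  [ "$#" -eq 4 ] && [ "$1" = "$4" ] && [ "$2" = "$3" ]
}

# key_ok KEYFILE -> 0 only if the shared key is a regular file readable by
# its owner alone (mode 600 or 400). Anyone who can read it can join the
# VPN, as section IV warns. ls -l is used because stat's flags differ
# between Leopard and Linux.
key_ok() {
  [ -f "$1" ] || return 1
  case "$(ls -ld "$1" | cut -c1-10)" in
    -rw-------|-r--------) return 0 ;;
    *) return 1 ;;
  esac
}
```

On Office run gen_conf office dyndns.org /etc/openvpn2/static.key > /etc/openvpn2/office.conf as root, and the home variant on Home; cli_from_conf on either file prints the command to paste into Terminal for the section V test.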
VII. Test Config Files
Office$ sudo openvpn2 /etc/openvpn2/office.conf
Home$ sudo openvpn2 /etc/openvpn2/home.conf
Your tunnel should now be connected. Try pinging, connecting to services, etc. to verify. As before, the tunnel will persist until OpenVPN is quit, Terminal is closed, etc. The next section deals with having OpenVPN launch automatically on system startup.
VIII. Launching OpenVPN on Startup
- Create a plist file like the one below and save it as /Library/LaunchDaemons/openvpn2.plist on Home and Office. For Office, make sure to replace home.conf with office.conf in the ProgramArguments section below:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
- Set ownership of openvpn2.plist to root:wheel on both Home and Office:
$ sudo chown root /Library/LaunchDaemons/openvpn2.plist
$ sudo chgrp wheel /Library/LaunchDaemons/openvpn2.plist
- Add openvpn2.plist as a startup item on both Home and Office:
$ sudo launchctl load -w /Library/LaunchDaemons/openvpn2.plist
- Restart both computers - your VPN should be up and running permanently!
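The plist above is cut off after its DOCTYPE line. As an added example (not the guide's own file, which it credits to another page), this script emits a complete LaunchDaemons job that runs /opt/local/sbin/openvpn2 on the given config with RunAtLoad and KeepAlive, and checks the file mode launchd requires before it will load the job. The Label string is my choice.

```shell
#!/bin/sh
# Added example, not the guide's own plist: emit the launchd job described
# above for a given config file and check the file mode launchd expects.
# The Label is an assumption; the program path and config location are the
# ones used elsewhere in this guide.

# gen_plist CONF -> prints a LaunchDaemons plist running openvpn2 on CONF.
# RunAtLoad starts the tunnel at boot (or at launchctl load -w time);
# KeepAlive restarts it if the process dies.
gen_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.openvpn.openvpn2</string>
    <key>ProgramArguments</key>
    <array>
        <string>/opt/local/sbin/openvpn2</string>
        <string>$1</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
EOF
}

# plist_ok FILE -> 0 if FILE is not writable by group or others. launchd
# logs "Dubious permissions" and skips a LaunchDaemons plist that is, which
# is why the chown/chgrp step above matters.
plist_ok() {
  [ -f "$1" ] || return 1
  case "$(ls -ld "$1" | cut -c1-10)" in
    ?????-??-?) return 0 ;;   # group w (col 6) and other w (col 9) unset
    *) return 1 ;;
  esac
}
```

Run gen_plist /etc/openvpn2/home.conf > /Library/LaunchDaemons/openvpn2.plist on Home (office.conf on Office), then apply the chown, chgrp and launchctl steps above.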
- The diagram was inspired by a graphic on page 82 of OpenVPN: Building and Integrating Virtual Private Networks.
- The plist file was lifted largely verbatim from LaunchDaemons and Mac OS X - OpenVPN as an example.
- You may want to change the default port of UDP 1194 to something less obvious. You can do this on the command line via --port number, or in your config file with port number.
- Though the diagram shows the LANs on different subnets (192.168.15.0/24 and 192.168.1.0/24), it wouldn't matter in this example even if the subnets were identical, since the VPN uses its own subnet (10.0.0.0/8). However, if you set up OpenVPN in bridging mode, the LAN subnets will need to be distinct, since clients receive IP addresses from the server's LAN range. More info:
- "When a client connects via bridging to a remote network, it is assigned an IP address that is part of the remote physical ethernet subnet and is then able to interact with other machines on the remote subnet as if it were connected locally." [1]
- "For example, suppose you use the popular 192.168.0.0/24 subnet as your private LAN subnet. Now you are trying to connect to the VPN from an internet cafe which is using the same subnet for its WiFi LAN. You will have a routing conflict because your machine won't know if 192.168.0.1 refers to the local WiFi gateway or to the same address on the VPN ... The best solution is to avoid using 10.0.0.0/24 or 192.168.0.0/24 as private LAN network addresses. Instead, use something that has a lower probability of being used in a WiFi cafe, airport, or hotel where you might expect to connect from remotely. The best candidates are subnets in the middle of the vast 10.0.0.0/8 netblock (for example 10.66.77.0/24)." [2]
- More information on OpenVPN's command line arguments and config file options can be found in the fine manual.