tinyapps.org / docs / Simple OpenVPN Server and Client Setup for OS X 10.5 Leopard


This guide describes how to connect two remote Macs via OpenVPN using a static key configuration.

Standard disclaimer applies, as always: You are 100% responsible for your own actions. Using this guide, visiting a link, downloading a program, in short, living, is done entirely at your own risk (and joy).

I. Diagram of Example Network

OpenVPN network diagram

IP addresses and domains appearing in italics will likely differ on your networks. The only two addresses you need to know are Home's (for setting up port forwarding) and the public address for Home's router (which you will specify in office.conf).

II. Initial Steps on Both Home & Office

  1. Install Xcode if you haven't already
  2. Install DarwinPorts if you haven't already.
  3. Update DarwinPorts: sudo port -d selfupdate
    (use the full path to port if you receive "command not found" in this or the next step: sudo /opt/local/bin/port)
  4. Install openvpn2: sudo port install openvpn2
  5. Install tun/tap driver for Leopard

III. Quick, Unencrypted Test

Now we'll make a quick, unencrypted connection to test our setup:

   Office$ sudo openvpn2 --remote dyndns.org --dev tun0 --ifconfig 10.0.0.1 10.0.0.2

   Home$ sudo openvpn2 --dev tun0 --ifconfig 10.0.0.2 10.0.0.1

Replace dyndns.org with Home's public hostname or IP address. Also, if you receive a "command not found" error, use the complete path to openvpn2 instead: sudo /opt/local/sbin/openvpn2 .

Try pinging Office from Home and vice versa:

   Home$ ping 10.0.0.1

   Office$ ping 10.0.0.2

When finished testing, CTRL C to stop the tunnel.

IV. Generate and Copy Static Key

From either computer, generate a static key:

   $ openvpn2 --genkey --secret static.key
   $ sudo mkdir /etc/openvpn2
   $ sudo mv static.key /etc/openvpn2/

Copy /etc/openvpn2/static.key to the other computer via a secure channel (as anyone with this file can access your VPN) and put it in the same directory, i.e., /etc/openvpn2 .

V. Encrypted Tunnel Test



As before, replace dyndns.org with Home's public address. The tunnel should be up and running. You can test with ping again, or connect to services (like File Sharing) on the remote Mac.

If you only need the occasional tunnel, feel free to stop here - just leave the Terminal windows open and the tunnel will persist until it is terminated (by rebooting, quitting Terminal, etc). If you'd like to create config files and/or make your tunnel survive rebooting, read on.

VI. Create Config Files

On Office, save the following as /etc/openvpn2/office.conf :

   dev tun
   remote dyndns.org
   ifconfig 10.0.0.1 10.0.0.2
   secret /etc/openvpn2/static.key
   comp-lzo
   keepalive 10 60
   float

Replace dyndns.org with the public hostname or IP address of Home.

On Home, create /etc/openvpn2/home.conf as follows:

   dev tun
   ifconfig 10.0.0.2 10.0.0.1
   secret /etc/openvpn2/static.key
   comp-lzo
   keepalive 10 60
   float

VII. Test Config Files:

   Office$ sudo openvpn2 /etc/openvpn2/office.conf

   Home$ sudo openvpn2 /etc/openvpn2/home.conf

Your tunnel should now be connected. Try pinging, connecting to services, etc to verify. As before, the tunnel will persist until it is quit, Terminal is terminated, etc. The next section deals with having OpenVPN automatically launch on system startup.

VIII. Launching OpenVPN on Startup

  1. Create a plist file like the one below and save it as /Library/LaunchDaemons/openvpn2.plist on Home and Office. For Office, make sure to replace home.conf with office.conf in the ProgramArguments section below:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
    "http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
    <plist version="1.0">
    
    <dict>
            <key>Label</key>
            <string>org.openvpn2</string>
            <key>OnDemand</key>
            <false/>
            <key>Program</key>
            <string>/opt/local/sbin/openvpn2</string>
    
            <key>ProgramArguments</key>
            <array>
                    <string>openvpn2</string>
                    <string>--config</string>
                    <string>home.conf</string>
            </array>
            <key>RunAtLoad</key>
    
    <true/>
            <key>TimeOut</key>
            <integer>90</integer>
            <key>WorkingDirectory</key>
            <string>/etc/openvpn2</string>
    </dict>
    </plist>
    
  2. Set permissions for openvpn2.plist on both Home and Office:
       $ sudo chown root /Library/LaunchDaemons/openvpn2.plist 
       $ sudo chgrp wheel /Library/LaunchDaemons/openvpn2.plist 
    
  3. Add openvpn2.plist as a startup item on both Home and Office:
       $ sudo launchctl load -w /Library/LaunchDaemons/openvpn2.plist
  4. Restart both computers - your VPN should be up and running permanently!

IX. Notes

  1. The diagram was inspired by a graphic on page 82 of OpenVPN: Building and Integrating Virtual Private Networks.
  2. The plist file was lifted largely verbatim from LaunchDaemons and Mac OS X - OpenVPN as an example.
  3. You may want to change the default port of UDP 1194 to something less obvious. You can do this on the command line via --port number, or in your config file with port number.
  4. Though the diagram shows the LANs on different subnets (192.168.15.0/24 and 192.168.1.0/24) it wouldn't matter in this example even if the subnets were identical, since the VPN uses its own subnet (10.0.0.0/8). However, if you setup OpenVPN in bridging mode, the LAN subnets will need to be discreet, since clients receive IP addresses from the server's LAN range. More info:
  5. More information on OpenVPN's command line arguments and config file options can be found in the fine manual.

last update: 2008.03.02