Simple OpenVPN Server and Client Setup for OS X 10.5 Leopard

This guide describes how to connect two remote Macs via OpenVPN using a static key configuration.

Standard disclaimer applies, as always: You are 100% responsible for your own actions. Using this guide, visiting a link, downloading a program, in short, living, is done entirely at your own risk (and joy).

I. Diagram of Example Network

OpenVPN network diagram

IP addresses and domains appearing in italics will likely differ on your networks. The only two addresses you need to know are Home's (for setting up port forwarding) and the public address for Home's router (which you will specify in office.conf).

II. Initial Steps on Both Home & Office

Install Xcode if you haven't already
Install DarwinPorts if you haven't already.
Update DarwinPorts: sudo port -d selfupdate
(use the full path to port if you receive "command not found" in this or the next step: sudo /opt/local/bin/port)
Install openvpn2: sudo port install openvpn2
Install tun/tap driver for Leopard

III. Quick, Unencrypted Test

Now we'll make a quick, unencrypted connection to test our setup:

Office$ sudo openvpn2 --remote dyndns.org --dev tun0 --ifconfig 10.0.0.1 10.0.0.2

Home$ sudo openvpn2 --dev tun0 --ifconfig 10.0.0.2 10.0.0.1

Replace dyndns.org with Home's public hostname or IP address. Also, if you receive a "command not found" error, use the complete path to openvpn2 instead: sudo /opt/local/sbin/openvpn2 .

Try pinging Office from Home and vice versa:

Home$ ping 10.0.0.1

Office$ ping 10.0.0.2

When finished testing, CTRL C to stop the tunnel.

IV. Generate and Copy Static Key

From either computer, generate a static key:

$ openvpn2 --genkey --secret static.key
$ sudo mkdir /etc/openvpn2
$ sudo mv static.key /etc/openvpn2/

Copy /etc/openvpn2/static.key to the other computer via a secure channel (as anyone with this file can access your VPN) and put it in the same directory, i.e., /etc/openvpn2 .

V. Encrypted Tunnel Test

Office$ sudo openvpn2 --remote dyndns.org --dev tun0 --ifconfig 10.0.0.1 10.0.0.2 --secret /etc/openvpn2/static.key --comp-lzo --keepalive 10 60 --float

Home$ sudo openvpn2 --dev tun0 --ifconfig 10.0.0.2 10.0.0.1 --secret /etc/openvpn2/static.key --comp-lzo --keepalive 10 60 --float

As before, replace dyndns.org with Home's public address. The tunnel should be up and running. You can test with ping again, or connect to services (like File Sharing) on the remote Mac.

If you only need the occasional tunnel, feel free to stop here - just leave the Terminal windows open and the tunnel will persist until it is terminated (by rebooting, quitting Terminal, etc). If you'd like to create config files and/or make your tunnel survive rebooting, read on.

VI. Create Config Files

On Office, save the following as /etc/openvpn2/office.conf:

   dev tun
   remote dyndns.org
   ifconfig 10.0.0.1 10.0.0.2
   secret /etc/openvpn2/static.key
   comp-lzo
   keepalive 10 60
   float

Replace dyndns.org with the public hostname or IP address of Home.

On Home, create /etc/openvpn2/home.conf as follows:

   dev tun
   ifconfig 10.0.0.2 10.0.0.1
   secret /etc/openvpn2/static.key
   comp-lzo
   keepalive 10 60
   float

VII. Test Config Files:

Office$ sudo openvpn2 /etc/openvpn2/office.conf

Home$ sudo openvpn2 /etc/openvpn2/home.conf

Your tunnel should now be connected. Try pinging, connecting to services, etc to verify. As before, the tunnel will persist until it is quit, Terminal is terminated, etc. The next section deals with having OpenVPN automatically launch on system startup.

VIII. Launching OpenVPN on Startup

Create a plist file like the one below and save it as /Library/LaunchDaemons/openvpn2.plist on Home and Office. For Office, make sure to replace home.conf with office.conf in the ProgramArguments section below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
<plist version="1.0">

<dict>
        <key>Label</key>
        <string>org.openvpn2</string>
        <key>OnDemand</key>
        <false/>
        <key>Program</key>
        <string>/opt/local/sbin/openvpn2</string>

        <key>ProgramArguments</key>
        <array>
                <string>openvpn2</string>
                <string>--config</string>
                <string>home.conf</string>
        </array>
        <key>RunAtLoad</key>

<true/>
        <key>TimeOut</key>
        <integer>90</integer>
        <key>WorkingDirectory</key>
        <string>/etc/openvpn2</string>
</dict>
</plist>

Set permissions for openvpn2.plist on both Home and Office:

$ sudo chown root /Library/LaunchDaemons/openvpn2.plist
$ sudo chgrp wheel /Library/LaunchDaemons/openvpn2.plist

Add openvpn2.plist as a startup item on both Home and Office:

$ sudo launchctl load -w /Library/LaunchDaemons/openvpn2.plist

Restart both computers - your VPN should be up and running permanently!

IX. Notes

The diagram was inspired by a graphic on page 82 of OpenVPN: Building and Integrating Virtual Private Networks.
The plist file was lifted largely verbatim from LaunchDaemons and Mac OS X - OpenVPN as an example.
You may want to change the default port of UDP 1194 to something less obvious. You can do this on the command line via --port number, or in your config file with port number.
Though the diagram shows the LANs on different subnets (192.168.15.0/24 and 192.168.1.0/24) it wouldn't matter in this example even if the subnets were identical, since the VPN uses its own subnet (10.0.0.0/8). However, if you setup OpenVPN in bridging mode, the LAN subnets will need to be discreet, since clients receive IP addresses from the server's LAN range. More info:
- "When a client connects via bridging to a remote network, it is assigned an IP address that is part of the remote physical ethernet subnet and is then able to interact with other machines on the remote subnet as if it were connected locally." ¹
- "For example, suppose you use the popular 192.168.0.0/24 subnet as your private LAN subnet. Now you are trying to connect to the VPN from an internet cafe which is using the same subnet for its WiFi LAN. You will have a routing conflict because your machine won't know if 192.168.0.1 refers to the local WiFi gateway or to the same address on the VPN ... The best solution is to avoid using 10.0.0.0/24 or 192.168.0.0/24 as private LAN network addresses. Instead, use something that has a lower probability of being used in a WiFi cafe, airport, or hotel where you might expect to connect from remotely. The best candidates are subnets in the middle of the vast 10.0.0.0/8 netblock (for example 10.66.77.0/24)." ²
More information on OpenVPN's command line arguments and config file options can be found in the fine manual.

created: 2008.03.02