Saturday, December 15, 2007

OpenVPN on OS X

If you have ever messed with any open source projects, you are missing out on some great experimentation. Sometimes these lead to frustration, but more often than not, they lead to great solutions for free, except for a bit of your time.

Today I spent a good portion of the day messing with such a project called OpenVPN. The purpose of this project is to allow VPN over an SSL connection carried on UDP/IP, instead of IPSec, L2TP, or PPTP. Therefore, it is not compatible with your run-of-the-mill VPN clients. You may think that you could use your browser, but alas the only way to participate as a client is by running the openvpn client to connect to the openvpn server.

It is still pretty secure: going over SSL and using a PSK system makes it fairly reliable. That makes it a pretty good (and cheap) option for home users, and perhaps small businesses. After a few hours today (not taking my full attention), I was able to get this up and running. I have tried to do this in the past without much luck, partly because the documentation is quite large and detailed. In addition, I have been doing this on Darwin, and there are a few things here and there that can cause a bit of frustration.

However, today I tackled the situation with diligence and managed to get up and running. Here is how.

First, I concentrated on the server. I downloaded the latest source package for the project. Second, you will notice that it may not be as easy as the typical configure, make, make install instructions. There are a few dependent programs that you will have to find Darwin ports for. OpenVPN requires openssl, lzo, and pam. The best way to deal with all this is to do one of two things.

1. Get each program's source package from the various project homes via the internet and compile/install them individually.
2. Use pre-packaged binaries for your OS. Linux users can take advantage of RPMs, and Darwin users can use DarwinPorts or an equivalent package manager such as Fink. Windows users can get a self-contained .EXE, but who uses Windows?

Once all the required dependencies are handled, a simple configure, make, make install cycle should do the trick. Once everything is built, there are still many things to do, but all are outlined in the HOWTO. The basic steps remaining are to generate the certificate, public and private keys (for clients and servers), and this other file that is specified in the HOWTO doc. This entire build/install process has to be duplicated on the client; however, the keys and certificates only need to be generated once.

Once you have all the software installed on both client and server, and the keys generated, the client keys need to be placed on the client. This needs to be done over a secure remote connection, or preferably via the local network or some other rudimentary file transfer between the two computers.

By modifying the client.conf file on the client and the server.conf file on the server, one has a complete setup that is ready to run. The directions for doing all this are outlined in the HOWTO doc, and the configuration files themselves are well documented. To start the client or server piece on each machine, you only need to run "openvpn ".

OS X gets the great benefit of having a nifty GUI, Tunnelblick, to manage and connect to networks or modify the configuration files. In fact, all I had to do on my client was copy the generated client files to the client and run Tunnelblick to set up the client. Tunnelblick takes care of installing the TUN driver for OS X during its install. I think the only reason I had to get the actual source code on the server was to generate the keys and configuration files to start from. One of these days, I may wipe out my current openvpn setup and test this theory. Until then, I do not plan to modify any of it haha.

NOTE: Above I mentioned that I disabled LZO when I configured openvpn. Due to that fact, I disabled the LZO directive in the server.conf file which forced me to do the same in the client.conf.
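For the configuration step and the LZO note above, here is an added check (example code, not from the original post) that reads an OpenVPN server.conf and client.conf and reports whether the comp-lzo directive is consistent between them; the sample configs it writes are constructed placeholders, not the author's files.

```shell
# Added example, not from the original post: confirm that server.conf and
# client.conf agree on LZO before starting openvpn.  The comp-lzo directive
# must be present on both sides or on neither, or the tunnel will not work.

# Print "present" if FILE has an uncommented comp-lzo line, else "absent".
# OpenVPN treats lines starting with '#' or ';' as comments.
lzo_state() {
    if grep -Eq '^[[:space:]]*comp-lzo([[:space:]]|$)' "$1"; then
        echo present
    else
        echo absent
    fi
}

# Return 0 when both configs agree on comp-lzo, 1 when they differ.
check_lzo_match() {
    s=$(lzo_state "$1")
    c=$(lzo_state "$2")
    if [ "$s" = "$c" ]; then
        echo "OK: comp-lzo is $s in both server and client configs"
        return 0
    fi
    echo "MISMATCH: comp-lzo is $s on the server but $c on the client" >&2
    return 1
}

# Constructed sample configs (minimal; hostname and file names are placeholders).
write_samples() {
    cat > "$1/server.conf" <<'EOF'
port 1194
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;comp-lzo
EOF
    cat > "$1/client.conf" <<'EOF'
client
dev tun
remote vpn.example.com 1194
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
EOF
}
```

Run `check_lzo_match /path/to/server.conf /path/to/client.conf` against your real files before starting either side.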
