OpenVPN Server on Mac

Spurred by a unhelpful digg post on setting up an OpenVPN server on Windows, I decided to finally get OpenVPN working on my Mac, which is currently running as my web server / other servers. I eventually found some help, but it took awhile, so why not gather it all up here.

What is OpenVPN?

A VPN or Virtual Private Network essentially connects a remote machine to a network, over the Internet, securely. A common use for VPN is to let a user at home or on the road make an encrypted connection to his office’s network as if he/she were actually in the office. In this type of setup, you would be able to connect to file servers, mail servers, or printers remotely, without having to worry about someone on the Internet watching what you do and snagging private information.

I wanted to use it so I could use VNC to connect to some of my home machines on my laptop at school.

OpenVPN utilizes SSL, the same technology used to encrypt websites to make its connection secure. Its also OpenSource and free, which are two good reasons for using it. It is also fast and very powerful, once you get things set up.

One alternative to OpenVPN commonly cited is Hamachi. It seems easier to set up and can run on the major 3 OS platforms. The main reason I shyed away from Hamachi, as many people do, is because it is closed source, and owned by a company. That means you just really can’t be sure about what its doing or how its doing it. Sometimes this is acceptable, like when using Skype, but sometimes, you’d just rather have the open software. Plus, OpenVPN is a much cooler thing to have running on your system anyways.

Configuring The Server

This was where there isn’t a lot of Mac specific info. Most tutorials deal with using Linux or Windows. Thats fine, probably what most people have as servers. But I wanted it on a Mac! The ever useful Darwinports has a port of OpenVPN, labelled “openvpn2”. They have the regular openvpn port, but it is an older (1.6) version, and that won’t due.
Install it by using the command

sudo port install openvpn2

This will get you most of the packages you need to get things going.

Now we turn to the OpenVPN site for configuration instructions. You can follow the Linux instructions pretty closely, and things will work out well with a few exceptions:

• The easy-rsa folder can be found at /opt/local/share/doc/openvpn2/easy-rsa . I copied the openvpn2 folder to someplace easier to find like /opt/local/etc/openvpn . You could make it easier and put it in /etc/openvpn too, but sometimes I forget to check there…
• The sample server and client configuration files can be found at /opt/local/share/doc/openvpn2/sample-config-files. I also grabbed the server.conf file and copied it to my simplier openvpn folder. Making these copies will also ensure your changes won’t be overwritten when OpenVPN is updated.
• according to this hint from macosxhints.com,tunnelblick might be needed to get OpenVPN working correctly. Download tunnelblick here,the current version I got was 3.0 RC3. We will be using it as our client as well, so more info in that section below

So with the help of the OpenVPN manual and the nice tip about tunnelblick, we should have a working version of OpenVPN on our server.

Configuring the Client

Like I mentioned, we need tunnelblick to connect to our server. Tunnelblick is a very elegant and easy to manage GUI front end to OpenVPN. The 3.0 RC3 version comes with everything bundled together, and all you need to do is drop it into your Applications folder.
Run it and you should see a little tunnel in the upper-right hand corner of your screen.
It should also add the folder ~/Library/OpenVPN. In this folder I copied the ca.crt, client.crt, client.csr, and client.key which were created on the server during the PKI section of the tutorial. I used fugu to move stuff over from the server.
Now you can click on the tunnelblick tunnel icon and then click on “details” to get to the meat of the program. Select “edit configuration” to modify the important stuff. I basically copied OpenVPN’s sample client configuration, and pasted it into here. Modifying the destination IP address and the location of the crt and key files. I had to use the entire path file to get these to work correctly for some reason, namely:
/Users/username/Library/openvpn/ca.crt . I don’t know why I couldn’t use realitive file names, but it wasn’t having it.
Also, I started by using the local IP address of my server to make sure things were working correctly before trying to connect to it from the Internet.
When that was all finished, I selected “Connect” and you should be connected to your own VPN server!

If you have file sharing turned on, you can check your connection by hitting apple + k to go to the connection dialog and connecting to afp://10.8.0.1 (if you followed the tutorial exactly, else use the IP address you set it up for). This should connect to your server.

The next step is to get more machines from your intranet on the vpn. But that is for another post, as I haven’t quite figured it out yet…