In association with heise online

Building tunnels

The best way to install OpenVPN under Windows is to use the package with the OpenVPN GUI. This makes it possible to connect and disconnect to the VPN tunnel like a normal network connection with the tray icon context menu. Unfortunately, it does not offer any help in the actual configuration; you have to edit the text files manually to change the settings. The Tunnelblick package is the comparable package for Mac OS X. Our tests with the Linux GUIs were a bit frustrating. The best solution is simply to create a desktop shortcut that opens OpenVPN in its own terminal window.

[Image 1: When it comes to user friendliness, it will be tough for spoiled Mac users to warm up to the rudimentary Tunnelblick GUI.]

OpenVPN has a large number of settings that you can adjust. The good thing is that you usually don't need most of them. If you just want to connect two computers over a VPN, you can simply start the OpenVPN server with the default configuration file, server.conf. The only adjustment that may be necessary is to provide the names and paths of the key and certificate files, which OpenVPN otherwise looks for in the current directory. Under Windows we recommend changing the file extension to .ovpn so that the file is opened with the correct program. On Debian systems, the group directive should be changed from nobody to nogroup. Under Unix, OpenVPN drops its privileges to those of this unprivileged group and the user nobody. The command

openvpn server.conf

is acknowledged by OpenVPN with a series of status messages that culminate in "initialization sequence completed". On the other end you enter either the IP address or the host name of the server under "remote" in the client.conf sample configuration file. After starting with:

openvpn client.conf

the program prompts for the password and secret key and, once the key has been entered, should again report "initialization sequence completed". At that point the VPN connection is established and the server, when using the sample configuration, should answer to ping 10.8.0.1. In the same way, other services such as web servers or file access should be reachable on the other end, as long as they are not blocked by a restrictive configuration or a firewall.

The sample server issues IP addresses dynamically from the 10.8.0.0/24 range; the first one issued is usually 10.8.0.6. You can see the address in the status messages: on the server it appears as "MULTI: Learn: 10.8.0.6", on a Linux client /sbin/ifconfig tun0 shows it, and with Windows clients the GUI displays the client's IP address. OpenVPN records these assignments, so you get the same address the next time you log onto the network. Alternatively, the comments in the file and the HOWTO describe how to assign permanent IP addresses to clients.
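The two status messages above are what an administrator actually looks for when checking a freshly started server. The following script is an added example, not code from the article or the OpenVPN project: it reads a server log (the log text here is constructed to match the quoted messages) and reports whether initialisation completed and which client addresses the server has learned.

```shell
#!/bin/sh
# Added example, not from the article: inspect an OpenVPN server log for the
# "Initialization Sequence Completed" line and the "MULTI: Learn:" lines that
# record each client's tunnel address. SAMPLE_LOG is constructed test data.

SAMPLE_LOG='Mon Jul  7 10:00:01 2008 TUN/TAP device tun0 opened
Mon Jul  7 10:00:01 2008 Initialization Sequence Completed
Mon Jul  7 10:02:15 2008 client1/203.0.113.5:1194 MULTI: Learn: 10.8.0.6 -> client1/203.0.113.5:1194
Mon Jul  7 10:05:40 2008 client2/198.51.100.9:1194 MULTI: Learn: 10.8.0.10 -> client2/198.51.100.9:1194
Mon Jul  7 10:06:00 2008 client1/203.0.113.5:1194 MULTI: Learn: 10.8.0.6 -> client1/203.0.113.5:1194'

# Return 0 when the log shows "Initialization Sequence Completed", 1 otherwise.
tunnel_ready() {
    printf '%s\n' "$1" | grep -q 'Initialization Sequence Completed'
}

# Print every tunnel address the server has learned, once each, one per line.
learned_clients() {
    printf '%s\n' "$1" | sed -n 's/.*MULTI: Learn: \([0-9.]*\) .*/\1/p' | sort -u
}

# Ping each learned client through the tunnel; only meaningful on the live
# server (-W is a timeout in seconds with Linux iputils ping).
check_clients() {
    for ip in $(learned_clients "$1"); do
        if ping -c 1 -W 2 "$ip" >/dev/null 2>&1; then
            echo "$ip reachable"
        else
            echo "$ip not reachable (firewall, or client disconnected?)"
        fi
    done
}

# Demonstration on the constructed log. On a real server:
#   openvpn server.conf > server.log   then   check_clients "$(cat server.log)"
if tunnel_ready "$SAMPLE_LOG"; then
    echo "tunnel ready; learned clients:"
    learned_clients "$SAMPLE_LOG"
else
    echo "tunnel not ready"
fi
```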

[Image 2: With the OpenVPN GUI for Windows, VPN tunnels can be started and disconnected like normal internet connections.]

If you want to run an OpenVPN server on a dynamic internet address, you enter a DynDNS name, such as one from DynDNS.org, as the remote. Many routers can register themselves there every time a connection is established; if yours can't, you can use a tool like DeeEnEs instead. If the server is behind a router, you have to forward the router's UDP port 1194 to the computer that is acting as the server.

If there is a private network "behind" the OpenVPN server that should be reachable by the client, the server can push an appropriate network route to it. To do that, you have to adapt the following line in server.conf:

;push "route 192.168.10.0 255.255.255.0" 

and delete the initial semicolon. This will only work without further tweaking under two conditions: first, the same address range must not be in use on the client side, and second, you have to ensure that packets from the LAN find their way back to the VPN client. That happens automatically when the OpenVPN server is also the default gateway for the computers on the server LAN. If it is not, the gateway either needs a route that directs packets for 10.8.0.0/24 to the OpenVPN server, or this route has to be entered on all of the computers on that LAN.
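Both conditions can be checked before the semicolon is removed. The script below is an added example, not from the article or the OpenVPN project: it tests whether the client's own LAN overlaps the range to be pushed or the VPN subnet, and prints the push directive plus the return route the LAN gateway needs; the addresses (192.168.10.0/24 server LAN, 192.168.1.0/24 client LAN, 192.168.10.1 as the OpenVPN host's LAN address) are constructed.

```shell
#!/bin/sh
# Added example, not from the article: CIDR overlap check and route planning
# for the  push "route ..."  step. All addresses below are constructed.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask of a CIDR (a.b.c.d/len) in dotted form, as push "route" expects it.
mask_of() {
    len=${1#*/}
    int2ip $(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
}

# Print "<network as integer> <prefix length>" for a CIDR.
net_of() {
    ip=${1%/*}; len=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    echo "$(( $(ip2int "$ip") & mask )) $len"
}

# Return 0 if two CIDR ranges share any address: compare both networks under
# the shorter of the two prefixes.
overlaps() {
    set -- $(net_of "$1") $(net_of "$2")
    short=$(( $2 < $4 ? $2 : $4 ))
    mask=$(( (0xFFFFFFFF << (32 - short)) & 0xFFFFFFFF ))
    [ $(( $1 & mask )) -eq $(( $3 & mask )) ]
}

# $1 server LAN, $2 VPN subnet, $3 client LAN, $4 OpenVPN host's LAN address.
plan_route() {
    if overlaps "$1" "$3"; then
        echo "CONFLICT: client LAN $3 overlaps server LAN $1; renumber one side"; return 1
    fi
    if overlaps "$2" "$3"; then
        echo "CONFLICT: client LAN $3 overlaps VPN subnet $2; change 'server' in server.conf"; return 1
    fi
    echo "server.conf: push \"route ${1%/*} $(mask_of "$1")\""
    echo "LAN gateway (if it is not the OpenVPN host): ip route add $2 via $4"
}

plan_route 192.168.10.0/24 10.8.0.0/24 192.168.1.0/24 192.168.10.1
```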

OpenVPN has many further options and functions that you can ignore until you need them. For instance, you can have Windows clients receive DNS and WINS server addresses via DHCP options, or you can have the clients route all outgoing packets through the VPN tunnel. The individual options are explained well in the sample configuration and in the documentation. The following is a more detailed description of two concrete example configurations and their special requirements.

Permalink: http://h-online.com/-747368