So here is the dilemma. I use a Mac and our whole office is Windows-based.
I have a VPN connection set up between home and the office via the routers and the Watchguard Firebox firewall.
All is well until I go away from home. There is no client for the Watchguard Firebox firewall that will work on the Mac.
What I need is a way to connect to my home network from my Mac when I am away from home, which will then in turn allow me to connect to my office.
There are probably many solutions out there, so I am not saying this is the right or only solution to my dilemma.
Setting up the server
My server is running Ubuntu 9.04 in desktop mode with a fixed IP address of 192.168.1.9.
sudo apt-get install openvpn
Comment out all lines in /etc/default/openvpn with # and add:
This line tells OpenVPN which configuration file it should use by default when starting. Configuration files live in /etc/openvpn and use the .conf extension, so the setting above points to /etc/openvpn/openvpn.conf, a file that does not exist yet; we will create it later.
The following commands start, stop or restart OpenVPN as usual:
Every time you change settings in /etc/openvpn/openvpn.conf you will need to restart OpenVPN.
Keys and certificates
Now we need to create the security certificates and keys. We'll do all of this on the server as root:
Enter your password to get root access.
Copy the easy-rsa directory to /etc/openvpn:
cp -r /usr/share/doc/openvpn/examples/easy-rsa/ .
Remember we're still inside the /etc/openvpn directory. Now let's edit the file vars with our favorite editor (replace vi with yours):
Modify the lines below:
Save and quit.
Important: that's a period, a space and another period followed by /vars (. ./vars). This is a common point of confusion in many setups.
The next command creates your certificate authority (CA) using the parameters you just set; you only need to supply a Common Name. I used OpenVPN-CA. For this step you'll need OpenSSL; if you don't have it on your server, install it by running:
sudo apt-get install openssl
Ok, now we’re ready:
Now let’s create the keys, first the server:
This is important. When build-key-server asks for a Common Name, write server, the same parameter you provided to the command.
You'll also need to answer yes to these two questions: Sign the certificate? [y/n] and 1 out of 1 certificate requests certified, commit? [y/n].
Now the key for the client:
Use client1 as the Common Name, the same parameter you used above for build-key.
You can repeat this step if you want to have more clients; just replace the parameter with client2, client3, etc.
Now let's create the Diffie-Hellman parameters:
There you are! Now you should have a new directory with your certificates and keys: /etc/openvpn/easy-rsa/keys. To configure your first client, copy these files from servo to cliento:
Ideally you should use a secure channel; I use scp with RSA key authentication.
openvpn.conf for the server:
server 10.8.77.0 255.255.255.0
Place this file in /etc/openvpn/.
Now start OpenVPN with:
Setting up the router
Just make sure that the port and protocol (1194 TCP in my case) are forwarded to the server at 192.168.1.9.
Setting up Tunnelblick
Download the dmg from http://code.google.com/p/tunnelblick/
Install as usual by dragging the icon to the applications folder.
When you run it for the first time it will add a black tunnel icon near your Spotlight icon.
You will also need to enter your admin password, as the client requires root access.
When you click the tunnel icon you are presented with options. The defaults are fine.
Click on Details and you will see the OpenVPN log output.
Click Edit Configuration.
openvpn.conf for the client:
remote 188.8.131.52 1194
# Try to preserve some state across restarts.
# Set log file verbosity.
Paste your copy of the client openvpn.conf into the text editor and save.
Don't worry, it will overwrite the file despite the prompt.
It saves the file in your home directory under Library/Application Support/Tunnelblick/Configurations.
I placed the client's certificate and keys in here as well. You can place them anywhere, but you would need to change the client openvpn.conf accordingly.
Now press Connect and you should see verbose output indicating a successful connection.
If you run ifconfig on the Mac you should see an extra entry for tun0.
Now ping 10.8.77.1 and you should get a reply from the server.
I can now VNC to this server and then, from the server, VNC to any office computer on the 192.168.40.0 subnet.
Other things to consider include username/password authentication in addition to the certificates, in case the Mac is stolen.
I would now like to route traffic so that I can reach the 192.168.40.0 subnet without having to VNC to the OpenVPN server.
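As an added example that is not part of the original post, here is a small Python check for the pair of openvpn.conf files described above: it parses the directives, derives the server's tunnel address from the server line (the address pinged above), confirms the client's remote matches the server's port and protocol, and flags a certificate-only client, which is the stolen-Mac concern mentioned above. Both sample configs are constructed from the post's values; the certificate and key file names in them are assumptions.

```python
import ipaddress

# Constructed sample configs using the post's values (10.8.77.0/24, 1194 TCP,
# public address 188.8.131.52); the ca/cert/key file names are assumptions.
SERVER_CONF = """\
port 1194
proto tcp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
server 10.8.77.0 255.255.255.0
"""

CLIENT_CONF = """\
client
dev tun
proto tcp
remote 188.8.131.52 1194
ca ca.crt
cert client1.crt
key client1.key
"""


def parse(conf):
    """Map each directive to its argument list, skipping blank and comment lines."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # OpenVPN accepts # and ; comments
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def server_tun_address(server_args):
    """The 'server' directive assigns the pool's first host address to the server's tun."""
    net = ipaddress.IPv4Network(f"{server_args[0]}/{server_args[1]}")
    return str(next(net.hosts()))


def check_pair(server_conf, client_conf):
    """Return a list of mismatches and weak spots between a server and a client config."""
    s, c = parse(server_conf), parse(client_conf)
    findings = []
    if c["remote"][1] != s.get("port", ["1194"])[0]:
        findings.append("client remote port differs from server port")
    if c.get("proto", ["udp"])[0] != s.get("proto", ["udp"])[0]:
        findings.append("client/server proto mismatch")
    if "auth-user-pass" not in c:   # a stolen Mac holds the certificate; add a second factor
        findings.append("certificate-only client; consider auth-user-pass")
    return findings
```

The port check must agree with the router's forwarding rule as well (1194 TCP to 192.168.1.9 in the post), which this script cannot see.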