So here is the dilemma. I use a Mac, and all of our office is Windows based.
I have a VPN connection set up between home and the office via the routers and the WatchGuard Firebox firewall.
All is well until I go away from home: there is no WatchGuard Firebox client that will work on the Mac.
What I need is a way to connect to my home network from my Mac when I am away from home, which in turn lets me connect to the office over the existing link.
There are probably many solutions out there, so I am not saying this is the right or only solution to my dilemma.
Setting up the server
My server is running Ubuntu 9.04 in desktop mode with a fixed IP address of 192.168.1.9.
Install OpenVPN:
sudo apt-get install openvpn
Comment out every line in /etc/default/openvpn with # and add:
AUTOSTART="openvpn"
This line tells the init script which configuration to start by default. Configuration files live in /etc/openvpn and use the .conf extension, so the setting above points to /etc/openvpn/openvpn.conf, a file that does not exist yet; we will create it later.
The init script starts, stops and restarts OpenVPN as usual:
Start OpenVPN:
/etc/init.d/openvpn start
Stop OpenVPN:
/etc/init.d/openvpn stop
Restart OpenVPN:
/etc/init.d/openvpn restart
Every time you change settings in /etc/openvpn/openvpn.conf you need to restart OpenVPN for them to take effect.
Keys and certificates
Now we need to create the certificates and keys. We do all of this on the server as root:
sudo su
and enter your password to get a root shell.
cd /etc/openvpn/
Copy the easy-rsa directory into /etc/openvpn:
cp -r /usr/share/doc/openvpn/examples/easy-rsa/ .
Remember we are still inside /etc/openvpn. Now edit the file vars with your favourite editor (replace nano with yours):
nano easy-rsa/2.0/vars
Modify these lines to suit your setup:
export KEY_COUNTRY="UK"
export KEY_PROVINCE="SU"
export KEY_CITY="Birmingham"
export KEY_ORG="home"
export KEY_EMAIL="jon@example.com"
Save and quit.
Now run:
cd easy-rsa/2.0/
. ./vars
Important: that is a period, a space and another period followed by /vars. The first period sources the file into the current shell so the KEY_* variables are visible to the scripts that follow; this is a common point of confusion in many setups.
Now:
./clean-all
The next command creates your certificate authority (CA) using the parameters you just set; accept the defaults and only supply a Common Name (I used OpenVPN-CA). For this step you need OpenSSL; if it is not on your server, install it with:
sudo apt-get install openssl
OK, now we are ready:
./build-ca
Now let's create the keys, starting with the server:
./build-key-server server
This is important: when build-key-server asks for the Common Name, enter server, the same parameter you gave to the command. The script also marks this certificate as a server certificate (nsCertType=server), which is what lets clients tell the real server apart from another client.
You also need to answer yes to these two questions: Sign the certificate? [y/n] and 1 out of 1 certificate requests certified, commit? [y/n].
Now the key for the client:
./build-key client1
Use client1 as the Common Name, the same parameter you gave to build-key. Each client needs a unique Common Name; the server refuses a second connection with a certificate that is already in use.
Repeat this step for every additional client, replacing the parameter with client2, client3, etc.
Now let's create the Diffie-Hellman parameters:
./build-dh
There you are! You should now have a directory with your certificates and keys: /etc/openvpn/easy-rsa/2.0/keys. To configure your first client, copy these files from the server to the client:
ca.crt
client1.crt
client1.key
Use a secure channel for this; I use scp with RSA key authentication. client1.key is the client's private key, and ca.key must never leave the server: whoever holds it can issue certificates that your server will accept.
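As an added example, not part of the original post, here is a plain openssl equivalent of what ./build-ca, ./build-key-server and ./build-key produce, followed by the three checks worth running on the real /etc/openvpn/easy-rsa/2.0/keys output before anything is copied: that each certificate chains to ca.crt, that each private key really belongs to its certificate, and that only server.crt carries the server marker. The scratch directory, the 2048-bit key size and the subject values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway PKI built with plain
# openssl, mirroring what ./build-ca, ./build-key-server and ./build-key
# produce, plus the checks worth running before files go to the client.
# Scratch directory and subject values are assumptions.
set -e

PKI=$(mktemp -d)
SUBJ="/C=UK/ST=SU/L=Birmingham/O=home"

# Extension profiles. nsCertType=server is the marker easy-rsa's
# build-key-server adds and the client's "ns-cert-type server" directive
# verifies; extendedKeyUsage=serverAuth is what the newer
# "remote-cert-tls server" directive checks instead.
write_ext_files() {
  printf 'basicConstraints=CA:FALSE\nnsCertType=server\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$PKI/server.ext"
  printf 'basicConstraints=CA:FALSE\nnsCertType=client\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$PKI/client.ext"
}

# Equivalent of ./build-ca: self-signed CA certificate and its private key.
build_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "$SUBJ/CN=OpenVPN-CA" \
    -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
}

# Equivalent of ./build-key-server NAME (profile "server") or
# ./build-key NAME (profile "client"): key, CSR, then a CA-signed certificate.
build_cert() {
  name=$1
  profile=$2
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "$SUBJ/CN=$name" \
    -keyout "$PKI/$name.key" -out "$PKI/$name.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$PKI/$name.csr" \
    -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" -CAcreateserial \
    -extfile "$PKI/$profile.ext" -out "$PKI/$name.crt" 2>/dev/null
}

# Check 1: the certificate chains to ca.crt, which is what the peer verifies.
check_chains_to_ca() {
  openssl verify -CAfile "$PKI/ca.crt" "$PKI/$1.crt" >/dev/null 2>&1
}

# Check 2: the private key belongs to the certificate (same RSA modulus),
# so the .crt/.key pair copied to the client is really a pair.
check_key_matches_cert() {
  c=$(openssl x509 -noout -modulus -in "$PKI/$1.crt")
  k=$(openssl rsa -noout -modulus -in "$PKI/$1.key" 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check 3: the certificate is marked as a server certificate. Only server.crt
# should pass; a client certificate that passed could impersonate the server
# to every client that relies on "ns-cert-type server".
check_is_server_cert() {
  openssl x509 -noout -text -in "$PKI/$1.crt" | grep -q 'SSL Server'
}

# Build the same set of files the tutorial builds and run every check;
# returns 0 only when the whole set is consistent.
run_demo() {
  write_ext_files
  build_ca
  build_cert server server
  build_cert client1 client
  check_chains_to_ca server        || return 1
  check_chains_to_ca client1       || return 1
  check_key_matches_cert server    || return 1
  check_key_matches_cert client1   || return 1
  check_is_server_cert server      || return 1
  ! check_is_server_cert client1   || return 1
  echo "PKI in $PKI is consistent; copy ca.crt, client1.crt and client1.key to the client"
}

run_demo
```

On a real system only the three check_* functions are needed: copy them into a shell, set PKI to /etc/openvpn/easy-rsa/2.0/keys and call them by name. Do not run run_demo there, since it regenerates the files.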
openvpn.conf for the server:
# Routed tunnel on TCP port 1194. UDP is OpenVPN's default and avoids
# TCP-over-TCP stalls; TCP is used here and must match the client and the router rule.
dev tun
proto tcp
port 1194
# CA certificate, server certificate and server private key built with easy-rsa above.
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
# Diffie-Hellman parameters from ./build-dh. easy-rsa 2.0 defaults to
# KEY_SIZE=1024, which is weak; set KEY_SIZE=2048 in vars before building
# anything and the file becomes dh2048.pem.
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
# Drop root after start-up. persist-key and persist-tun let the daemon
# restart the tunnel without re-reading the key or re-creating the interface,
# which it could no longer do as nobody.
user nobody
group nogroup
# VPN subnet; the server takes 10.8.77.1 and hands out the rest.
server 10.8.77.0 255.255.255.0
persist-key
persist-tun
# Compression must be enabled on both ends or on neither (mismatched ends
# corrupt packets). The client config below uses comp-lzo, so it is set here too.
comp-lzo
#status openvpn-status.log
#verb 3
# Let connected clients reach each other through the tunnel.
client-to-client
Place this file in /etc/openvpn/.
Now start OpenVPN:
/etc/init.d/openvpn start
Setting up the router
Just make sure that the port and protocol used above (TCP 1194 in my case) are forwarded to the server at 192.168.1.9.
Setting up Tunnelblick
Download the dmg from http://code.google.com/p/tunnelblick/
Install as usual by dragging the icon to the Applications folder.
When you run it for the first time it adds a black tunnel icon in the menu bar, next to the Spotlight icon.
You will also be asked for your admin password, as the client needs root to create the tun interface and set up routes.
Clicking the tunnel icon presents the options; the defaults are fine.
Click Details and you will see the OpenVPN log output.
Click Edit configuration.
openvpn.conf content for the client:
dev tun
client
proto tcp
# Public address of the home router, which forwards TCP 1194 to the server.
remote 81.174.97.97 1194
resolv-retry infinite
nobind
# Drop root after start-up (macOS has both the nobody user and the nogroup group).
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# Paths are relative to the Tunnelblick configuration directory.
ca ca.crt
cert client1.crt
key client1.key
# Added here (not in the original config): only accept a server certificate
# built with ./build-key-server (nsCertType=server). Without this, anyone holding
# a client certificate signed by the same CA could pose as the server. OpenVPN 2.5
# and later removed ns-cert-type; use "remote-cert-tls server" there, which needs
# extendedKeyUsage=serverAuth on server.crt.
ns-cert-type server
# Must match the server. Compression inside a VPN also lets an attacker who can
# inject chosen plaintext into the tunnel recover secrets (VORACLE), so leaving
# it off on both ends is the safer choice.
comp-lzo
# Set log file verbosity.
verb 3
Paste your client openvpn.conf into the text editor and save.
Don't worry, it will overwrite the file despite the prompt.
It saves the file in ~/Library/Application Support/Tunnelblick/Configurations.
I placed the client certificate and key in there as well. You can put them anywhere, but then the ca, cert and key paths in the client openvpn.conf must change accordingly.
Now press Connect and the log should show a successful connection.
Test
Running ifconfig on the Mac should show an extra tun0 interface.
Now ping 10.8.77.1 and you should get a reply from the server.
I can now VNC to this server and from there VNC to any office computer on the 192.168.40.0 subnet.
Other things to consider: a passphrase on the client key (./build-key-pass instead of ./build-key) or username/password authentication on top of the certificates, so that a stolen Mac does not carry a ready-to-use credential.
I would now like to route traffic so that I can reach the 192.168.40.0 subnet without having to VNC to the OpenVPN server first (a route pushed from the server plus IP forwarding on it).