I have a VPN connection set up between home and the office via the routers and the Watchguard Firebox firewall.

All is well until I go away from home. There is no client for the Watchguard Firebox firewall that will work on the Mac.

What I need is a way to connect to my home network when away from home with my Mac which will then in turn allow me to connect to my office.

There are probably many solutions out there so I am not saying this is the right or only solution out there for my dilemma

Setting up the server

My Server is running Ubuntu 9.04 in desktop mode with a fixed IP address of 192.168.1.9.

Install openvpn

sudo apt-get install openvpn

Comment all lines in /etc/default/openvpn with # and add:

AUTOSTART="openvpn"

This line tells OpenVPN which configuration file it should use by default when starting. Configuration files are in /etc/openvpn and use the .conf extension so the setting above points to/etc/openvpn/openvpn.conf, a file that still does not exist and we will create later

The following will start, stop or restart OpenVPN as usual, let’s see:

Start OpenVPN:
/etc/init.d/openvpn start

Stop OpenVPN:
/etc/init.d/openvpn stop

Restart OpenVPN:
/etc/init.d/openvpn restart

Every time you change settings in /etc/openvpn/openvpn.conf you will need to restart OpenVPN.

Keys and certificates

Now we need to create security certificates and keys. We’ll do all this in the server as root:

sudo su

And add your password to get root access

cd /etc/openvpn/

Copy the directory easy-rsa to /etc/openvpn:

cp -r /usr/share/doc/openvpn/examples/easy-rsa/ .

Remember we’re still inside the /etc/openvpn directory. Now let’s edit the file vars with our favorite editor (replace vi with yours):

nano easy-rsa/2.0/vars

modify the below

export KEY_COUNTRY="UK"
export KEY_PROVINCE="SU"
export KEY_CITY="Birmingham"
export KEY_ORG="home"
export KEY_EMAIL="jon@example.com"

Save and quit.

Now run:

cd easy-rsa/2.0/
. ./vars

Important: that’s a period, a space and another period followed by /vars. This is a common confusion in many setups.

Now:

./clean-all

The next command creates your certificate authority (CA) using the parameters you just set, you should just add Common Name, I used OpenVPN-CA. For this step you’ll need OpenSSL; if you don’t have it in your server install it by running:

sudo apt-get install openssl

Ok, now we’re ready:

./build-ca

Now let’s create the keys, first the server:

./build-key-server server

This is important. When build-key-server asks for Common Name write server, the same parameter you provided to the command.

Also you’ll need to answer yes to these two questions: Sign the certificate? [y/n] and 1 out of 1 certificate requests certified, commit? [y/n].

Now the key for the client:

./build-key client1

Use client1 as Common Name, the same parameter you used above for build-key.
You can repeat this step if you want to have more clients, just replace the parameter with client2,client3, etc.
Now let’s create Diffie Hellman parameters:

./build-dh

There you are! Now you should have a new directory with your certificates and keys:/etc/openvpn/easy-rsa/keys. To configure your first client copy these files from servo to cliento:

ca.crt
client1.crt
client1.key

Ideally you should use a secure channel, I use scp with RSA authentication

Openvpn.conf for the server:

dev tun
proto tcp
port 1194
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
user nobody
group nogroup
server 10.8.77.0 255.255.255.0
persist-key
persist-tun
#status openvpn-status.log
#verb 3
client-to-client

Place this file in /etc/openvpn/

Now start openvpn by

/etc/init.d/openvpn start

Setting up the router

Just make sure that the port and protocol 1194 TCp in my case are forwarded to the server 192.168.1.9

Setting up tunnelblick

Download the dmg from http://code.google.com/p/tunnelblick/

Install as usual by dragging the icon to the applications folder.

When you run it for the first time it will add a black tunnel icon near your spotlight icon.

You will also need to enter your admin password as the client requires root access.

When clicking the tunnel you are presented with options. The defaults are fine.

Click on the details and you will see the OpenVPN log output.

Click the edit configuration

Openvpn.conf client content:

dev tun
client
proto tcp
remote 81.174.97.97 1194
resolv-retry infinite
nobind
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
# Set log file verbosity.
verb 3

Paste your client openvpn.conf copy in to the text editor and save.

Don’t worry it will overwrite despite the prompt.

It saves the file in user/Library/Application Support/Tunnelblick/Configurations

I placed the certificate and keys for the client in here as well. You can place them anywhere but you would need to change the client openvpn.conf accordingly.

Now press connect and you should see the verbose output suggesting a good connection

Test

If you ifconfig on the mac you should get an extra entry for tun0

Now ping 10.8.77.1 and you should get a reply from the server.

I can now vnc to this server and then vnc to from the server to any office computer on the subnet 192.168.40.0

Other things to consider could be username password authentication as well as the certificates in case the Mac is stolen.

I would now like to route traffic so that I can get to the 192.168.40.0 subnet without having to vnc to the openvpn server.