OpenVPN is an awesome Open Source VPN package, the 2.0 versions are solid, reliable and secure. Edoceo has been providing VPN services and commerical support for this product since late 2003. It is fully functional and stable on Apple, Linux and Windows platforms, ready for the enterprise.
Here's a complete OpenVPN Server configuration file. It creates a VPN Gateway device that allows clients on the VPN to access machines on the internal side subnet. For an explanation of all the options please see the OpenVPN Howto Guide.
If this is the first OpenVPN server, or a fresh install the necessary Certificates must be created. The example below creates a certificate for the server, two clients as well as the tls-auth and diffe-hellman files.
cd /usr/share/openvpn/easy-rsa . vars ./build-ca ./build-key-server vpnhost ./build-key clientA ./build-key clientB ./build-dh
Copy the necessary files to the OpenVPN configuration directory.
cp keys/ca.crt /etc/openvpn/ cp keys/dh1024.pem /etc/openvpn/ cp keys/server.crt /etc/openvpn/ cp keys/server.key /etc/openvpn/
And make the tls-auth key.
openvpn --genkey --secret /etc/openvpn/ta.key
The local network devices 10.65.0.0/24 as the Internal or Office network and 10.65.76.0/24 as the VPN subnet.
# OpenVPN Server Gateway # Gives Access to the Internal Network # Base Options dev tun server 10.65.76.0 255.255.255.0 port 1194 # These two don't apply on Windows user nobody group nobody # Certificate/Security Options ca ca.crt cert server.crt key server.key dh dh2048.pem tls-auth ta.key 0 # Tunnel Options cipher AES-256-CBC comp-lzo # Client should match this keepalive 10 120 persist-key persist-tun # DHCP Options # DNS Suffix # push "dhcp-option DOMAIN office.example.com" # Sent a DNS Server to the Client (if client does pull) # push "dhcp-option DNS 10.65.76.1" # Sent a WINS Server to the Client (if client does pull) # push "dhcp-option WINS 10.65.76.1" # Route to Internal Network, add more as necessary # push "route 10.65.0.0 255.255.255.0" # Output/Status Settings ifconfig-pool-persist ippool.out status status.out verb 3
The options above should be changed to match the readers environment. Most notably the DHCP Push options should be set to reasonable values.
Use the above Server configuration but add the following. This will let other clients see each other.
The current OpenVPN 2.1 clients have worked flawlessly for us since RC3. We're currently running various flavours of the 2.1 RC installs, RC3 through RC13. Here is a client for the above configuration
ca ca.crt cd /path/to/vpn/config cert client.crt comp-lzo dev tun group nobody keepalive 15 120 key client.key ns-cert-type server persist-key persist-local-ip persist-tun pull remote vpn.example.com tls-auth ta.key 1 user nobody verb 3
Mac OS X clients can use the same configuration as Linux clients. The cd parameter will need to be modified.
Use the same configuration as above but comment out the cd, group and user parameters.
# cd /path/to/vpn/config # group nobody # user nobody