OpenVPN 2.1 – First impressions of the free VPN software

By Michael Pietroforte - Wed, February 11, 2009 - 6 comments

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in system administration.

OpenVPN is a very powerful free VPN solution that is supported on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Windows 2000/XP/Vista. I tried the Open Source SSL/TLS-based VPN software on Windows Vista x64 and SuSE Linux 10.1. I think the fact that OpenVPN is available for so many different platforms alone makes it an interesting alternative to commercial products. Can you believe that Cisco’s VPN solution, one of the most popular VPN products, doesn’t run on Windows Vista x64? They don’t even plan to release a 64-bit version. Well, OpenVPN does, albeit only the latest version 2.1, which is still a release candidate.

I tried to install the OpenVPN 2.0.9 client on Vista x64, but I wasn’t able to get it running. The installation procedure already complained that there are compatibility issues with the TAP driver (bridged tunneling). I also had a few issues on Vista x86, not with the driver, but with routing commands. Because I read that OpenVPN 2.1 has better Vista support, in particular for 64-bit, I didn’t bother with those problems for too long, but installed OpenVPN 2.1_rc15 instead.

I recommend you turn off digital driver signing on Vista x64 before you install OpenVPN. For this you have to press F8 when Vista boots up and then select the corresponding option. I also disabled UAC during installation, just to make sure that the setup always has administrator privileges. It appears that OpenVPN doesn’t like UAC. You can’t really blame OpenVPN for that because it has to change Vista’s routing table, for which it needs administrator privileges. To automatically start the OpenVPN client always with administrator rights, you can just configure its shortcut accordingly (see screenshot). If the UAC prompt whenever you launch OpenVPN gets on your nerves, I recommend using Symantec UAC.

On the server side, I installed OpenVPN on SuSE Linux 10.1. With the help of YaST, it was easier than installing the client on Windows. To configure OpenVPN one has to create the file named net.conf under /etc/openvpn. I had a very simple setting for my test environment. This is what my configuration file looks like:

dev tun
ifconfig 10.1.0.1 10.1.0.2
secret net.static.key

The “dev tun” command tells OpenVPN to encapsulate IPv4 or IPv6; i.e., it will establish a routed VPN. OpenVPN also supports bridged VPNs, which means that you don’t have to bother with routing configurations, but Ethernet bridging costs performance.

“10.1.0.1” in the ifconfig command is the endpoint IP of my server, and “10.1.0.2” is the endpoint IP of my client. The secret command refers to the secret key that I created with “openvpn --genkey --secret net.static.key” on the server. This key has to be copied to the config folder of OpenVPN on the Windows client. OpenVPN also supports Public Key Infrastructure (PKI) for authentication purposes, but that would have been overkill for my purpose.

The configuration file (net.ovpn in the config folder) on the Windows client is quite simple too:

remote host
dev tun
secret net.static.key
ifconfig 10.1.0.2 10.1.0.1
dhcp-option DNS 10.1.0.1
redirect-gateway def1

“host” has to be replaced with the public IP of the VPN server. You already know the “dev tun” and “secret” commands. The ifconfig command has swapped IP addresses, because the local endpoint is now on the client and the remote endpoint is on the server.

I used the dhcp-option DNS command because I wanted my client to use the DNS server on my VPN server. This DNS server tells my Vista client to use the private IP of the server instead of the public IP for certain Internet domains. This makes sure that this communication is encrypted, too. The redirect-gateway def1 command changes the routing table on the client to redirect all Internet traffic through the VPN server.
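The server and client files above have to mirror each other exactly (same dev and secret, ifconfig addresses swapped), and a typo in one of them is easy to overlook. The following script is an added example, not code from the article or from the OpenVPN project: it writes both configs from one set of variables and checks that they form a consistent pair before you copy them into place. The endpoint addresses, the key file name and the placeholder server address vpn.example.invalid are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the article): generate the server and client
# configuration for a static-key, routed (dev tun) OpenVPN link and verify
# that the two files mirror each other.
# Assumptions (all constructed): server endpoint 10.1.0.1, client endpoint
# 10.1.0.2, key file net.static.key, and a placeholder for the server's
# public address that must be replaced before use.

SERVER_IP=10.1.0.1
CLIENT_IP=10.1.0.2
KEY_FILE=net.static.key
REMOTE_HOST=vpn.example.invalid   # placeholder, not a real server

# Server side: what goes into /etc/openvpn/net.conf
write_server_conf() {
    cat <<EOF
dev tun
ifconfig $SERVER_IP $CLIENT_IP
secret $KEY_FILE
EOF
}

# Client side: what goes into net.ovpn in the OpenVPN config folder
write_client_conf() {
    cat <<EOF
remote $REMOTE_HOST
dev tun
secret $KEY_FILE
ifconfig $CLIENT_IP $SERVER_IP
dhcp-option DNS $SERVER_IP
redirect-gateway def1
EOF
}

# directive FILE NAME: print the arguments of the first NAME line in FILE,
# or nothing if the directive is absent.
directive() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# check_pair SERVER_CONF CLIENT_CONF: succeed (exit 0) only when
#  - the ifconfig addresses are swapped between the two files,
#  - both use the same dev type and the same secret file, and
#  - the client names a remote host.
check_pair() {
    s_if=$(directive "$1" ifconfig); c_if=$(directive "$2" ifconfig)
    s_local=${s_if%% *};  s_remote=${s_if##* }
    c_local=${c_if%% *};  c_remote=${c_if##* }
    [ -n "$s_if" ] && [ -n "$c_if" ] || return 1
    [ "$s_local" = "$c_remote" ] && [ "$s_remote" = "$c_local" ] || return 1
    [ "$(directive "$1" dev)" = "$(directive "$2" dev)" ] || return 1
    [ "$(directive "$1" secret)" = "$(directive "$2" secret)" ] || return 1
    [ -n "$(directive "$2" remote)" ] || return 1
    return 0
}

# demo: write both files to a temporary directory and validate them.
demo() {
    tmp=$(mktemp -d)
    write_server_conf > "$tmp/net.conf"
    write_client_conf > "$tmp/net.ovpn"
    if check_pair "$tmp/net.conf" "$tmp/net.ovpn"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}
```

Run `demo` to produce and validate the pair; copy net.conf to /etc/openvpn on the server and net.ovpn together with the static key into the client's config folder only after it succeeds. The check is deliberately strict about the swapped ifconfig pair, since a client that repeats the server's order will come up with the wrong local address and the tunnel will not route.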

OpenVPN has no NAT capabilities, which means that you have to use the server OS for this. On my Linux box I used iptables:

iptables -A FORWARD -i tun0 -o eth0 -s 10.1.0.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE

You can also easily configure Windows Server to act as a NAT router.
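Two things are worth adding to the iptables rules above from a hardening point of view: the kernel only forwards packets once net.ipv4.ip_forward is set to 1, and a bare "-j MASQUERADE" rewrites every forwarded packet leaving the box, not just the VPN's. The script below is an added example, not part of the article or of OpenVPN: it builds the rules as a reviewable list, scopes the MASQUERADE rule to the VPN subnet and the Internet-facing interface, and only applies them when run as root. The interface names tun0 and eth0 and the subnet 10.1.0.0/24 are taken from the article's rules; the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the article): forwarding and NAT rules for a
# routed OpenVPN tunnel, generated as a list so they can be reviewed and
# tested before being installed with root privileges.
# Assumptions: tunnel interface tun0, Internet-facing interface eth0 and
# VPN subnet 10.1.0.0/24 (the values used in the article's rules).

TUN_IF=tun0
WAN_IF=eth0
VPN_NET=10.1.0.0/24

# nat_rules: print one iptables command per line.
# The POSTROUTING rule is restricted to VPN-sourced packets leaving via the
# WAN interface, so packets from other networks on the server are not
# silently NATed as well.
nat_rules() {
    cat <<EOF
iptables -A FORWARD -i $TUN_IF -o $WAN_IF -s $VPN_NET -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# rule_count: number of rules that would be installed.
rule_count() { nat_rules | wc -l | tr -d ' '; }

# rules_scoped: succeed only if every rule is limited to the VPN subnet,
# the WAN interface, or already-established connections. The loop runs in
# a subshell (pipeline), so "exit 1" ends the loop and becomes the
# function's return status.
rules_scoped() {
    nat_rules | while read -r line; do
        case "$line" in
            *"-s $VPN_NET"*|*"-o $WAN_IF"*|*"--state ESTABLISHED,RELATED"*) ;;
            *) exit 1 ;;
        esac
    done
}

# apply_rules: enable IPv4 forwarding (off by default, so the rules alone
# do nothing) and install the rules. Refuses to run unless root.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 || return 1
    nat_rules | while read -r cmd; do
        $cmd || exit 1
    done
}
```

`nat_rules` alone is safe to run anywhere and is what you would paste into a change review; `apply_rules` is the only function that touches the live firewall. Note that the ip_forward setting made with sysctl -w does not survive a reboot; on the SuSE box in the article it would have to be made persistent in the distribution's sysctl configuration as well.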

Once everything is configured you can start the OpenVPN GUI and double-click on its systray icon to establish the connection. I have been using OpenVPN 2.1 RC for several days and didn’t experience any problems.

My article is not a review of OpenVPN, which is a very complex VPN solution. I just wanted to give you a first idea about this great VPN solution. I had read about OpenVPN before, but I must admit that when I first tried it I was quite surprised at how powerful it is. You should have a look at its command documentation to get an idea about its capabilities. I also found the HOWTOs quite useful.


6 Comments

  1. jamie says:

    Anyone have any experience in getting this working with Windows7?

  2. pit314 says:

    Hi, great website!

    OpenVPN client works fine on Vista and Seven.

    Just add these lines in the config file to fix routing problems:

    route-method exe
    route-delay 2

  3. KKM says:

    Unable to install on Windows 7 64-bit. TAP driver error … any help?

  4. Which version did you install? Only 2.1 works. You also have to disable digital driver signing before you install OpenVPN (press F8 when the computer boots up).

  5. Al says:

    I’ve found OpenVPN performance to be sluggish even on decent hardware. Does anyone have any optimization tips?
