Author: Michael Pietroforte (4sysops)
I tried to install the OpenVPN 2.0.9 client on Vista x64, but I wasn’t able to get it running. The installation procedure already complained about compatibility issues with the TAP driver (bridged tunneling). I also had a few issues on Vista x86, not with the driver, but with the routing commands. Because I had read that OpenVPN 2.1 has better Vista support, in particular for 64-bit, I didn’t spend long on those problems and installed OpenVPN 2.1_rc15 instead.
I recommend you turn off digital driver signing on Vista x64 before you install OpenVPN. For this you have to press F8 when Vista boots up and then select the corresponding option; note that this option only applies to that boot session. I also disabled UAC during installation, just to make sure that the setup always has administrator privileges, and turned it back on afterwards. It appears that OpenVPN doesn’t like UAC. You can’t really blame OpenVPN for that, because it has to change Vista’s routing table, for which it needs administrator privileges. To always start the OpenVPN client with administrator rights, you can configure its shortcut accordingly (see screenshot). If the UAC prompt whenever you launch OpenVPN gets on your nerves, I recommend using Symantec UAC.
On the server side, I installed OpenVPN on SuSE Linux 10.1. With the help of YaST, it was easier than installing the client on Windows. To configure OpenVPN, one has to create a file named net.conf under /etc/openvpn. I had a very simple setup for my test environment. This is what my configuration file looks like (the "dev tun" and "secret" lines are the ones explained below):
dev tun
ifconfig 10.1.0.1 10.1.0.2
secret net.static.key
The “dev tun” command tells OpenVPN to encapsulate IPv4 or IPv6 packets; i.e., it will establish a routed (layer 3) VPN. OpenVPN also supports bridged VPNs on a TAP device, which means that you don’t have to bother with routing configuration, but Ethernet bridging costs performance.
“10.1.0.1” in the ifconfig command is the end point IP of my server, and “10.1.0.2” is the end point IP of my client. The secret command refers to the static key that I created with “openvpn --genkey --secret net.static.key” on the server. This key has to be copied to the config folder of OpenVPN on the Windows client; copy it over a trusted channel, because anyone who holds the key can connect to the server and decrypt the tunnel traffic. Keep in mind that static key mode is point-to-point, so one server instance serves exactly one client. OpenVPN also supports a Public Key Infrastructure (PKI) for authentication purposes, but that would have been overkill for my purpose.
The configuration file (net.ovpn in the config folder) on the Windows client is quite simple too (again with the "remote", "dev tun", "secret" and "redirect-gateway" lines that the text below explains):
remote host
dev tun
ifconfig 10.1.0.2 10.1.0.1
secret net.static.key
dhcp-option DNS 10.1.0.1
redirect-gateway def1
“host” in the remote command has to be replaced with the public IP of the VPN server. You already know the “dev tun” and “secret” commands. The ifconfig command has the IP addresses swapped, because the local end point is now on the client and the remote end point is on the server.
I used the dhcp-option DNS command because I wanted my client to use the DNS server on my VPN server. This DNS server tells my Vista client to use the private IP of the server instead of the public IP for certain Internet domains. This makes sure that this communication is encrypted, too. The redirect-gateway def1 command changes the routing table on the client to send all Internet traffic through the VPN server.
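Because the server and client configs above must mirror each other exactly (same dev mode, swapped ifconfig end points, a static key on both sides, and NAT on the server whenever the client uses redirect-gateway), here is an added consistency checker for such a pair; it is example code written for this article, not part of OpenVPN, and the sample configs and the host name in them are constructed.

```python
import ipaddress

# Constructed sample configs mirroring the post; the remote host is a placeholder.
SERVER_CONF = """\
dev tun
ifconfig 10.1.0.1 10.1.0.2
secret net.static.key
"""

CLIENT_CONF = """\
remote vpn.example.invalid
dev tun
ifconfig 10.1.0.2 10.1.0.1
secret net.static.key
dhcp-option DNS 10.1.0.1
redirect-gateway def1
"""

def parse(conf):
    """Map each option name to its argument list (first occurrence wins);
    blank lines and '#'/';' comments are ignored."""
    opts = {}
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, args)
    return opts

def check_pair(server_conf, client_conf):
    """Return a list of problems; an empty list means the two configs mirror
    each other the way a static-key point-to-point setup requires."""
    s, c = parse(server_conf), parse(client_conf)
    problems = []
    if s.get('dev') != c.get('dev'):
        problems.append('dev mismatch: server %s, client %s' % (s.get('dev'), c.get('dev')))
    if 'remote' not in c:
        problems.append("client has no 'remote' line")
    s_if, c_if = s.get('ifconfig', []), c.get('ifconfig', [])
    if len(s_if) != 2 or len(c_if) != 2:
        problems.append('ifconfig needs a local and a remote address on both sides')
    else:
        try:
            for addr in s_if + c_if:
                ipaddress.IPv4Address(addr)
        except ipaddress.AddressValueError as err:
            problems.append('bad ifconfig address: %s' % err)
        if s_if != c_if[::-1]:  # client's local/remote must be the server's remote/local
            problems.append('ifconfig endpoints are not swapped: server %s, client %s' % (s_if, c_if))
    if ('secret' in s) != ('secret' in c):
        problems.append('one side uses a static key, the other does not')
    return problems

def client_needs_server_nat(client_conf):
    """redirect-gateway sends all client traffic into the tunnel, so the server
    must forward and NAT it (the iptables rules shown in the post)."""
    return 'redirect-gateway' in parse(client_conf)
```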
OpenVPN has no NAT capabilities, which means that you have to use the server OS for this. On my Linux box I used iptables (IP forwarding must also be enabled in the kernel, e.g. net.ipv4.ip_forward=1):
# allow new connections from the tunnel out to the Internet
iptables -A FORWARD -i tun0 -o eth0 -s 10.1.0.0/24 -m state --state NEW -j ACCEPT
# allow the replies back in
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# masquerade outgoing traffic with the server's public IP
iptables -A POSTROUTING -t nat -j MASQUERADE
You can also easily configure Windows Server to act as a NAT router.
Once everything is configured, you can start the OpenVPN GUI and double-click its systray icon to establish the connection. I have been using OpenVPN 2.1 RC for several days and haven’t experienced any problems.
My article is not a review of OpenVPN, which is a very complex VPN solution. I just wanted to give you a first idea of this great VPN solution. I had read about OpenVPN before, but I must admit that when I first tried it I was quite surprised at how powerful it is. You should have a look at its command documentation to get an idea of its capabilities. I also found the HOWTOs quite useful.