Volume Number: 23 (2007)
Issue Number: 12
Column Tag: Networking

DIY: OpenVPN Server

How to turn OS X client into an OpenVPN server

by Ben Greisler

To paraphrase Steve Ballmer, "Security! Security! Security!"

In this episode of DIY Computing we will be putting together an OpenVPN server running on OS X (client). To quote openvpn.net: "OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface."

Like most other projects similar to this, there are many, many configuration options. In this article we will do enough to get a functional VPN running and use it as the basis for additional exploration.

This OpenVPN server was set up on a fully patched 10.4.10 install running on a G4 AGP (PPC) that I had hanging around. This is a perfect machine to put back to work. I wanted to test on an Intel machine, but I didn't have one available to play with. The process for installation on an Intel machine should be identical to the PPC with any exceptions noted.

Before installing the OpenVPN software, I downloaded the latest Macports (1.5.0, macports.org) and Apple Developer tools (Xcode 2.5 Developer Preview). I ended up using the preview version of Xcode simply because I already had it downloaded, but the 2.4.1 version should work as well. I also downloaded the nice tun/tap package from: http://www-user.rhrk.uni-kl.de/~nissler/tuntap/. I used the stable Tiger version for PPC, but if you are on Intel there is a Universal version available too. The developers of the package do note that they have had some crashing issues, so tread carefully if you are in a production environment. Test, test, test!

We could have installed OpenVPN without using Macports, but using it makes life a little easier as Macports takes care of any dependencies that also may need to be installed, such as lzo2, openssl and zlib.

For the client machine, we are going to use Tunnelblick, a gui for OpenVPN. It can be downloaded from tunnelblick.net. Tunnelblick is pretty much self-contained. It has OpenVPN, the tun/tap drivers from Nissler and the appropriate scripts to make everything work.

We start with a fully patched install of 10.4.10 and then install the Xcode Tools (developer.apple.com).

At this point adjust the Energy Saver preferences to not allow the computer to go to sleep.

With the Developer Tools in place, we can install Macports. If you are not familiar with Macports, refer to the website (www.macports.org) for installation instructions, requirements and usage information. Check for updates:

sudo port update

With Macports in place, I checked for the availability of openvpn:

testbeds-G4:~ testbed$ sudo port search openvpn
openvpn  net/openvpn 1.6.0 easy-to-use, robust, and highly configurable VPN
openvpn2  net/openvpn2   2.0.9 easy-to-use, robust, and highly configurable VPN

As we can see, we are given our choice of two versions of openvpn. The one we want is openvpn2:

testbeds-G4:~ testbed$ sudo port install openvpn2
--->  Fetching lzo2
--->  Attempting to fetch lzo-2.02.tar.gz from http://www.oberhumer.com/opensource/lzo/download/
--->  Verifying checksum(s) for lzo2
--->  Extracting lzo2
--->  Configuring lzo2
--->  Building lzo2 with target all
--->  Staging lzo2 into destroot
--->  Installing lzo2 2.02_1+darwin_8
--->  Activating lzo2 2.02_1+darwin_8
--->  Cleaning lzo2
--->  Fetching zlib
--->  Attempting to fetch zlib-1.2.3.tar.bz2 from http://www.zlib.net/
--->  Verifying checksum(s) for zlib
--->  Extracting zlib
--->  Applying patches to zlib
--->  Configuring zlib
--->  Building zlib with target all
--->  Staging zlib into destroot
--->  Installing zlib 1.2.3_1
--->  Activating zlib 1.2.3_1
--->  Cleaning zlib
--->  Fetching openssl
--->  Attempting to fetch openssl-0.9.8e.tar.gz from http://www.openssl.org/source/
--->  Verifying checksum(s) for openssl
--->  Extracting openssl
--->  Applying patches to openssl
--->  Configuring openssl
--->  Building openssl with target all
--->  Staging openssl into destroot
--->  Installing openssl 0.9.8e_0+darwin_8
--->  Activating openssl 0.9.8e_0+darwin_8
--->  Cleaning openssl
--->  Fetching openvpn2
--->  Attempting to fetch openvpn-2.0.9.tar.gz from http://www.openvpn.net/release/
--->  Verifying checksum(s) for openvpn2
--->  Extracting openvpn2
--->  Configuring openvpn2
--->  Building openvpn2 with target all
--->  Staging openvpn2 into destroot
--->  Installing openvpn2 2.0.9_1+darwin_8
--->  Activating openvpn2 2.0.9_1+darwin_8
--->  Cleaning openvpn2

You don't have to do the next step, but I like moving the files to a more convenient location:

testbeds-G4:/etc testbed$ sudo cp -r  /opt/local/share/doc/openvpn2/ /etc/openvpn/

Now we can install the tun/tap drivers from the package downloaded. You can choose to install the tun or tap kexts individually along with the startup items, or do what I did and use the .mpkg to install all of them. That will give more flexibility in future configurations. The tun and tap kexts will be installed in /Library/Extension and the startup items will be installed in /System/Library/StartupItems.

Figure 1: Tun and tap installer packages

We need to generate the keys and certificates for the server and clients. To make things a little easier, I edited the vars file in /etc/openvpn/easy-rsa to reflect my location and email address. This will give us the defaults when we set up the security items. We now get to work on the PKI (public key infrastructure) and build the certificate authority (CA). Note that I used "OpenVPN-CA" for the Common Name:

testbeds-G4:/etc/openvpn/easy-rsa testbed$ . ./vars

NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

testbeds-G4:/etc/openvpn/easy-rsa testbed$ sudo ./clean-all
testbeds-G4:/etc/openvpn/easy-rsa testbed$ sudo ./build-ca
Generating a 1024 bit RSA private key
.....++++++
.......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NA]:PA  
Locality Name (eg, city) [ANYTOWN]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
Email Address [vpnadmin@greisler.org]:
testbeds-G4:/etc/openvpn/easy-rsa testbed$ ls -l
total 160
drwxr-xr-x   23 root  wheel   782 Aug 12 13:53 2.0
-rw-r--r--    1 root  wheel  6075 Aug 12 13:53 README
drwxr-xr-x   14 root  wheel   476 Aug 12 13:53 Windows
-rwxr-xr-x    1 root  wheel   242 Aug 12 13:53 build-ca
-rwxr-xr-x    1 root  wheel   228 Aug 12 13:53 build-dh
-rwxr-xr-x    1 root  wheel   529 Aug 12 13:53 build-inter
-rwxr-xr-x    1 root  wheel   516 Aug 12 13:53 build-key
-rwxr-xr-x    1 root  wheel   424 Aug 12 13:53 build-key-pass
-rwxr-xr-x    1 root  wheel   695 Aug 12 13:53 build-key-pkcs12
-rwxr-xr-x    1 root  wheel   662 Aug 12 13:53 build-key-server
-rwxr-xr-x    1 root  wheel   466 Aug 12 13:53 build-req
-rwxr-xr-x    1 root  wheel   402 Aug 12 13:53 build-req-pass
-rwxr-xr-x    1 root  wheel   280 Aug 12 13:53 clean-all
drwx------    6 root  wheel   204 Aug 12 14:40 keys
-rw-r--r--    1 root  wheel   264 Aug 12 13:53 list-crl
-rw-r--r--    1 root  wheel   268 Aug 12 13:53 make-crl
-rw-r--r--    1 root  wheel  7487 Aug 12 13:53 openssl.cnf
-rw-r--r--    1 root  wheel   268 Aug 12 13:53 revoke-crt
-rwxr-xr-x    1 root  wheel   593 Aug 12 13:53 revoke-full
-rwxr-xr-x    1 root  wheel   411 Aug 12 13:53 sign-req
-rw-r--r--    1 root  wheel  1269 Aug 12 14:22 vars
testbeds-G4:/etc/openvpn/easy-rsa/keys root# ls -l
total 24
-rw-r--r--   1 root  wheel  1233 Aug 12 14:40 ca.crt
-rw-------   1 root  wheel   887 Aug 12 14:40 ca.key
-rw-r--r--   1 root  wheel     0 Aug 12 14:39 index.txt
-rw-r--r--   1 root  wheel     3 Aug 12 14:39 serial

Now let's build the server certificate and key. Note that I used "server" as the Common Name:

testbeds-G4:/etc/openvpn/easy-rsa testbed$ sudo ./build-key-server server Password: Generating a 1024 bit RSA private key ..................++++++ ....................++++++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]: State or Province Name (full name) [NA]:PA Locality Name (eg, city) [ANYTOWN]: Organization Name (eg, company) [OpenVPN-TEST]: Organizational Unit Name (eg, section) []:. Common Name (eg, your name or your server's hostname) []:server Email Address [vpnadmin@greisler.org]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'US' stateOrProvinceName :PRINTABLE:'PA' localityName :PRINTABLE:'ANYTOWN' organizationName :PRINTABLE:'OpenVPN-TEST' commonName :PRINTABLE:'server' emailAddress :IA5STRING:'vpnadmin@greisler.org' Certificate is to be certified until Aug 9 18:55:31 2017 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated testbeds-G4:/etc/openvpn/easy-rsa/keys root# ls -l total 80 -rw-r--r-- 1 root wheel 3640 Aug 12 14:55 01.pem -rw-r--r-- 1 root wheel 1233 Aug 12 14:40 ca.crt -rw------- 1 root wheel 887 Aug 12 14:40 ca.key -rw-r--r-- 1 root wheel 100 Aug 12 14:55 index.txt -rw-r--r-- 1 root wheel 21 Aug 12 14:55 index.txt.attr -rw-r--r-- 1 root wheel 0 Aug 12 14:39 index.txt.old -rw-r--r-- 1 root wheel 3 Aug 12 14:55 serial -rw-r--r-- 1 root wheel 3 Aug 12 14:39 serial.old -rw-r--r-- 1 root wheel 3640 Aug 12 14:55 server.crt -rw-r--r-- 1 root wheel 676 Aug 12 14:55 server.csr -rw------- 1 root wheel 887 Aug 12 14:55 server.key

Now let's build the server certificate and key. Note that I used "client" as the Common Name. For each client certificate and key, use a different Common Name (ie: client1, client2, bob, fred, etc):

testbeds-G4:/etc/openvpn/easy-rsa testbed$ sudo ./build-key client
Generating a 1024 bit RSA private key
................................................++++++
.......++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NA]:PA
Locality Name (eg, city) [ANYTOWN]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:client
Email Address [vpnadmin@greisler.org]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'PA'
localityName          :PRINTABLE:'ANYTOWN'
organizationName      :PRINTABLE:'OpenVPN-TEST'
commonName            :PRINTABLE:'client'
emailAddress          :IA5STRING:'vpnadmin@greisler.org'
Certificate is to be certified until Aug  9 18:59:59 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
testbeds-G4:/etc/openvpn/easy-rsa/keys root# ls -l
total 128
-rw-r--r--   1 root  wheel  3640 Aug 12 14:55 01.pem
-rw-r--r--   1 root  wheel  3541 Aug 12 15:00 02.pem
-rw-r--r--   1 root  wheel  1233 Aug 12 14:40 ca.crt
-rw-------   1 root  wheel   887 Aug 12 14:40 ca.key
-rw-r--r--   1 root  wheel  3541 Aug 12 15:00 client.crt
-rw-r--r--   1 root  wheel   676 Aug 12 14:59 client.csr
-rw-------   1 root  wheel   891 Aug 12 14:59 client.key
-rw-r--r--   1 root  wheel   200 Aug 12 15:00 index.txt
-rw-r--r--   1 root  wheel    20 Aug 12 15:00 index.txt.attr
-rw-r--r--   1 root  wheel    21 Aug 12 14:55 index.txt.attr.old
-rw-r--r--   1 root  wheel   100 Aug 12 14:55 index.txt.old
-rw-r--r--   1 root  wheel     3 Aug 12 15:00 serial
-rw-r--r--   1 root  wheel     3 Aug 12 14:55 serial.old
-rw-r--r--   1 root  wheel  3640 Aug 12 14:55 server.crt
-rw-r--r--   1 root  wheel   676 Aug 12 14:55 server.csr
-rw-------   1 root  wheel   887 Aug 12 14:55 server.key

Now build the Diffie Hellman parameters:

testbeds-G4:/etc/openvpn/easy-rsa testbed$ sudo ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
................+...........................+............................
<lots of dots removed to prevent boredom>
.......................................................+...+..++*++*++*
testbeds-G4:/etc/openvpn/easy-rsa/keys root# ls -l
total 136
-rw-r--r--   1 root  wheel  3640 Aug 12 14:55 01.pem
-rw-r--r--   1 root  wheel  3541 Aug 12 15:00 02.pem
-rw-r--r--   1 root  wheel  1233 Aug 12 14:40 ca.crt
-rw-------   1 root  wheel   887 Aug 12 14:40 ca.key
-rw-r--r--   1 root  wheel  3541 Aug 12 15:00 client.crt
-rw-r--r--   1 root  wheel   676 Aug 12 14:59 client.csr
-rw-------   1 root  wheel   891 Aug 12 14:59 client.key
-rw-r--r--   1 root  wheel   245 Aug 12 15:06 dh1024.pem
-rw-r--r--   1 root  wheel   200 Aug 12 15:00 index.txt
-rw-r--r--   1 root  wheel    20 Aug 12 15:00 index.txt.attr
-rw-r--r--   1 root  wheel    21 Aug 12 14:55 index.txt.attr.old
-rw-r--r--   1 root  wheel   100 Aug 12 14:55 index.txt.old
-rw-r--r--   1 root  wheel     3 Aug 12 15:00 serial
-rw-r--r--   1 root  wheel     3 Aug 12 14:55 serial.old
-rw-r--r--   1 root  wheel  3640 Aug 12 14:55 server.crt
-rw-r--r--   1 root  wheel   676 Aug 12 14:55 server.csr
-rw-------   1 root  wheel   887 Aug 12 14:55 server.key

The files in the "keys/" folder are distributed as such:

Server: ca.crt, ca.key (secret), dh1024.pem server.key (secret) and server.crt (these files can stay in the /keys folder)

Client: ca.crt, client.key (secret) and client.crt (these will be moved in a secure manner to the client machine)

We now get to work on the configuration files for the server and client. I suggest starting with the sample config files contained in the /openvpn/sample-config-files folder. The sample server config is called server.conf. Make a copy of the server.conf file and place it in /etc/openvpn then edit the file to reflect the location of the server certificates, key and DH parameters:

<clip>
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
# 
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
# 
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
</clip>

In this article we are keeping to the basics, but you should review the server.conf file and look at the choices. The sample file on which we are basing our server.conf file on states that the VPN virtual IP range will be in the 10.8.0.0/24 subnet. The VPN will be listening on port 1194 UPD. All this can be changed as long as the changes are reflected in the client config file and the network can support it. OpenVPN will default to Blowfish encryption unless changed. Also, the file says that we are building a tunnel (tun) rather than bridging (tap).

With the server.conf file set, we can start the vpn server. For production use you will want to make a StarupItem to start it on boot:

testbeds-G4:/etc/openvpn/ testbed$ sudo openvpn2 /etc/openvpn/server.conf
Password:
Sun Aug 12 15:59:13 2007 OpenVPN 2.0.9 powerpc-apple-darwin8.10.0 [SSL] [LZO] built on Aug 12 2007
Sun Aug 12 15:59:14 2007 Diffie-Hellman initialized with 1024 bit key
Sun Aug 12 15:59:14 2007 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Aug 12 15:59:14 2007 gw 192.168.254.1
Sun Aug 12 15:59:14 2007 TUN/TAP device /dev/tun0 opened
Sun Aug 12 15:59:14 2007 /sbin/ifconfig tun0 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
Sun Aug 12 15:59:14 2007 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Sun Aug 12 15:59:14 2007 /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Sun Aug 12 15:59:14 2007 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2
Sun Aug 12 15:59:14 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Aug 12 15:59:14 2007 UDPv4 link local (bound): [undef]:1194
Sun Aug 12 15:59:14 2007 UDPv4 link remote: [undef]
Sun Aug 12 15:59:14 2007 MULTI: multi_init called, r=256 v=256
Sun Aug 12 15:59:14 2007 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Aug 12 15:59:14 2007 IFCONFIG POOL LIST
Sun Aug 12 15:59:14 2007 Initialization Sequence Completed

We need to modify the client config file with the location of the vpn server and the keys and certificates:

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote greisler.org 1194
;remote my-server-2 1194

Copy the client.conf file along with ca.crt, client.crt and client.key files to ~/Library/openvpn on the client machine. Then install Tunnelblick. When you start Tunnelblick for the first time and you don't have the client.conf file in place, it was ask you to do it or it will install a sample file for you. Once Tunnelblick is started, you will have a small tunnel icon in the upper right side menu bar. Click on it and it will allow you to start the tunnel. If the tunnel connects correctly, the center of the tunnel icon goes clear as in a "light at the end of the tunnel." You can click on Details to see log info and modify the config file.

Figure 2: Location and structure of the client.conf and pki files for Tunnelblick

Figure 3: A successful OpenVPN tunnel connection

To test the connection you can ping the client machine from the server and vice-versa keeping in mind that the server is now 10.8.0.1 and the clients ip can be checked by checking the tun0 interface:

computator1:~ magikben$ ifconfig tun0
tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff 
        open (pid 4801)
computator1:~ magikben$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: icmp_seq=0 ttl=64 time=98.426 ms
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=42.783 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=5.103 ms
^C
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 5.103/48.771/98.426/38.333 ms
testbeds-G4:~ testbed$ ping 10.8.0.6
PING 10.8.0.6 (10.8.0.6): 56 data bytes
64 bytes from 10.8.0.6: icmp_seq=0 ttl=64 time=71.537 ms
64 bytes from 10.8.0.6: icmp_seq=1 ttl=64 time=197.671 ms
64 bytes from 10.8.0.6: icmp_seq=2 ttl=64 time=40.110 ms
64 bytes from 10.8.0.6: icmp_seq=3 ttl=64 time=45.709 ms
64 bytes from 10.8.0.6: icmp_seq=4 ttl=64 time=64.629 ms
^C
--- 10.8.0.6 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 40.110/83.931/197.671/58.042 ms

This configuration will work but you might need to look at a few other issues that will impact actual usage. You may need to add routing statements so VPN clients can get to resources beyond the actual VPN server. You may need to adjust the PKI to better meet your needs. As it is the setup we just did can possibly be a target for man-in-the-middle attacks since there is nothing that verifies the server certificate; this was even pointed out in the logs along with where to look to solve this (http://openvpn.net/howto.html#mitm). The test environment had a single interface G4 as the VPN server and thus I had to port forward UDP 1194 to server for outside access.

Go ahead and try it out. There are many good sources on the net to find out additional information, the OpenVPN.net site being one of the best. One of the few downsides to OpenVPN is that it is fairly hands-on and it doesn't lend itself to easy administration of users with all configurations occurring via command line. There are a few GUI's available, but I didn't have a chance to get them running in time for this article, plus a number of them are Windows only.

Ben has been everything from a Mac user to CTO of one of the leading Macintosh professional services firms. Besides writing an occasional article for MacTech, you can find him presenting at Macworld or consulting with clients around the world. You can reach him at ben@greisler.org.