I have an existing network at home, but would like to be able to connect to it using a VPN every now and then. This enables me to access the fileserver, printer and so on.
A Soekris box I had lying around meets all requirements perfectly for a VPN-server. Here is how to set it up.
This one is easy enough, on Apple Mac OS X and a Time Capsule (or Airport Express) open AirPort Utility on your Mac, select the Time Capsule, click Manual Setup.
Go to Internet - NAT
Select the box "Enable NAT Port Mapping Protocol" and click on "Configure Port Mappings..."
Click on the "+" to add a portmapping. OpenVPN uses UDP port 1194, so map it from the "Public UDP Port(s)" to the "Private UDP Port(s)" on the "Private IP Address" of your soekris box. Fill in "OpenVPN" in the next "Description" field.
Finish your router configuration by pressing "Update". N.B. The network connection will be gone for a minute or two.
Create a directory /etc/openvpn/keys:
soekris # mkdir -p /etc/openvpn/keys
# This is the network that lives on the tun0 device.
# My regular network uses 10.0.1.0/24, so using
# 10.0.2.0/24 seems pretty logical.
server 10.0.2.0 255.255.255.0
# When clients connect, tell them that 10.0.1.0/24 can
# be reached through this tunnel. (You may also set this on the,
# client instead of "broadcasting" this...
push "route 10.0.1.0 255.255.255.0"
keepalive 10 120
This is quite an abstract step. It boils down to this: on the server you will create a certificate authority (ca) key and certificate, also you will create a key and certificate for each client connecting and sign them using your newly create certificate authority. The certificate from the certificate authority (ca.crt) and client (client1.crt) and the key for the client (client1.key) will be distributed to all clients. That's a mouth full, but here is how to do it in steps:
soekris # cp -Rip /usr/local/share/example/openvpn/easy-rsa /etc/openvpn
soekris # cd /etc/openvpn/easy-rsa/2.0
soekris # cat vars
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export KEY_ORG="Me in It Consultancy"
export KEY_EMAIL="[email protected]"
Now execute these steps, as stolen from The OpenVPN homepage.
soekris # . vars
soekris # ./clean-all
soekris # ./build-ca
soekris # ./build-key-server server
soekris # ./build-key client1
soekris # ./build-key client2
soekris # ./build-key client3
soekris # ./build-dh
Once again; send the newly created file /etc/openvpn/keys/ca.crt, /etc/openvpn/keys/client1.crt and /etc/openvpn/keys/client1.key to the machine using the vpn connection.
This step enables client to reach your local network using network address translation. At the bare minimum, add this rule to your pf configuration in /etc/pf.conf
nat pass on sis0 from !(sis0) to any -> (sis0)
Also, make sure the packet filter is enabled and is using your pf.cofn
soekris # pfctl -e
soekris # pfclt -f /etc/pf.conf
And finally make sure it works after a reboot:
soekris # echo "ps=yes" >> /etc/rc.conf.local
Wow, almost there, let's start the software:
soekris # /usr/local/sbin/openvpn --config /etc/openvpn/server.conf --key /etc/openvpn/keys/server.key
Some debugging information will scroll down your screen.
Add these lines to your /etc/rc.local.
# Add your local startup actions here.
echo " openvpn"
/usr/local/sbin/openvpn --config /etc/openvpn/server.conf --key /etc/openvpn/keys/server.key >> /var/log/openvpn.output &
For now I am using the trail version of Viscosity because it looks great. Check out the screenshots below.