Guide to Setting up OpenVPN and Tunnelblick

Note by Brendan: The below post was written by my friend Rob McGuire. He put in much blood and tears to get his home VPN connection up and running, and decided to document the process to help out anyone else looking for guidance.

This guide documents the process of setting up an OpenVPN server on a Windows machine and having Mac OS X clients connect to it. It walks through setting up the server in bridged mode. Bridged mode is the right choice over routed mode when:

  • you are running applications over the VPN which rely on network broadcasts (such as LAN games), or
  • you would like to allow browsing of Windows file shares across the VPN without setting up a Samba or WINS server.

Section 1: Setting up the Windows Server

Note: More detailed information can be found here.

  1. Head over to OpenVPN’s Source Download Here
  2. Download the Windows Installer (Current Version 2.1.1 as of 05/22/10)
  3. Generate the Master Certificate Authority (CA) certificate & key using the steps below:
    • Open a Command Prompt and Change Directory (cd) to \Program Files\OpenVPN\easy-rsa
    • Run the command “init-config”
    • In the easy-rsa folder, there is a file vars.bat. Open this file in your favorite text editor and fill out the following parameters:
      • KEY_COUNTRY (e.g. US)
      • KEY_PROVINCE (e.g. VA)
      • KEY_CITY (e.g. Richmond)
      • KEY_ORG (e.g. Home)
      • KEY_EMAIL (e.g. VPNAdmin@gmail.com)
    • Once the given parameters are filled out, save the file.
    • Execute these next commands:
      • “vars”
      • “clean-all”
      • “build-ca”
    • The “build-ca” command will issue a series of on-screen prompts which should pull values from the vars.bat file that was edited earlier. You will just have to confirm these defaults. The only parameter that must be entered this time is the Common Name (e.g. OpenVPN-CA).
  4. Generate Certificate and Key for the server:
    • “build-key-server server”
      • As before, most settings can be defaulted in this setup.
      • When the Common Name field is presented, enter “server”.
      • When asked to sign and commit the certificates, press “y”
  5. Generate Certificate and Key for Client(s):
    • “build-key client1”
      • Be sure to use the appropriate (and unique) Common Name for each of the clients. In this command, client1 would be the Common Name.
  6. Generate Diffie Hellman Parameters
    • “build-dh”

Here is a chart for what was just created and the machines that need that file:

  Filename      Needed By                  Purpose                     Secret
  ca.crt        server + all clients       Root CA certificate         NO
  ca.key        key signing machine only   Root CA key                 YES
  dh{n}.pem     server only                Diffie Hellman parameters   NO
  server.crt    server only                Server certificate          NO
  server.key    server only                Server key                  YES
  client1.crt   client1 only               Client1 certificate         NO
  client1.key   client1 only               Client1 key                 YES
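The table above is the part of this setup that matters most for security: the two files marked YES must never be copied to a machine that does not need them, and ca.key in particular belongs only on the box that signs keys. The following script is an added example (not part of the original guide) that checks a machine's key directory against that table. It takes the machine's roles as a set ('ca' for the signing machine, 'server', and 'client:<cn>'; a box that both signs and serves, as in this guide, gets both 'ca' and 'server'), reports required files that are missing and secret *.key files that have no business being there, and, when run over a real directory, also flags files whose PEM header contradicts their extension (a private key accidentally saved as a .crt, for example). The role names and the helper names are assumptions of this example, not OpenVPN or easy-rsa conventions.

```python
import re
from pathlib import Path

SECRET_SUFFIX = ".key"                 # every *.key file in the table is marked Secret = YES
DH_PATTERN = re.compile(r"dh\d*\.pem")  # easy-rsa names the DH file dh1024.pem, dh2048.pem, ...


def normalise(filename):
    """Collapse dh{n}.pem to the generic name 'dh.pem'; leave everything else alone."""
    return "dh.pem" if DH_PATTERN.fullmatch(filename) else filename


def required_files(roles):
    """Files the table says a machine needs, given the roles it plays.

    roles is a set of 'ca' (key signing machine), 'server', and 'client:<cn>'
    (role names are this example's own convention).
    """
    needed = set()
    for role in roles:
        if role == "ca":
            needed |= {"ca.crt", "ca.key"}
        elif role == "server":
            needed |= {"ca.crt", "server.crt", "server.key", "dh.pem"}
        elif role.startswith("client:"):
            cn = role.split(":", 1)[1]
            needed |= {"ca.crt", f"{cn}.crt", f"{cn}.key"}
        else:
            raise ValueError(f"unknown role {role!r}")
    return needed


def audit(roles, filenames):
    """Return (missing, misplaced_secrets) for a machine with the given roles.

    missing: required files that are absent.
    misplaced_secrets: *.key files present that this machine should not hold.
    """
    present = {normalise(f) for f in filenames}
    needed = required_files(roles)
    missing = sorted(needed - present)
    misplaced = sorted(f for f in present if f.endswith(SECRET_SUFFIX) and f not in needed)
    return missing, misplaced


def pem_label(text):
    """Return the label of the first PEM block in text ('CERTIFICATE', 'RSA PRIVATE KEY', ...)."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----", text)
    return m.group(1) if m else None


def extension_matches_content(filename, text):
    """True if a .crt holds a certificate, a .key a private key, and dh*.pem DH parameters."""
    label = pem_label(text) or ""
    ext = filename.rpartition(".")[2]
    if ext == "crt":
        return label == "CERTIFICATE"
    if ext == "key":
        return label.endswith("PRIVATE KEY")
    if ext == "pem":
        return label == "DH PARAMETERS"
    return False


def audit_directory(roles, directory):
    """Run audit() over real files and also flag files whose PEM label contradicts their name."""
    paths = [p for p in Path(directory).iterdir() if p.is_file()]
    missing, misplaced = audit(roles, [p.name for p in paths])
    mislabelled = [p.name for p in paths
                   if p.suffix in (".crt", ".key", ".pem")
                   and not extension_matches_content(p.name, p.read_text(errors="replace"))]
    return missing, misplaced, mislabelled


if __name__ == "__main__":
    # Constructed listing: a server-only box that still has the CA key next to its own key.
    print(audit({"server"}, ["ca.crt", "dh1024.pem", "server.crt", "server.key", "ca.key"]))
```

On the Windows server from this guide you would call audit_directory({"ca", "server"}, r"C:\keys") and expect three empty lists; on a Mac client, audit_directory({"client:client1"}, "/Library/Application Support/Tunnelblick/Configurations") should report ca.key and server.key as misplaced if they were ever copied over by mistake.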

Section 2: Setting up the Server Configuration File

More detailed information can be found here.

  1. If your goal is Ethernet bridging, I recommend using my server configuration file as a starting point:
  • The key things to keep in mind when looking at this configuration file:
    • I use a DynDNS address to make the server name easier to remember.
    • My key files are stored in C:\keys\
    • I’ve changed the port to 1195 (instead of the 1194 default)
    • I’ve also used the duplicate-cn configuration (This allows for multiple clients per certificate key)

Section 3: Setting up the Client Configuration File

More detailed information can be found here.

  1. I also recommend using my client side configuration file, as it mirrors the configuration used in the server file.

Section 4: Server System Setup

  1. You will need to open up the TCP/UDP port you used in the configuration file (1195 for me) on your firewall (make sure to check the windows firewall settings)
  2. You will need to set up port forwarding from your router on port 1195 (or other configured port) to the machine running the server.
  3. In order to use Ethernet bridging, you will need to bridge the newly created TAP adapter and your physical NIC adapter. Select both adapters in the Network Connections control panel, right-click, and select Bridge Connections.
  4. IP Address conflicts:
    • If you use a common IP address range on your network (e.g., 192.168.x.x), you will most likely have issues connecting to your VPN from external locations. The issue arises because those external networks often use the same IP scheme. Having two IP addresses assigned to the client (one from your internet provider, and one through the VPN connection) that are in the same scheme significantly increases the chance of obtaining the same IP address, which causes major routing issues. The best way to avoid this is to implement an uncommon IP distribution scheme (10.2.x.x – 10.254.x.x are usually good/uncommon choices).
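The conflict described above is a plain subnet-overlap question and can be checked before you pick an address range. The script below is an added example, not part of Rob's guide, using only Python's standard ipaddress module. It tests whether a client's local subnet overlaps the subnet it will reach through the bridged VPN, lists which of a set of typical remote subnets would collide with a given VPN-side range, and goes one step beyond the text by choosing the first candidate range that collides with none of them. The sample subnets (HOME_LAN, COMMON_REMOTE_LANS, UNCOMMON_CANDIDATES) are constructed for the example.

```python
import ipaddress

# Constructed values: the subnet the bridged server hands out (the same as the home LAN,
# because bridging puts clients directly on it) and subnets a roaming client commonly
# receives from hotel, office or neighbouring home routers.
HOME_LAN = "192.168.1.0/24"
COMMON_REMOTE_LANS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24", "172.16.0.0/24"]
UNCOMMON_CANDIDATES = ["10.47.12.0/24", "10.131.7.0/24", "10.200.3.0/24"]


def conflicts(client_lan, vpn_lan):
    """True if the client's local subnet overlaps the subnet reachable through the VPN.

    Either argument may be a host address with prefix ("192.168.1.20/24");
    strict=False lets ipaddress derive the network from it.
    """
    a = ipaddress.ip_network(client_lan, strict=False)
    b = ipaddress.ip_network(vpn_lan, strict=False)
    return a.overlaps(b)


def conflicting_remotes(vpn_lan, remote_lans):
    """List the remote subnets from which a client could not reach vpn_lan unambiguously."""
    return [lan for lan in remote_lans if conflicts(lan, vpn_lan)]


def ambiguous_hosts(client_lan, vpn_lan):
    """Return the range of addresses that exist on both sides, or None if there is none.

    Traffic to these addresses goes out whichever interface wins the routing decision,
    which is the 'major routing issues' the guide describes. Two overlapping IP networks
    are always nested, so the overlap is simply the one with the longer prefix.
    """
    a = ipaddress.ip_network(client_lan, strict=False)
    b = ipaddress.ip_network(vpn_lan, strict=False)
    if not a.overlaps(b):
        return None
    return a if a.prefixlen >= b.prefixlen else b


def choose_vpn_subnet(candidates, remote_lans):
    """Return the first candidate that overlaps none of the remote subnets, or None."""
    for c in candidates:
        if not conflicting_remotes(c, remote_lans):
            return c
    return None


if __name__ == "__main__":
    print("home LAN collides with:", conflicting_remotes(HOME_LAN, COMMON_REMOTE_LANS))
    print("safer choice:", choose_vpn_subnet([HOME_LAN] + UNCOMMON_CANDIDATES, COMMON_REMOTE_LANS))
```

Run it with the subnet your own router hands out in place of HOME_LAN; if conflicting_remotes returns anything, that is the situation in which a client on such a network will get an address in the same range from both sides and the VPN will appear to connect but not pass traffic.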

Section 5: Starting the Server

  1. You can run OpenVPN as a service by putting one or more .ovpn configuration files in \Program Files\OpenVPN\config and starting the OpenVPN service. The service can be accessed by opening the Run dialog and entering “services.msc”. Find the OpenVPN service and set its startup type to Automatic.

Section 6: Starting the Client

  1. I used Tunnelblick, which can be found here, for the client side on my MacBook. Install this client and follow the given directions. The configuration files for this client need to go in /Library/Application Support/Tunnelblick/Configurations/.
  2. The second part of making the client work correctly is adding a script call to the client configuration .ovpn file.
    • Download this script: tap-up-down.sh (Original Location)
    • Move the Script to the Configurations folder above.
    • Make the script executable by doing: chmod +x tap-up-down.sh
    • Add these two lines to the end of the client.ovpn file (include the quotation marks surrounding ./tap-up-down.sh):
      • up "./tap-up-down.sh"
      • down "./tap-up-down.sh"
    • Open the Tunnelblick menu (click on the tunnel icon) and select Details. Make sure to unselect “Set Nameserver”.

Section 7: Finishing Touches

  1. You should be able to connect to your server while on the network, but the real test will be to connect from an outside network (“borrow” a neighbor’s wifi for a test).

Website Updated!

After months of neglect and failed attempts at updates, I have finally revamped my site. Instead of having static HTML pages alongside a WordPress-powered blog section, I decided to just move the entire site to the WordPress platform. I also updated the theme from the atrocious one I was using before. I will be adding content over the Thanksgiving break in an attempt to save the site from the depths of irrelevancy.

At the end of the day, the point of this site is to provide content that is relevant to what I am working on and learning at the time. By making this process more complicated than it needed to be, I just enabled my own procrastination.

WordPress has long been the go-to solution for blogging; even still, it has come leaps and bounds since I first tried my hand at it. The admin is powerful and easy to use. The themes and plugins take seconds to configure and start using. I no longer need to worry about editing HTML files or building some semblance of a Content Management System. I can spend that time working on a project that actually interests me (or, as I’m hoping, talking about those projects here).

So there you go – look forward to more posts and content shortly. I have at least 2 that are almost ready to go.

The UpTo method – Using C# Extension Methods to Create A Smarter Substring

A couple times in the past few months I have come across the need for a variant on the Substring method that most modern languages have in their String class.  Typically when you call the Substring method, you provide a starting index and the length of the substring you wish to return.  I needed to be able to take the first N characters from the string.

Unfortunately, the Substring method will throw an exception if the substring you try to create exceeds the bounds of the original string.  This is easy enough to fix by checking string lengths before the method is called.  It is very inconvenient, though, and can make code quite ugly and long when dealing with many fields.

This is when I learned about extension methods in C#.  These allow you to easily add methods to an existing class without having to deal with inheritance.  Below is the method that I created to achieve my desired functionality:

// Extension methods must be declared in a static, non-nested class.
public static class StringExtensions
{
  // Returns at most the first `length` characters of `text`, avoiding the
  // ArgumentOutOfRangeException that Substring throws when the string is shorter.
  public static string UpTo(this string text, int length)
  {
    if (text.Length <= length)
    {
      return text;
    }
    else
    {
      return text.Substring(0, length);
    }
  }
}

The extension method is declared with the ‘this’ keyword on the first parameter.  I can now call the method using a method call like str.UpTo(45).

While this is a mind-numbingly simple example, it demonstrates how versatile extension methods can be.  This allowed me to clean up a significant portion of code where I was sending dozens of fields whose length could not exceed a given value.

For more on extension methods, check out the MSDN page.

ATI Driver Support In Ubuntu: The Most Annoying Thing Since Broadcom Wireless

With the recent release of Ubuntu 9.04 (Jaunty Jackalope), I decided to give another shot at making it my primary operating system.  I’ve always been a fan of open source for the principle of it, and it seems almost all the software I run is open source.  At the end of the day, though, I have never been able to break the chains of Windows for one reason or another.  Sometimes it has been a need for Visual Studio, others a desire to have a functioning TV tuner (my ATI TV Wonder Elite does not have any available Linux drivers).

With time, though, more and more of my computing needs moved online and away from other Windows-centric applications.  I decided to make the full move, and over the past few days have been tweaking everything to my heart’s desire.  The biggest surprise was out-of-the-box support for Broadcom wireless devices, something previous iterations have not included.  Everything was working perfectly – except for my graphics card.  My newest computer has a Radeon HD 4850, a relatively new model but definitely not cutting edge.  The open source drivers that were running by default seemed to work fine, but left a lot to be desired.  They didn’t support any 3D acceleration and overall ran slowly.

The first attempt to remedy this involved activating the Ubuntu restricted ATI drivers.  With a quick reboot (trust me, Jaunty is fast!), the drivers were active.  As soon as I tried to change the resolution to something reasonable (1024×768), though, everything went haywire.  So onto the next alternative.

Next, I downloaded the ATI proprietary drivers from their website.  A first run through their automated installation, and I was already confused as to what had happened.  The reboot left my system completely dead.  A reset of xorg.conf did no good.  Eventually I found out about an uninstall script, which I mention below, that was able to restore my system.

Third option – using the EnvyNG app to automatically install the correct drivers.  This once again left me with a broken system.  Uninstallation was easy enough from directions on the website.

For those who are wondering how to fix some of your graphical woes:

1)  Resetting xorg.conf in Ubuntu 9.04 is extremely easy – simply delete the file.  X.org will automatically create a new version using default settings, which you can reconfigure once back into the operating system.  Granted, I have only tested this under limited circumstances – do this at your own risk.

2)  Can’t figure out how to remove the ATI proprietary drivers which won’t allow you to boot into the OS?  There is an included uninstall shell script which took me a while to figure out about.  To use it, boot into recovery mode and use the following commands:

cd /usr/share/ati
sh ./fglrx-uninstall.sh

3)  If EnvyNG ends up breaking your system, just use the command ‘envyng --uninstall-all’ in the recovery mode shell.

So currently I am still left with the open source drivers.  I still have one last hope on installing the proprietary drivers in the form of a Ubuntu Forums post.  The headache this has caused me is comparable to the one I had when first setting up Broadcom wireless drivers for Breezy Badger.  Despite this, I am still dedicated to giving Linux a chance as my primary operating system.  Everything else has evolved in Ubuntu, why can’t the graphics drivers?