OpenVPN Client and Mac OS X 10.3
I have an OpenVPN server running and I’ve been meaning to get my Powerbook (running OS X 10.3.7) to connect as a client. I haven’t been able to find anything comprehensive on getting OpenVPN running under Mac OS X…. so, I decided to pool my notes together and write something. These instructions are my rough notes for getting OpenVPN running as a TAP client on Mac OS X 10.3. I’m only concerned with TAP devices, as my OpenVPN server functions as a way to place all remote clients on the same virtual segment. This document also assumes you already have an OpenVPN server running and configured for your client, with a shared SSL key.
Install the TUN/TAP Driver for Mac OS X
Mattias Nissler has created an excellent TUN/TAP driver that works under Mac OS X 10.3. Go to his web site for the driver, and download the precompiled driver: tuntap.tar.gz. After downloading, save the .tar.gz file to a temporary place and unstuff it. In the expanded folder, double-click on the tuntap_installer.mpkg file. This will install the TUN and TAP devices, as well as the start up script so one TUN and one TAP device will come up at boot. After installing, reboot your computer.
Install GCC Compiler
First, you’ll have to install the XCode Tools from Apple. This contains the GCC compiler, which is needed to compile OpenVPN on Mac OS X. At the time of this writing, XCode Tools 1.5 is currently available for OS X 10.3. To get XCode Tools, you will have to go to the Apple Developer Connection and register (free). Then, go to the downloads section, and download the XCode Tools 1.5 CD. After double clicking on the file you’ve downloaded, and mounting the XCode Tools disk image, double click on the XcodeTools.mpkg file. When you get to the Installation Type part of the install, click the Customize button. Then, select only gcc 3.3 and Developers Tools Software, Mac OS X SDK, and April 2004 Xcode Tools Extras (or whichever date that refers to your version of XCode Tools.) Installing these other options (besides GCC) will create the proper links for GCC, so that GCC can be found when compiling a program.
After installing XCode Tools 1.5, you will then have to download and install the November 2004 gcc 3.3 Updater from the Apple Developer Connection. This will fix some bugs in the GCC that is in XCode Tools 1.5.
Install OpenSSL Libraries
In order to use encryption with OpenVPN, OpenSSL needs to be installed. The easiest way to do this is to install Fink. After downloading and installing Fink, open a new Terminal window. Then, enter the command:
fink install openssl097 openssl097-dev openssl097-shlibs
This command will instruct Fink to download and install the OpenSSL libraries onto your Mac.
Install LZO Compression Libraries (Optional but Recommended)
In order to use compression with OpenVPN, the LZO libraries need to be installed. Download lzo-1.08.tar.gz from oberhumer.com. (Note: OpenVPN 2.0 only works with LZO version 1.08, and not LZO 2.x at the time of this writing.) Uncompress this file to a temporary location, then open a Terminal window and change to the directory of the uncompressed lzo files. Then, type the following commands:
./configure --enable-shared
make
make test
sudo make install
The headers will be installed in /usr/local/include/lzo/ and the libraries will be installed in /usr/local/lib/
Installing OpenVPN 2.0
Download the OpenVPN 2.0 source tarball, openvpn-2.0.tar.gz, from the OpenVPN web site to a temporary location on your hard drive. Then, unstuff the compressed file. Open a Terminal window and change to the directory of the uncompressed OpenVPN folder. Then, type the following command (we have to specify the location of the SSL and LZO headers and libraries):
./configure --with-ssl-lib=/sw/include/ --with-ssl-headers=/sw/include/ --with-lzo-lib=/usr/local/lib/ --with-lzo-headers=/usr/local/include/lzo/
Note: If you did not compile the LZO libraries, omit
--with-lzo-lib=/usr/local/lib/ --with-lzo-headers=/usr/local/include/lzo/
and replace with
--disable-lzo
Then, make and install OpenVPN:
make
sudo make install
Configuring OpenVPN
The OpenVPN binary, openvpn, will be installed in /usr/local/sbin, which is not in the path. You will have to specify the location of the binary when executing it (/usr/local/sbin/openvpn).
Create an /etc directory for OpenVPN:
sudo mkdir /etc/openvpn
Copy your OpenVPN certs or static key into this directory using sudo, as this directory will only be readable by everyone, but writable only by root. (In my case, the name of the SSL key file is vpn.key.) Then, create your OpenVPN config file. Below are examples of my /etc/openvpn/vpn.conf :
For an OpenVPN 2.0 server:
client
dev tap0
# In the next line, specify the IP address and subnet mask of the tap0 device
ifconfig [IP Address] [Subnet Mask]
proto udp
remote [OpenVPN Server DNS Address] [port]
resolv-retry infinite
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
mute-replay-warnings
# If using SSL Certificates, use the following 3 lines:
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
# If using a SSL static key, use the following line:
secret "/etc/openvpn/vpn.key"
# Use the next line if utilizing LZO compression:
comp-lzo
verb 3
mute 20
If connecting to an OpenVPN 1.x server:
verb 5
dev tap0
# Specify the OpenVPN server's port number below
port port_number
tun-mtu 500 # use a MTU of 576 for dial-up clients
tun-mtu-extra 64
# I had to add the following line because I was having problems with opening ssh and H.323 sessions, even though I could ping the remote side ok.
mssfix 1450
# In the next line, specify the IP address and subnet mask of the tap0 device
ifconfig ip_address subnet_mask
# Uncomment the following if the client will be using a DHCP address. The following commands tell the client to ping the server every 10 seconds, and if there's no response for 300 seconds, restart OpenVPN.
# ping 10
# ping-restart 300
# ping-timer-rem
# The two lines below are needed for backwards compatibility to a 1.x server if using the 2.x client
key-method 2
disable-occ
# Insert the OpenVPN server's DNS adddress below
remote openvpn_dns_address
# Specify the shared SSL secret key below
secret "/etc/openvpn/vpn.key"
Starting the OpenVPN Client
After your vpn.conf and vpn.key files are in place, open a Terminal window. Then, start the OpenVPN client:
sudo /usr/local/sbin/openvpn --config /etc/openvpn/vpn.conf
To start the client a bit more easily, I placed the above command into a script residing in /usr/local/bin named start-vpn:
#!/bin/sh
/usr/local/sbin/openvpn --config /etc/openvpn/vpn.conf
Then, make it executable:
sudo chmod 755 /usr/local/bin/start-vpn
Now, I just invoke the script from a Terminal window with sudo start-vpn and OpenVPN sets up the link between my Powerbook and the OpenVPN server.