Tag Archives: OS X

DD-WRT + Tunnelblick = OpenVPN

Debating about VPNs on the Sauna Sprint, sprinters convinced me that we should use VPN for remote access to our internal services in our office. And for an extra layer of security when using public networks. So here it goes.

Certificates

I didn’t want to install openssl and openvpn on my Macbook just so I could generate access certificates. Luckily, Rackspace Cloud instance with Ubuntu was only 2 minutes away. From there on I just followed the tutorial on creating certificates.

OpenVPN server

Since we already have a Linksys WRT54G router running DD-WRT firmware it was an obvious decision to just use this piece of hardware to act as an OpenVPN server. Off to the DD-WRT download page and grab the package that also has OpenVPN support (dd-wrt.v24_vpn_generic.bin). Quick flash of the router’s firmware and we are set.

  1. Enable OpenVPN server in Services and set it’s Start type to WAN Up.
  2. Paste in certificates created in advance on a Ubuntu cloud instance.
  3. Paste in OpenVPN server config (find it below).
  4. Configure iptables by going to Administration -> Commands, pasting in iptables config (find it below) and clicking save firewall.
  5. Reboot router.

Tunnelblick OpenVPN client

For OS X users the recommended application for using OpenVPN is Tunnelblick.

1. Go to Tunnelblick’s website, download Tunnelblick 3.0 application and install it.

2. Run Tunnelblick. Click install and edit sample configuration file and paste into it client configuration (find it below).

3. In this configuration, find SSL/TLS parms. and replace text bob with a name you used in the first step when creating certificates (same as filename of certificates).

4. Use Terminal to add certificate keys to your Tunnelblick configuration (keys created on Ubuntu cloud instance), again replacing bob in filename.

  • nano ~/Library/Application\ Support/Tunnelblick/Configurations/ca.crt
  • nano ~/Library/Application\ Support/Tunnelblick/Configurations/bob.crt
  • nano ~/Library/Application\ Support/Tunnelblick/Configurations/bob.key

Now you are ready to use your VPN. Click on Tunnelblick icon next to current time in the top-right corner of your screen and select connect ‘openvpn’. All your traffic should now be routed through a secure tunnel to your office.

Confirm this by visiting http://whatismyip.com. The IP displayed should be your office’s IP, meaning you are accessing internet through a tunnel from your office. Hooray!

Config files

OpenVpn server config

push "route 192.168.1.0 255.255.255.0"
server 192.168.2.0 255.255.255.0

dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

# management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 5001

iptables config

# enable tunnel
iptables -I INPUT 1 -p udp –dport 1194 -j ACCEPT
iptables -I FORWARD 1 –source 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
# NAT the VPN client traffic to the internet
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE

Tunnelblick config

# Specify that we are a client and that we will be pulling certain config file directives from the server.
client

# Use the same setting as you are using on the server.
# On most systems, the VPN will not function unless you partially or fully disable the firewall for the TUN/TAP interface.
dev tun0

# Are we connecting to a TCP or # UDP server?  Use the same setting as on the server.
proto udp

# The hostname/IP and port of the server.
remote <your office IP> 1194

# Keep trying indefinitely to resolve the host name of the OpenVPN server.  
# Very useful on machines which are not permanently connected to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
# NOTE: this cause problems with reverting to default route once VPN is disconnected
# user nobody
# group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# Wireless networks often produce a lot of duplicate packets.  Set this flag to silence duplicate packet warnings.
mute-replay-warnings

# SSL/TLS parms.
ca ca.crt
cert bob.crt
key bob.key

# Enable compression on the VPN link. Don't enable this unless it is also enabled in the server config file.
;comp-lzo

# Set log file verbosity.
verb 3

# from wiki
remote-cert-tls server
float

# route all traffic through VPN
redirect-gateway def1
dhcp-option DNS <your ISP's primary DNS IP>
dhcp-option DNS <your ISP's secondary DNS IP>

OS X specific .cfg for collective.xdv

The collective.xdv manual on plone.org tells you how to customize your buildout.cfg in order to be able to run collective.xdv on OS X. However if you are working in a team of developers where not everyone is using OS X, it’s nice to have your specific buildout hacks in a separate osx.cfg file.

Below is an OS X specific osx.cfg file that extends the original buildout.cfg with OS X specific hacks for collective.xdv.

[buildout]
extends = buildout.cfg
parts +=
    lxml

versions = versions

[versions]
lxml = 2.2.2

[lxml]
recipe = z3c.recipe.staticlxml
egg = lxml
force = false

Now all you need to do is run buildout with config file set as osx.cfg.

$ bin/buildout -c osx.cfg