Step 2: Configuring the DSL router

Now your home network can be found using the selected domain name (e.g. feilner.dyndns.org). The next step is to tell your router that it should forward any attempts to connect through to the Windows PC. This, too, is a standard function that is implemented in all currently available routers. Different router vendors call the function by different names, but typical names are "Port forwarding", "NAT" or "Masquerading". In the best case, it is simply a matter of specifying port 443 (TCP) and the Windows computer's IP address in the router's web-based management interface. All OpenVPN packets sent through the Internet will then be forwarded straight to the Windows PC, while undesired attempts to access other ports on the Microsoft system will remain blocked.

Your Windows PC should have a fixed address on your home LAN, rather than obtaining an address via DHCP; otherwise you may experience problems. This setting, too, is generally very easy to configure, either on the router or in the properties of the network device on the computer. Figure 1 shows how you do this for Windows XP.

Figure 1: You can specify a fixed IP address for the Windows XP machine at home on the Properties sheet of the network connection that connects to the router. The router address and DNS server address must also be entered here.

Step 3: Install OpenVPN on the Windows server and generate the certificates

Download the OpenVPN software from the project web site and install it on the Windows machine. Your firewall on Windows XP may display a dialog window asking permission for OpenVPN to access the Internet and allow connections from outside. In order for the encryption function to work correctly, you also need to run a couple of commands on the Windows command line. These commands are used to generate the certificates and keys that OpenVPN needs for its configuration. The developers of OpenVPN have simplified this quite complex step by including some practical scripts in their software package, which can be found in the "easy-rsa" sub-directory of the installation directory (Figure 2).

Figure 2: In Easy-rsa, OpenVPN provides a number of scripts that make complex topics such as encryption, keys, certificates and PKI accessible to everyday users. At the same time, administrators can use these scripts to manage complete encryption infrastructures.

You should make sure your current user has administrator rights, and create a new sub-directory called "keys". Copy the files index.txt.start and serial.start into this new sub-directory and rename them to index.txt and serial (without a file extension), respectively. Now you have to run the programs provided by OpenVPN. Open a Windows command prompt and switch to the easy-rsa directory. Then enter the following commands: "vars", "init-config", "build-dh", "build-ca", "build-key-server server", "build-key client". Once you have answered a few questions about your computer name, organization and e-mail address, you will find that the "keys" directory contains all the files you need for your OpenVPN tunnel.

You now need to copy the files "ca.crt", "server.crt", "server.key" and "dh1024.pem" to the OpenVPN "config" directory, and you should also copy "ca.crt", "client.crt" and "client.key" to a USB stick for use on your notebook.

If you want, before running the "vars" script you can open the "vars.bat" file in a text editor and set the desired key length in the "set KEY_SIZE" line. Anything over 1024 is secure, but the longer the key, the slower the connection. As an option, you can also enter your location, city and organizational unit here, instead of being prompted by the other scripts later.
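The copy step above decides which private keys end up on which machine, so it is worth checking afterwards. The following Python script is an added example, not part of the original article or of the OpenVPN package. It verifies that the "config" directory and the USB stick each hold exactly the files named above, that each file contains the PEM header its name implies, and that no other private key has reached the stick, such as the "ca.key" that build-ca creates next to "ca.crt". The function names and directory arguments are assumptions, and the sample files are constructed placeholders.

```python
import os
import tempfile

# File names are the ones the tutorial lists; the directory paths are assumptions.
SERVER_FILES = {"ca.crt", "server.crt", "server.key", "dh1024.pem"}
CLIENT_FILES = {"ca.crt", "client.crt", "client.key"}
# PEM header expected inside each kind of file, keyed by extension.
PEM_MARKERS = {
    ".crt": "-----BEGIN CERTIFICATE-----",
    ".key": "PRIVATE KEY-----",  # matches both RSA and PKCS#8 headers
    ".pem": "-----BEGIN DH PARAMETERS-----",
}

def audit_dir(path, expected, forbid_extra_keys=False):
    """Return a list of problems found in one directory."""
    problems = []
    present = set(os.listdir(path))
    for name in sorted(expected - present):
        problems.append("missing: " + name)
    for name in sorted(expected & present):
        marker = PEM_MARKERS[os.path.splitext(name)[1]]
        with open(os.path.join(path, name), errors="replace") as fh:
            if marker not in fh.read():
                problems.append("wrong content for its name: " + name)
    if forbid_extra_keys:
        # ca.key and server.key never belong on the notebook's USB stick.
        for name in sorted(present - expected):
            if name.lower().endswith(".key"):
                problems.append("private key must not be here: " + name)
    return problems

def audit_distribution(config_dir, usb_dir):
    """Check the server's config directory and the client's USB stick."""
    return {"server": audit_dir(config_dir, SERVER_FILES),
            "client": audit_dir(usb_dir, CLIENT_FILES, forbid_extra_keys=True)}

def demo():
    """Constructed sample: correct server files, but ca.key also landed on the stick."""
    def write(directory, name):
        marker = PEM_MARKERS[os.path.splitext(name)[1]]
        with open(os.path.join(directory, name), "w") as fh:
            fh.write(marker + "\n(constructed placeholder, no real key material)\n")
    with tempfile.TemporaryDirectory() as cfg, tempfile.TemporaryDirectory() as usb:
        for name in SERVER_FILES:
            write(cfg, name)
        for name in CLIENT_FILES | {"ca.key"}:
            write(usb, name)
        return audit_distribution(cfg, usb)

if __name__ == "__main__":
    print(demo())
```

To check a real installation, call audit_distribution() with the path of the OpenVPN "config" directory and the drive letter of the USB stick.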
Comments
Nice guide!
Marcus Feb 25, 2009 3:46pm GMT
Thanks for this wonderful guide! Works perfectly on Vista 64!
windows setup?
bartos Feb 20, 2009 11:03pm GMT
Pretty much boring article. To see all these corporate ugly windows windows. Unfortunately was looking for linux openvpn client config