Set up OpenVPN in four steps


Step 4: Configuration

The fourth and final step is to configure the OpenVPN server and client software. You must modify the standard OpenVPN server configuration files and connect the tunnel to your local Ethernet adapter. Since standard installations of Windows XP require a bit more work to set up simple masquerading functions, this step is a little more complex than on Linux, for example. A solution is available in the OpenVPN "bridging mode", however. This makes your notebook appear on your home network as though it were connected by a long, invisible cable, with automatic access to the Internet. For this to work, you must bridge the two network devices (local Ethernet and the tunnel device) using the context menu in Windows Control Panel. Figure 3 shows how you do this for Windows XP. It is also worth verifying that the OpenVPN service is set to "Automatic", since this is not always done by the installation process.


In Windows, you can bridge two network devices using the context menu in Control Panel. This bridge function ensures that a Wireless LAN, for example, and the OpenVPN tunnel on the notebook are connected, so that the notebook can obtain access to your home network and DSL connection.

On the server, the minimum configuration is all you need, saved in a file called "server.ovpn" for example. The "port" setting is already defined as using the HTTPS port, 443, which many other security-sensitive online services also use.

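# Listen on TCP port 443 (the HTTPS port)
port 443
proto tcp-server
# Ethernet-level tunnel device, needed for bridging
dev tap
# CA certificate, server certificate and key, Diffie-Hellman parameters
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# Bridge address, netmask, and the address range handed out to VPN clients
server-bridge local_address_of_the_Windows_PC 255.255.255.0 192.168.0.240 192.168.0.250
# Route all client traffic through the tunnel; DSL router is gateway and DNS server
push "redirect-gateway"
push "route 0.0.0.0 0.0.0.0 IP_of_the_DSL_router"
push "dhcp-option DNS IP_of_the_DSL_router"
# Keepalive pings every 10 seconds with a 120-second timeout
keepalive 10 120
comp-lzo
# Do not re-read the key or reopen the tunnel device on restart
persist-key
persist-tun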

All you have to do is enter the local IP address of your Windows computer at home in the "server-bridge..." line, and enter the local IP address of your DSL router in the two lines that start with "push route..." and "dhcp-option..." - normally this address is 192.168.0.1. On the server, you should save the configuration to the "config" directory, in a file called "server.ovpn" for example. All tunnels that are described in files ending in ".ovpn" are started automatically by OpenVPN when the computer next reboots. Now you just have to install OpenVPN on the notebook and install the client key from your USB drive into the configuration directory. The configuration on the client can be saved to a file, such as "client.ovpn":

# Client mode on an Ethernet-level tunnel device, over TCP
client
dev tap
proto tcp-client
# dyndns name of the home connection and the server port
remote feilner.dyndns.org 443
# Keep retrying name resolution; do not bind to a fixed local port
resolv-retry infinite
nobind
persist-key
persist-tun
# CA certificate, client certificate and key
ca ca.crt
cert client.crt
key client.key
comp-lzo
# Script that OpenVPN runs once the routes have been set up
route-up myroute.cmd

Only two modifications are required here. In the line starting "remote..." you need to enter the dyndns name that you selected earlier. In addition, you need to know and enter the IP address of the DSL router in your home network. OpenVPN uses the "myroute.cmd" script for this purpose, which you should also save to the configuration directory. In this file you must enter a Windows route command, with the IP address of your Windows computer (e.g. 192.168.0.71):

route delete 0.0.0.0 MASK 0.0.0.0 Local_IP_address_of_the_Windows_computer

Restart the machine and the tunnel should work without problems, with the notebook accessing the Internet solely via the VPN tunnel. There is an OpenVPN GUI available for Windows to make it easier for you to switch the VPN connection on and off. You can find it here.
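
An added example, not code from the article or the OpenVPN project: a small Python check that reads the two configuration files above and reports address placeholders that were never replaced, plus settings that are weak by current standards (1024-bit DH parameters, compression, no server-certificate check on the client, no tls-auth). The finding names, the abridged sample configs and reading the DH size from the file name are assumptions of this example; it expects literal IP addresses in route and server-bridge lines, as in the article.

```python
import ipaddress
import re

# Constructed inputs: the article's server.ovpn and client.ovpn, abridged, with
# example addresses filled in and one placeholder deliberately left unreplaced.
SERVER = '''proto tcp-server
dh dh1024.pem
server-bridge 192.168.0.71 255.255.255.0 192.168.0.240 192.168.0.250
push "route 0.0.0.0 0.0.0.0 IP_of_the_DSL_router"
push "dhcp-option DNS 192.168.0.1"
comp-lzo
'''
CLIENT = "client\ndev tap\nproto tcp-client\nremote feilner.dyndns.org 443\ncomp-lzo\n"

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse(config):
    """Split a config into word lists; push "..." yields the pushed directive."""
    rows = []
    for line in config.splitlines():
        words = line.replace('"', " ").split()
        if words[:1] == ["push"]:
            words = words[1:]                        # lint the pushed directive
        if words and words[0][0] not in "#;":        # skip blanks and comments
            rows.append(words)
    return rows

def lint(config):
    """Return finding codes (names invented for this example) for one config."""
    rows, found = parse(config), []
    names = {row[0] for row in rows}
    for name, *args in rows:
        size = re.search(r"dh(\d+)", " ".join(args)) if name == "dh" else None
        if size and int(size.group(1)) < 2048:       # size read from file name
            found.append("weak-dh")
        if name in ("route", "server-bridge") and not all(map(is_ip, args)):
            found.append("placeholder:" + name)      # address never filled in
        if name == "comp-lzo":
            found.append("compression")              # VORACLE-style leak risk
    if "client" in names and not names & {"remote-cert-tls", "ns-cert-type"}:
        found.append("no-server-cert-check")         # any CA-signed cert passes
    if not names & {"tls-auth", "tls-crypt"}:
        found.append("no-tls-auth")                  # handshake lacks HMAC guard
    return found
```

For the constructed inputs, lint(SERVER) returns ['weak-dh', 'placeholder:route', 'compression', 'no-tls-auth'] and lint(CLIENT) returns ['compression', 'no-server-cert-check', 'no-tls-auth'].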

Limited bandwidth

The obvious disadvantage of this solution is the bandwidth. Most domestic DSL connections have a limited upload, normally no more than 1 Mbit, which equates to just a little more than 128 Kilobytes per second (figure 4). If that is not sufficient, you need a faster connection to the Internet or a root server located at one of the large hosting companies. Either way, both your DSL connection and the root server represent a new point of attack for complete, undesired surveillance by eavesdroppers. If you want to avoid that, you should either install anonymizing services such as Tor, or rent a root server in a country that does not permit customer IP data to be monitored, as will be mandatory in Germany from next year.


A (virtual) Windows system can run as a VPN client, using an encrypted connection to a Windows VPN server behind a DSL connection. Downloading the latest Ubuntu CD image over this tunnel ran at a steady speed of between 100 and 120 Kilobytes per second - in other words, it used the full upload bandwidth of the test 16 Mbit connection. The overhead created by encryption is minimal for OpenVPN.

Users of Windows Vista will probably have a number of other hoops to jump through to get this to work. In our tests with Vista, the bridging setup described above was unsatisfactory and unstable. Only the latest version of OpenVPN (2.1. RC8) is updated to deal with the new mechanisms in Microsoft's latest product. Linux systems and Linux-based embedded systems such as OpenWRT or FreeWRT can be used for secure tunnels even without needing to configure a bridge. Users of Linux servers face even less work, since they need neither to create certificates nor configure the bridge with their own custom routes. All you need then is a simple key and password, and a command that activates the forwarding on the VPN server. And with a rented root server, your encrypted communications will find their destinations securely and quickly.


Comments

Nice guide!

Marcus Feb 25, 2009 3:46pm GMT

Thanks for this wonderful guide! Works perfectly on Vista 64!

Windows setup?

bartos Feb 20, 2009 11:03pm GMT

Pretty much boring article. To see all these corporate ugly windows windows. Unfortunately was looking for linux openvpn client config blunk