Posted by rbTech Staff on 05 January 2012 12:14 PM
(Originally published on 10/30/2008, updates 2/5/2009)
This page is a documentation of how I set up OpenVPN on Linux servers with Windows (non-admin) road warriors. I've documented both the Server and Client side of the installation here because it took me a helluva lot of digging around to get it working right.
Some background: First, I usually put the VPN server on the default gateway for the LAN. This can be a box inside the firewall or the firewall itself (for security reasons, the many boxes approach is better, but for systems management, power consumption and fiscal reasons, the firewall is more common). This is because trying to designate routes to the VPN systems separately from therest of the network is a huge PIA, and will likely have you tearing your hair out as you try to diagnose routing loops and other unexpected behaviours in your network.
First, the server:
port 1194 proto udp dev tun ca keys/ca.crt cert keys/company.crt key keys/company.key # This file should be kept secret dh dh1024.pem server 10.8.254.0 255.255.255.0 ifconfig-pool-persist ipp.txt keepalive 10 120 cipher BF-CBC # Blowfish (default) comp-lzo max-clients 10 user nobody group nogroup persist-key persist-tun status openvpn-status.log verb 3 plugin /usr/lib/openvpn/openvpn-auth-pam.so login push "route 192.168.x.0 255.255.255.0" # Insert your WINS server IP here push "dhcp-option WINS 126.96.36.199" # Insert your DNS server IP here push "dhcp-option DNS 188.8.131.52" # Insert your second (if you have one) DNS server IP here push "dhcp-option DNS 184.108.40.206" # Replace with your search domain push "dhcp-option DOMAIN domain.tld"
Note: If you use the openvpn-auth-pam.so plugin, you will need to have the pam-devel package installed on your system as well (or OpenVPN will bail on startup).
The Certificate and Keyfiles are generated on the server, and copied to the client via a secure channel (i.e.: Over the LAN, via USB Thumbdrive, etc.. NOT VIA EMAIL!!!!).
To generate a keypair for a client system:
Edit the vars file and populate it with your information. Read the README in this directory for how to set up your server and Certificate Authority!
. vars # MUY IMPORTANTE!!! ./build-ca ./build-dh ./build-key-server servername ./build-key clientname
Next, the client PC:
client dev tun proto udp remote your.host.name 1194 nobind persist-tun ns-cert-type server ca "c:/program files/openvpn/keys/ca.crt" cert "c:/program files/openvpn/keys/system.crt" key "c:/program files/openvpn/keys/system.key" comp-lzo verb 3 auth-user-pass pull
On the PC:
Copy 4 files to the client PC: ca.crt, client.crt, client.key and client.ovpn.
Then download the current stable version of the OpenVPN gui from http://openvpn.se and install it. You'll need to make a couple post install modifications: During the install, check "Hide the TAP-Win32 Virtual Ethernet Adapter" box. Leave the rest as their defaults. Make a new directory: C:\Program Files\OpenVPN\keys Copy your config to c:\program files\OpenVPN\config Copy your key and crt files to C:\Program Files\OpenVPN\keys\
2009-02-05 Edit: OpenVPN GUI is now part of OpenVPN and should not be downloaded separately:http://openvpn.net/index.php/downloads.html
Running OpenVPN GUI as a non-admin user on the Windows PC...
You'll have to give the selected user access to start/stop the OpenVPN service:
cd c:\program files\Windows Resource kits\Tools\
You'll need to change the following registry keys on the client PC: HKLM\Software\OpenVPN-GUI\allow_edit=0
And that's it... at this point, you should be able to log out and log back in (you'll need to do that *EVERY TIME* you make a change to the OpenVPN-GUI registry keys!), right click the OpenVPN icon in the systray, enter your username and password, and get a connection.
Run OpenVPN-GUI as a NON-Admin user via the Windows XP RUNAS command:You can save the credentials for a runas shortcut thusly (and thanks to the OpenVPN site administrator for clueing me in on this...):
This method is also ONLY AVAILABLE on Windows XP PRO... the /savecred option is silently ignored when using XP Home or any variant of it (i.e. Media Center etc.).
Notes... If your firewall has more than one IP address assigned to the interface you're connecting to OpenVPN on, you may need the float option in your Client config file.