SackVPN2

I have set up openvpn on baconhouse which uses tun/tap to tunnel traffic over a single ssl connection. This lets you, for instance, do whatever you like on the internets while at work without having anything but a single ssl connection pop up on big brother's flashing alarm panel. Or, it would permit you to access the wide range of internets "securely" while trapped inside of a restrictive internet at a conference or a hotel. It does not preclude local network access.

To get started, go to openvpn and download the appropriate 2.x client for your OS. It is very easy to compile on unix-based hosts. You can simply untar it and go:

./configure --disable-lzo && make && make install

Then, if you are using Mac OS X, download and install the tun/tap driver and reboot. FreeBSD and Linux support this out of the box. For Windows, please consult the OpenVPN HOWTO's Quickstart section.

You will then need an ssl certificate. You can go whole hog and mail me a cert request, or if you don't actually care so much about the integrity of the PKI chain, you can just ask me to send you a key. That's rather easier, but whatever's fine with me.

Then, download this config file. If you're a Mac OS X user, you should just be able to plop that in /etc/openvpn along with the key files I send you. Edit it to make the name of the certificate file match the one I send you (change 'client1' to 'clientX'), then you can just run:

/usr/local/sbin/openvpn --config /etc/openvpn/sackvpn.conf

..and you should be good to go. I like to slap that into a shell script called ~/bin/vpn along with a few other commands, which we will get to shortly, since: There are some current caveats:

• If you want complete local network access, you'll need to add a more specific route after you bring up the vpn. If your internal network is on, say, 9.0.0.0/8, then you can do: route add 9.0.0.0/8 <your_router's_ip> It depends on your network. SackVPN2 is currently using 172.31.254.0/24 which should not cause conflicts with anyone sane. I like to add this command to my vpn shell script.


• You have to have a default route for openvpn to be happy on startup. This is not something that is usually a problem, but if you are using the nobody/nobody privilege deescalation options, openvpn cannot reset the default route when it exits. Not only will this break your non-vpn'd networking, but it will break openvpn on restart, too. You have two options: don't deescalate, or manually put that route back in after you quit openvpn (possibly in a script.) I have chosen the former, and defaulted the config file to it. If you don't change anything, this is not a problem.


• If you want your DNS to go through the tunnel as well, you probably need to add 172.31.254.1 to your DNS server list. I have the server pushing it as a DHCP option, but for some reason my mac doesn't pick that up. It would be nice to be able to automate the addition/removal of this option with applescript or Automator or something. I have not yet done this, if someone else does that would rule pretty hard.

That's about it, I guess.