first download openvpn (you don't need the windows gui installer but it's faster)
http://openvpn.net/index.php/downloads.html

---------------------------------- PART 1 ----------------------------------

after installation (including installing the win32 TAP adapter) create the static key:

openvpn --genkey --secret static.key

copy static.key to the client over a secure channel: anyone holding this file can decrypt the tunnel and connect as the peer, so treat it like a password.
------------------------ client.ovpn ------------------------
remote vpnserverDomainname.com 1194
resolv-retry infinite
proto udp
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
route 192.168.1.0 255.255.255.0
verb 3
------------------------ server.ovpn ------------------------
proto udp
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
NOTE: having a firewall enabled on a router (e.g. speedtouch 780) can increase ping times from 24 ms to 400 ms!
Enable port forwarding of UDP port 1194 on the router/firewall in front of the server (the side without a "remote" line) to the machine running server.ovpn.

To run it, first open a command prompt on the server in c:\program files\openvpn\bin and start
openvpn server.ovpn
then at the client computer (same location) start
openvpn client.ovpn

THE ABSOLUTE KEY TO MAKING IT WORK (PING) IS THE ROUTER CONFIG: on the Draytek router -> LAN -> Static Route I set up a rule:
10.8.0.2 / 255.255.255.255   gateway: 192.168.1.33   network: LAN

At a later date (see part 2) I successfully used a more generic rule =p
10.8.0.0 / 255.255.255.0   gateway: 192.168.1.33   network: LAN
http://www.draytek.co.uk/support/kb_vigor_staticroute.html
the router will reroute any traffic intended for 10.8.0.2 to 192.168.1.33, which is anders-ts, the machine running openvpn with tunnel address 10.8.0.1; it returns the ping through the tunnel (ping times of around 35+ ms). Without that route a LAN host answering 10.8.0.2 sends its reply to the router's default gateway, i.e. out to the internet, and the ping never comes back.

TEST by pinging 192.168.1.3

---------------------------------- PART 2 ----------------------------------
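As an added example (not part of the original notes), the following Python models the router's decision as a longest-prefix match so the static-route requirement can be seen rather than taken on faith. It uses the notes' addresses (tunnel 10.8.0.0/24, OpenVPN host 192.168.1.33); the WAN gateway 203.0.113.1 is a placeholder from the documentation range. It also goes one step beyond the text: it shows that the original /32 rule stops working for the part 2 clients, which land on 10.8.0.6 and above, which is why the /24 rule was needed later.

```python
"""Longest-prefix-match model of the LAN router's routing decision.

Added example, not from the original notes. A LAN host answers a ping from a
tunnel address by handing the reply to its default gateway (the router), and
the router picks the next hop by longest-prefix match. Addresses are the ones
in the notes (tunnel 10.8.0.0/24, OpenVPN host 192.168.1.33); the WAN gateway
203.0.113.1 is a placeholder from the documentation range.
"""
import ipaddress
from typing import Optional

# (destination network, next hop, interface); "direct" = directly connected
Route = tuple[ipaddress.IPv4Network, str, str]

LAN = ipaddress.ip_network("192.168.1.0/24")
OPENVPN_HOST = "192.168.1.33"


def base_routes() -> list[Route]:
    """What a home router has out of the box: connected LAN plus a default via WAN."""
    return [
        (LAN, "direct", "LAN"),
        (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "WAN"),
    ]


def with_static_route(cidr: str) -> list[Route]:
    """Router table after adding the notes' rule: cidr -> gateway 192.168.1.33, network LAN."""
    return base_routes() + [(ipaddress.ip_network(cidr), OPENVPN_HOST, "LAN")]


def lookup(routes: list[Route], dst: str) -> tuple[str, str]:
    """Return (next_hop, interface) for dst using longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, next_hop, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def reply_reaches_tunnel(routes: list[Route], tunnel_dst: str = "10.8.0.2") -> bool:
    """True if the router hands replies for tunnel_dst to the OpenVPN host on the LAN."""
    next_hop, iface = lookup(routes, tunnel_dst)
    return iface == "LAN" and next_hop == OPENVPN_HOST


if __name__ == "__main__":
    print("no static route, reply for 10.8.0.2 goes to:", lookup(base_routes(), "10.8.0.2"))
    print("/32 rule, static-key client 10.8.0.2:", reply_reaches_tunnel(with_static_route("10.8.0.2/32")))
    # part 2's first client sits at 10.8.0.6, which the /32 rule does not cover
    print("/32 rule, part 2 client 10.8.0.6    :", reply_reaches_tunnel(with_static_route("10.8.0.2/32"), "10.8.0.6"))
    print("/24 rule, part 2 client 10.8.0.6    :", reply_reaches_tunnel(with_static_route("10.8.0.0/24"), "10.8.0.6"))
```

The same check is worth repeating whenever the tunnel subnet or the OpenVPN host's LAN address changes: a route that matches only one tunnel address silently breaks as soon as a second client connects.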
NOW to administer more from the server side...
First we have to set up our keys:

vars
clean-all
build-ca

The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:

. . . (openssl's interactive prompts are omitted here; screenshots are at http://openvpn.net/index.php/documentation/howto.html#pki)
Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "OpenVPN-CA".
build-key-server server
build-key client1
build-dh
Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:
Filename      Needed By                  Purpose                     Secret
ca.crt        server + all clients       Root CA certificate         NO
ca.key        key signing machine only   Root CA key                 YES
dh{n}.pem     server only                Diffie Hellman parameters   NO
server.crt    server only                Server Certificate          NO
server.key    server only                Server Key                  YES
client1.crt   client1 only               Client1 Certificate         NO
client1.key   client1 only               Client1 Key                 YES
The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel.
This means moving the keys directory with ca.crt, server.crt, server.key and dh1024.pem into the bin directory =)
ca.key is NOT one of them: it is the only file that can sign new certificates, so per the table above it stays on the key-signing machine and is never copied to a client or into the running server's directory.
The client (securely) gets only ca.crt, client1.crt and client1.key in its keys directory; client1.key is the secret one, so copy it over a secure channel.
------------------------ client.ovpn ------------------------
client
dev tun
proto udp
remote ts.anders.co.uk 1194
resolv-retry infinite
# required line in clients using version 2.0.9 and before to ensure the client...
# This will block clients from connecting to any server which lacks the nsCertType=server
# designation in its certificate, even if the certificate has been signed by the ca file in the
# OpenVPN configuration file.
ns-cert-type server
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
verb 3

Without that check any certificate signed by the CA, including another client's, would be accepted as the server. build-key-server sets the nsCertType extension that ns-cert-type looks for; newer OpenVPN releases replace the directive with remote-cert-tls server (ns-cert-type is deprecated and was removed in 2.5), which checks the certificate's key usage / extended key usage instead.
As we can see, most of the work is now being done by the server configuration:

------------------------ server.ovpn ------------------------
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem

the single "server" line below does all the addressing: the server takes 10.8.0.1 for itself and hands each client its own /30 out of the rest of 10.8.0.0/24. The first client lands on 10.8.0.6 with 10.8.0.5 as its virtual endpoint, which is why Windows reports 10.8.0.5 as the "DHCP server" on the TAP adapter. This can be narrowed/changed by reading the documentation on ip pools (ifconfig-pool).
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
TEST by pinging 192.168.1.3 and ping 192.168.1.30

---------------------------------- PART 3 ----------------------------------

Now to add DNS (can we get WSS / CRM / RDP to work?)

push "dhcp-option DNS 192.168.1.30"
push "dhcp-option DNS 192.168.1.31"
push "dhcp-option WINS 192.168.1.30"
push "dhcp-option WINS 192.168.1.31"
YES WE CAN! we can now ping computernameIntheRemoteSubnet
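Added example, not from the original notes or the OpenVPN project: a small Python lint for the part 2 and part 3 configs. It parses .ovpn text into directives and checks the three things that go wrong most easily in this setup: a config (or a copied file) referencing ca.key, which belongs on the key-signing machine only; a client with no server-certificate check, neither the legacy ns-cert-type server nor its replacement remote-cert-tls server; and a pushed DNS/WINS address that no pushed route covers, which is the reason the part 3 push works (192.168.1.30 is inside the pushed 192.168.1.0/24). The config texts in the block are constructed for the demo, modelled on the notes' own files; 10.0.0.53 is a made-up name-server address used to trigger the third finding.

```python
"""Lint OpenVPN .ovpn files for the part 2 / part 3 pitfalls.

Added example; not from the original notes nor from the OpenVPN project.
It parses configs into directives and flags:
  1. any reference to ca.key (the CA private key belongs on the key-signing
     machine only; server and clients need ca.crt);
  2. a client with no server-certificate check, i.e. neither the legacy
     'ns-cert-type server' nor its replacement 'remote-cert-tls server';
  3. a pushed DNS/WINS server that no pushed route (or the VPN subnet) covers.
The config texts below are constructed for the demo.
"""
import ipaddress
import shlex


def parse_ovpn(text: str) -> list[list[str]]:
    """Split config text into [directive, arg, ...]; lines starting with # or ; are comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            out.append(shlex.split(line, comments=True))
    return out


def _covered_networks(directives: list[list[str]]) -> list[ipaddress.IPv4Network]:
    """Networks a client can reach: the 'server' subnet plus every 'route' / pushed 'route'."""
    nets = []
    for d in directives:
        if d[0] == "push" and len(d) > 1:
            d = d[1].split()                      # look inside the quoted pushed directive
        if d[0] in ("server", "route") and len(d) >= 3:
            nets.append(ipaddress.ip_network(f"{d[1]}/{d[2]}", strict=False))
    return nets


def lint(text: str, role: str) -> list[str]:
    """Return findings for a config; role is 'client' or 'server'."""
    directives = parse_ovpn(text)
    names = {d[0] for d in directives}
    findings = []
    for d in directives:                           # 1. CA private key deployed
        if any(arg.endswith("ca.key") for arg in d[1:]):
            findings.append(f"{d[0]}: references ca.key; a {role} only needs ca.crt")
    if role == "client" and not names & {"ns-cert-type", "remote-cert-tls"}:   # 2.
        findings.append("client does not verify the server certificate type; add 'remote-cert-tls server'")
    if "ns-cert-type" in names and "remote-cert-tls" not in names:
        findings.append("ns-cert-type is deprecated (removed in OpenVPN 2.5); use 'remote-cert-tls server'")
    nets = _covered_networks(directives)           # 3. pushed name servers must be routable
    for d in directives:
        inner = d[1].split() if d[0] == "push" and len(d) > 1 else []
        if len(inner) == 3 and inner[0] == "dhcp-option" and inner[1] in ("DNS", "WINS"):
            ip = ipaddress.ip_address(inner[2])
            if not any(ip in n for n in nets):
                findings.append(f"{inner[1]} {ip} is pushed but no pushed route covers it")
    return findings


CLIENT_OK = """\
client
dev tun
proto udp
remote ts.anders.co.uk 1194
resolv-retry infinite
remote-cert-tls server
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
verb 3
"""
# the two mistakes a reader of the notes could make: ca.key on the client, no server check
CLIENT_BAD = CLIENT_OK.replace("remote-cert-tls server\n", "").replace("ca keys/ca.crt", "ca keys/ca.key")
# the notes' own client, which still works but uses the deprecated directive
CLIENT_LEGACY = CLIENT_OK.replace("remote-cert-tls server", "ns-cert-type server")

SERVER_OK = """\
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.30"
push "dhcp-option WINS 192.168.1.30"
"""
# a made-up name server outside every pushed route: clients could not reach it
SERVER_BAD_DNS = SERVER_OK.replace("DNS 192.168.1.30", "DNS 10.0.0.53")

if __name__ == "__main__":
    for label, text, role in [("client ok", CLIENT_OK, "client"), ("client bad", CLIENT_BAD, "client"),
                              ("client legacy", CLIENT_LEGACY, "client"),
                              ("server ok", SERVER_OK, "server"), ("server bad dns", SERVER_BAD_DNS, "server")]:
        print(label, "->", lint(text, role) or "no findings")
```

Run it against the real .ovpn files before copying them around; the ca.key finding in particular is the one that is invisible once the tunnel comes up, because the VPN works just as well with the CA private key sitting on every client.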