OpenVPN Server on Mac OS X

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
paolo
OpenVpn Newbie
Posts: 9
Joined: Fri Feb 24, 2017 10:26 pm

OpenVPN Server on Mac OS X

Post by paolo » Mon Sep 17, 2018 12:49 pm

Hello, this is my first post in the forum.
I'm trying to set up an OpenVPN server on my Mac OS X 10.13, and it is a very frustrating activity, because I haven't found any specific guide on the internet.

Now I have configured a server successfully, but I have several problems with its functionality; let me describe what I did.

MAC PREPARATION

1- I installed Xcode from the App Store (I already had it for another project)

2- Then I installed OpenSSL:

[code]brew install openssl[/code]

and I noted the location of the installed binary: /usr/local/Cellar/openssl/1.0.2n/bin/openssl

3- I installed OpenVPN:

[code]brew install openvpn[/code]

and I added the installation folder to the user PATH (export PATH=$PATH:/usr/local/Cellar/openvpn/2.4.5/sbin) for easy use of openvpn (I did the same for openssl)

4- I downloaded EasyRSA from the website https://github.com/OpenVPN/easy-rsa/releases

GENERATE THE CERTIFICATES

1- Working in the easy-rsa folder I set up the file vars, choosing set_var EASYRSA_KEY_SIZE 2048 and setting openssl to the downloaded one with set_var EASYRSA_OPENSSL "/usr/local/Cellar/openssl/1.0.2n/bin/openssl"

2- I generated the following certificates for the server:

[code]
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
./easyrsa gen-dh
openvpn --genkey --secret pki/ta.key
./easyrsa gen-crl
[/code]
3- And for the client:

[code]
./easyrsa build-client-full Client nopass
openssl rsa -in Client.key -des3 -out Client.3des.key # to encrypt the key with a password
[/code]
4- At this point I have the following certificates:

SERVER
  pki/ca.crt
  pki/private/ca.key
  pki/issued/server.crt
  pki/private/server.key
  pki/certs_by_serial/dh.pem
  pki/reqs/ta.key
  pki/certs_by_serial/crl.pem

CLIENT
  pki/issued/Client.crt
  pki/private/Client.3des.key
  pki/ca.crt
  pki/reqs/ta.key

SET UP THE SERVER

To start and stop the server on macOS I decided to use Tunnelblick.

1.- I prepared a Tunnelblick archive, Server.tblk, and filled it with the following files:
  • pki/ca.crt
  • pki/private/ca.key
  • pki/issued/server.crt
  • pki/private/server.key
  • pki/certs_by_serial/dh.pem
  • pki/reqs/ta.key
  • pki/certs_by_serial/crl.pem
2.- I set up Server.conf as:

[oconf]
dev tun
proto udp
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.100.0 255.255.255.0"
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1"
client-to-client
keepalive 10 120
remote-cert-tls client
tls-version-min 1.2
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
# comp-lzo # Deprecated from OpenVPN 2.5
user nobody
group nogroup
persist-key
persist-tun
crl-verify crl.pem
status-version 3
verb 1
[/oconf]
3.- And the client file Client.ovpn, compiled as a single file for easy distribution:

[oconf]
client
dev tun
proto udp
remote MY_EXTERNAL_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_QbT9nUED5POlw9lG name
cipher AES-256-CBC
auth SHA256
# comp-lzo # Deprecated from OpenVPN 2.5
verb 1
<ca>
-----BEGIN CERTIFICATE-----
# COPY THE CERTIFICATE ca.crt
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
# COPY THE CERTIFICATE Client.crt
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
# COPY THE KEY Client.3des.key
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
# COPY THE STATIC KEY ta.key
-----END OpenVPN Static key V1-----
</tls-auth>
[/oconf]
4.- Then I put Server.tblk into Tunnelblick, and in its preferences I set DNS/WINS as the name server (3.1)

RESULTS

With these settings my iPhone, with the OpenVPN Connect app, connects to the server with IP 10.8.0.2.
But at this point the problems begin.

The first problem is that my Windows 10 PC doesn't connect to the VPN, with the following error:

[code]
OpenVPN 2.3.18 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 26 2017
Windows version 6.2 (Windows 8 or greater) 64bit
library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Control Channel Authentication: tls-auth using INLINE static key file
UDPv4 link local: [undef]
UDPv4 link remote: [AF_INET]93.55.229.40:1194
OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
[/code]
The second problem is that, with my iPhone, after the VPN connection the internet and the internal LAN are not accessible (my LAN is 192.168.100.0/24).
I suppose that the problem is due to some routing issue in Mac OS X.

I have tried the following:
1- In the file /etc/pf.anchors/customNATRules (sudo nano /etc/pf.anchors/customNATRules) I added the following:

[code]
nat on en0 from 10.8.0.0/24 to any -> (en0)
pass from {lo0, 10.8.0.0/24} to any keep state
[/code]
2.- I enabled forwarding:

[code]echo 'net.inet.ip.forwarding=1' | sudo tee -a /etc/sysctl.conf[/code]
3.- I put the file into LaunchDaemons as net.mylan.pfctl.plist:

[code]
sudo cp /System/Library/LaunchDaemons/com.apple.pfctl.plist /Library/LaunchDaemons/net.mylan.pfctl.plist
sudo sed -i '' 's/com.apple.pfctl/net.mylan.pfctl/' /Library/LaunchDaemons/net.mylan.pfctl.plist
sudo sed -i '' 's/>-f</>-e</' /Library/LaunchDaemons/net.mylan.pfctl.plist
sudo sed -i '' '/pf\.conf/d' /Library/LaunchDaemons/net.mylan.pfctl.plist
sudo launchctl load -w /Library/LaunchDaemons/net.mylan.pfctl.plist
[/code]
4.- In the end I rebooted the system.

But after that, internet and LAN access are still not working.

Can someone help me?

Many thanks!
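A cross-check of the server and client configuration files, the kind of thing to run before chasing a TLS handshake failure; this is an added example, not code from the original post or from the OpenVPN project. It assumes that easyrsa build-server-full uses its argument as the certificate CN, and the embedded snippets are constructed from the directives shown above (MY_EXTERNAL_IP is a placeholder).

```python
"""Cross-check an OpenVPN server.conf against a client .ovpn (added example).
Assumption: easyrsa build-server-full uses its argument as the cert CN, so
'./easyrsa build-server-full server' gives CN 'server'."""

def parse_config(text):
    """Map each directive to its first args; skip comments and inline <...> blocks."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("</"):      # end of an inline <ca>/<cert>/<key> block
            in_block = False
            continue
        if line.startswith("<"):       # start of an inline block
            in_block = True
        if in_block or not line or line[0] in "#;":
            continue
        words = line.split()
        opts.setdefault(words[0], words[1:])
    return opts

def check_pair(server_conf, client_conf, server_cert_cn):
    """Return human-readable mismatches that would make the TLS handshake fail."""
    s, c = parse_config(server_conf), parse_config(client_conf)
    problems = []
    # 'verify-x509-name <value> name' pins the server CN exactly; a value that
    # differs from the real CN surfaces on the client as 'certificate verify failed'.
    vx = c.get("verify-x509-name")
    if vx and len(vx) > 1 and vx[1] == "name" and vx[0] != server_cert_cn:
        problems.append(f"verify-x509-name '{vx[0]}' does not match server CN '{server_cert_cn}'")
    # tls-auth key directions must be complementary: server 0 <-> client 1.
    s_dir = s.get("tls-auth", [])[1:2] or s.get("key-direction")
    c_dir = c.get("tls-auth", [])[1:2] or c.get("key-direction")
    if s_dir and c_dir and {s_dir[0], c_dir[0]} != {"0", "1"}:
        problems.append(f"tls-auth directions {s_dir[0]}/{c_dir[0]} are not complementary")
    # Data-channel cipher, HMAC and minimum TLS version must agree on both ends.
    for d in ("cipher", "auth", "tls-version-min"):
        if s.get(d) != c.get(d):
            problems.append(f"{d}: server {s.get(d)} vs client {c.get(d)}")
    return problems

# Constructed from the directives shown in the post, abridged to the TLS-relevant ones.
SERVER_CONF = ("proto udp\nport 1194\nremote-cert-tls client\ntls-version-min 1.2\n"
               "tls-auth ta.key 0\ncipher AES-256-CBC\nauth SHA256\n")
CLIENT_OVPN = ("client\nremote MY_EXTERNAL_IP 1194\nkey-direction 1\nremote-cert-tls server\n"
               "tls-version-min 1.2\nverify-x509-name server_QbT9nUED5POlw9lG name\n"
               "cipher AES-256-CBC\nauth SHA256\n<tls-auth>\n# ta.key placeholder\n</tls-auth>\n")

if __name__ == "__main__":
    for problem in check_pair(SERVER_CONF, CLIENT_OVPN, "server"):
        print("MISMATCH:", problem)
```

Run against the two real files (read them in place of the constructed strings) and pass the CN that easyrsa was actually given; an empty list means the name pinning, key direction and cipher settings agree.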
