OpenVPN / WPAD Mania

I’ve just spent an afternoon tweaking an OpenVPN install, and I thought it would be a good idea to document it here. Not the world’s most interesting post, but it’s my method, and I want to document it.

OpenVPN:

The best solution I found was to have the server on its own subnet:

dev tun0
comp-lzo
keepalive 10 120
server 10.20.2.0 255.255.255.0
push "dhcp-option DNS 10.20.1.1"
push "dhcp-option DOMAIN rivera.co.za"
push "route 10.20.1.0 255.255.255.0"
ca /etc/ssl/vpn-cacert.pem
dh /etc/ssl/dh1024.pem
cert /etc/ssl/certs/vpn.rivera.co.za.pem
key /etc/ssl/certs/vpn.rivera.co.za.key.pem

This sets up a Windows-friendly, routed OpenVPN. (TAP32, the Windows TAP driver, can't handle arbitrary IP-routed VPNs: each link has to be a private /30 network.)

Then, the Windows client side:

client
dev tun
dev-node VPN-Connection
proto udp
remote vpn.rivera.co.za 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca cacert.pem
cert winlaptop.pem
key winlaptop.key.pem
ns-cert-type server
comp-lzo
verb 3
pull
keepalive 10 60
explicit-exit-notify 2

This is nice and simple, and has the advantage of pulling a lot of configuration from the server rather than statically storing it on the client.

WPAD:

My network has proxy autodetection. While I wanted DNS queries to go through the VPN, I didn't want web traffic to. (DNS through the VPN is ugly, but necessary for finding private servers.)

My solution was: dnsmasq.conf:

dhcp-option=252,"http://ixia.rivera.co.za/wpad.dat"

Apache, default site config snippet:

<Location /wpad.dat>
        ForceType "application/x-ns-proxy-autoconfig"
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/8
        Allow from 10.20.1.0/24
</Location>

And a fallback, in case the wpad.dat is already cached; this goes at the top of the wpad:

// VPN:
if (isInNet(myIpAddress(), "10.20.2.0", "255.255.255.0")) return "DIRECT";
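The fallback rule above only makes sense inside a complete PAC file, so here is a worked version, added for this post and not taken from the original. It wraps the post's VPN check in a full FindProxyForURL, and because a PAC file can only be exercised by a browser, it also reimplements the two PAC builtins the rule uses (isInNet and myIpAddress) so the same function body can be run under Node. The proxy address, the harness function evaluatePac, and the assumption that all non-VPN clients should use a proxy are mine; the post names no proxy.

```javascript
// Added example: complete PAC file around the post's VPN fallback rule,
// plus a Node harness. Written in ES5 style (var, function) because PAC
// engines such as Windows' WinHTTP JScript do not accept newer syntax.

// Hypothetical proxy for LAN clients; the post does not name one.
var PROXY = "PROXY proxy.rivera.co.za:3128; DIRECT";

// Address returned by myIpAddress(); the harness below sets it.
// In a browser this variable does not exist and the builtin is used instead.
var clientAddress = "0.0.0.0";

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) throw new Error("bad IPv4 address: " + ip);
  var n = 0;
  for (var i = 0; i < 4; i++) {
    var p = Number(parts[i]);
    if (!(p >= 0 && p <= 255) || p !== Math.floor(p)) {
      throw new Error("bad IPv4 address: " + ip);
    }
    n = (n * 256) + p;
  }
  return n >>> 0;
}

// PAC builtin isInNet(host, pattern, mask): true when host, masked with mask,
// equals pattern. Reimplemented so this file runs outside a browser.
function isInNet(host, pattern, mask) {
  var m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

// PAC builtin myIpAddress(): the client's own address.
function myIpAddress() {
  return clientAddress;
}

// The PAC entry point. The VPN check comes first so that a laptop which
// cached wpad.dat on the LAN still bypasses the proxy once it is on the
// 10.20.2.0/24 tunnel, where the proxy is not reachable anyway.
function FindProxyForURL(url, host) {
  // VPN:
  if (isInNet(myIpAddress(), "10.20.2.0", "255.255.255.0")) return "DIRECT";
  // Everyone else (the 10.20.1.0/24 LAN the Apache ACL serves) uses the proxy.
  return PROXY;
}

// Harness: evaluate the PAC as if the client had the given address.
function evaluatePac(clientIp, url, host) {
  clientAddress = clientIp;
  return FindProxyForURL(url, host);
}
```

One caveat worth knowing before relying on this: myIpAddress() returns a single address, and on a multi-homed host (the laptop has both its LAN adapter and the TAP adapter) some browsers pick the wrong interface, so the VPN check can misfire. Testing with evaluatePac covers the logic, not that browser behaviour.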

Comments



option 252

Why not use:

push "dhcp-option 252 http://ixia.rivera.co.za/wpad.dat"

in the openvpn.conf on the server side?

re: option 252

That is true, but how many OSs support that?
