openvpn

I’ve just spent an afternoon tweaking an OpenVPN install, and I thought it would be a good idea to document it here. Not the world’s most interesting post, but it’s my method, and I want to document it.

OpenVPN:

The best solution I found was to have the server on it’s own subnet:

dev tun0

comp-lzo

keepalive 10 120

server 10.20.2.0 255.255.255.0

push "dhcp-option DNS 10.20.1.1"

push "dhcp-option DOMAIN rivera.co.za"

push "route 10.20.1.0 255.255.255.0"

ca /etc/ssl/vpn-cacert.pem

dh /etc/ssl/dh1024.pem

cert /etc/ssl/certs/vpn.rivera.co.za.pem

key /etc/ssl/certs/vpn.rivera.co.za.key.pem

This sets up a Windows-friendly, routed OpenVPN. (TAP32, the windows tap driver, can’t handle arbitrary IP routed VPNs, each link has to have a private /30 network)

Then, the Windows client side:

client

dev tun

dev-node VPN-Connection

proto udp

remote vpn.rivera.co.za 1194

resolv-retry infinite

nobind

persist-key

persist-tun

mute-replay-warnings

ca cacert.pem

cert winlaptop.pem

key winlaptop.key.pem

ns-cert-type server

comp-lzo

verb 3

pull

keepalive 10 60

explicit-exit-notify 2

This is nice and simple, and has the advantage of pulling a lot of configuration from the server rather than statically storing it on the client.

WPAD:

My network has Proxy Autodetection. While I wanted DNS queries to go through the VPN, I didn’t want web traffic to. (DNS through vpn, is ugly, but necessary for finding private servers).

My solution was: dnsmasq.conf:

dhcp-option=252,"http://ixia.rivera.co.za/wpad.dat"

Apache, default site config snippet:

<Location /wpad.dat>

        ForceType "application/x-ns-proxy-autoconfig"

        Order deny,allow

        Deny from all

        Allow from 127.0.0.0/8

        Allow from 10.20.1.0/24

</Location>

And a fallback, in-case the wpad is already cached, this at the top of the wpad:

// VPN:

if (isInNet(myIpAddress(), "10.20.2.0", "255.255.255.0")) return "DIRECT";

Navigation

OpenVPN / WPAD Mania

OpenVPN:

WPAD: