Index.
- Introduction.
- Create certificates and keys.
- Install OpenVPN GUI.
Introduction.
In the OpenVPN bridge article you could see how to set up the server side. Now we show the client side on Windows 7. We use the old OpenVPN GUI; a new, more official client will be available later, see this page for the current status. Download this GUI from the official OpenVPN download page, it is included in the latest Windows installer.
One of the problems with the old GUI is that if you edit the configuration using the internal editor on Windows 7 or Vista, you cannot save the changes because you have no administrator rights. In order to do so you need to start the GUI as Administrator. To do this, right click the GUI icon, then choose Run as Administrator. You may need to exit the taskbar icon first. For normal use, you don't need to run as Administrator.
Create certificates and keys.
Using your certificates setup, generate certificates for the Windows machine. Use the "normal" scripts, not the "openvpn" scripts, because the openvpn scripts are for the server only. After you have signed the certificate, copy request.cert as laptop.pem and request.key as laptop.key to a USB stick. From the home server, copy /etc/openvpn/homsrv/ta.key as ta-wpl.key to the USB stick. Copy /etc/certs/ca-wpl.pem to the USB stick. Add the following configuration file as homsrv.ovpn to the USB stick:
##############################################
# client-side OpenVPN 2.0 config file for    #
# connecting to mbse.eu server network.      #
##############################################

script-security 2

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
dev-node "Local Area Connection 2"

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote vpn.wpl.uk 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca wpl-ca.pem
cert laptop.pem
key laptop.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
# (Newer OpenVPN releases replace this directive
# with "remote-cert-tls server".)
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
# The direction is 1 on the client, 0 on the server.
tls-auth ta-wpl.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# DES-EDE3-CBC is 3DES, a legacy cipher; the value
# must match what the server is configured with.
cipher DES-EDE3-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
mute 20
This homsrv.ovpn file should be DOS formatted (CRLF line endings). You can use the dos2unix package (its unix2dos command) to convert a config written on Linux to DOS format.
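As an added example (not part of the original article), a small Python checker to run over the USB-stick bundle before it goes to the laptop: it parses the .ovpn, confirms CRLF line endings, checks that every file named by ca/cert/key/tls-auth actually sits beside the config (so a CA copied as ca-wpl.pem but referenced as wpl-ca.pem is caught), that a server-certificate check is configured, and that the tls-auth direction is the client one. File names are the ones used above; the sample files in demo() are constructed placeholders, not real keys.

```python
import os
import tempfile

FILE_DIRECTIVES = {"ca", "cert", "key", "tls-auth"}   # arguments name files that must sit beside the .ovpn
SERVER_CHECK = {"ns-cert-type", "remote-cert-tls"}     # directives that make the client verify the server cert

def parse_ovpn(text):
    """Return (directive, args) pairs, skipping blank lines and '#'/';' comments."""
    lines = [l.split() for l in text.splitlines() if l.strip() and l.strip()[0] not in "#;"]
    return [(parts[0], parts[1:]) for parts in lines]

def check_bundle(config_path):
    """Return the list of problems found; an empty list means the bundle looks usable."""
    problems = []
    data = open(config_path, "rb").read()
    if b"\n" in data and b"\r\n" not in data:         # requirement from the article: DOS (CRLF) line endings
        problems.append("config uses LF line endings, not DOS CRLF")
    entries = parse_ovpn(data.decode("utf-8", "replace"))
    names = {d for d, _ in entries}
    if "client" not in names:
        problems.append("missing 'client' directive")
    if not names & SERVER_CHECK:
        problems.append("no server certificate check (ns-cert-type / remote-cert-tls)")
    folder = os.path.dirname(config_path)
    for directive, args in entries:
        if directive in FILE_DIRECTIVES and args and not os.path.exists(os.path.join(folder, args[0])):
            problems.append(f"{directive}: {args[0]} not found next to the config")
        if directive == "tls-auth" and len(args) > 1 and args[1] != "1":
            problems.append("tls-auth direction must be 1 on the client (0 on the server)")
    return problems

def to_dos(text):
    """Convert any line endings to CRLF, as unix2dos does."""
    return text.replace("\r\n", "\n").replace("\n", "\r\n")

def demo():
    """Constructed sample: one correct bundle and one with typical mistakes (placeholder files, not keys)."""
    folder = tempfile.mkdtemp()
    for name in ("wpl-ca.pem", "laptop.pem", "laptop.key", "ta-wpl.key"):
        open(os.path.join(folder, name), "w").write("placeholder stand-in, not a real key\n")
    good = to_dos("client\nca wpl-ca.pem\ncert laptop.pem\nkey laptop.key\nns-cert-type server\ntls-auth ta-wpl.key 1\n")
    bad = "client\nca ca-wpl.pem\ncert laptop.pem\nkey laptop.key\ntls-auth ta-wpl.key 0\n"
    results = {}
    for label, text in (("good", good), ("bad", bad)):
        path = os.path.join(folder, label + ".ovpn")
        open(path, "wb").write(text.encode())
        results[label] = check_bundle(path)
    return results
```

demo()["bad"] lists the LF line endings, the missing server check, the mismatched CA file name and the wrong tls-auth direction; demo()["good"] is empty.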
Install OpenVPN GUI.
On the laptop, install the OpenVPN GUI. The files on the USB stick must then be copied to C:\Program Files\OpenVPN\config. After you start the OpenVPN GUI you can control the connection with the icon in the taskbar. If all goes well, after you connect you should have been given an IPv4 and an IPv6 address by your Home Server. Remember that the server works in bridge mode, so both the IPv4 and IPv6 DHCP servers of your Home Server provide addresses and other data to the Windows client. Note that a standard XP client only gets an IPv4 address.
I noticed one thing: if you already had an IPv6 address before you started OpenVPN, Windows keeps using that IPv6 address, even though it got a new address from our Home Server. I don't know if this is caused by Windows or by OpenVPN not yet being fully IPv6 aware. If you originally started with only an IPv4 address (in most cases that is true), the IPv6 connection will be routed via your Home Server as it should be. I have seen this with OpenVPN versions 2.1.3 and 2.2.1.