Set-up an OpenVPN Server on your Mac

[22/05/2015: The content of this post is very very very out of date.]

An OpenVPN client is easy: just download Tunnelblick. But to connect to your own Mac, or to a server you own or maintain at work, you will need an OpenVPN server set-up. This is how you do it.

IMPORTANT NOTE: Jon Bullard (developer of Tunnelblick) has commented that with recent (beta) versions, much of this article is no longer needed. Please read his comment at the bottom of the article before doing all this :)

1. Install TunTap.

Download and install the package. This will allow your system to create virtual network devices. After installing, open the Terminal and type

sudo kextload /Library/Extensions/tun.kext
sudo kextload /Library/Extensions/tap.kext

2. Install Xcode if you haven’t already.

3. Install MacPorts if you haven’t already (http://macports.org)

4. Install openvpn

sudo port install openvpn2

5. Switch to superuser mode. Be careful here; you can ruin a lot.

sudo -s

6. Duplicate the installed files to a more common and safe-from-overwrite location.

cp -r /opt/local/share/doc/openvpn2 /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0

7. Edit the bottom 8 or so lines of the vars file to match your setup.

nano vars

8. Initialize the PKI (Public Key Infrastructure)

. ./vars
./clean-all
./build-ca

9. Now build a server key

./build-key-server server

10. And create a key for your first client

./build-key pinocchio

Of course, pinocchio is a sample username.

11. Generate the Diffie-Hellman parameters. I don’t know exactly what this file does, but apparently it is needed.

./build-dh

Certificates are created in the subfolder keys (full path /etc/openvpn/easy-rsa/2.0/keys).

12. Copy the files ca.crt, pinocchio.key and pinocchio.crt to a USB stick or, very securely, to the client machine. We’ll get to those in a different post.

13. Configure the server. Copy the server configuration file to a suitable location.

cp /etc/openvpn/sample-config-files/server.conf /etc/openvpn/

14. Edit the configuration.

nano /etc/openvpn/server.conf

Change the line

;local a.b.c.d

if you want to specify a certain IP address the VPN server must respond to. Useful if you have multiple IP addresses on your server and only a few are allowed to be used for VPN.

Change the lines

ca ca.crt
cert server.crt
key server.key

to match your set-up:

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key

And change the line

dh dh1024.pem

to

dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

Change the lines 

;user nobody
;group nobody

to

user nobody
group nobody

And finally, if you want to allow VPN-connected machines to see each other, change the line

;client-to-client

to

client-to-client
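Making all of the step 14 edits by hand is easy to get wrong, so here is an added example (my own script, not from the post) that makes the same seven line changes with sed on a copy of the sample server.conf and then checks that every ca/cert/key/dh file the result points at actually exists, so a typo shows up now rather than as a silently failing launchd job. The key directory is the one from the post; the sample config excerpt is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the post: make the step-14 edits with sed on a copy of
# the sample server.conf, then check that every file it now references exists.
KEYDIR="${KEYDIR:-/etc/openvpn/easy-rsa/2.0/keys}"   # as in the post; overridable

# write_sample <file>: constructed excerpt of sample-config-files/server.conf
write_sample() {
    cat > "$1" <<'EOF'
;local a.b.c.d
port 1194
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;client-to-client
;user nobody
;group nobody
EOF
}

# apply_edits <in> <out>: the seven changes from step 14, anchored to whole lines
apply_edits() {
    sed -e "s|^ca ca\.crt\$|ca $KEYDIR/ca.crt|" \
        -e "s|^cert server\.crt\$|cert $KEYDIR/server.crt|" \
        -e "s|^key server\.key\$|key $KEYDIR/server.key|" \
        -e "s|^dh dh1024\.pem\$|dh $KEYDIR/dh1024.pem|" \
        -e 's|^;user nobody$|user nobody|' \
        -e 's|^;group nobody$|group nobody|' \
        -e 's|^;client-to-client$|client-to-client|' \
        "$1" > "$2"
}

# check_files <conf>: report every ca/cert/key/dh path that does not exist;
# returns 1 if any is missing, so a typo shows up now rather than at boot
check_files() {
    missing=0
    for f in $(awk '$1 ~ /^(ca|cert|key|dh)$/ { print $2 }' "$1"); do
        [ -f "$f" ] || { echo "missing: $f" >&2; missing=1; }
    done
    return $missing
}

# Demo on a constructed copy; on the real box use /etc/openvpn/server.conf instead
work=$(mktemp -d)
write_sample "$work/server.conf.sample"
apply_edits "$work/server.conf.sample" "$work/server.conf"
cat "$work/server.conf"
check_files "$work/server.conf" || echo "build the keys (steps 8-11) first" >&2
```

Run it as the superuser from step 5 with KEYDIR left at its default; lines that are not in the step 14 list (such as ;local a.b.c.d) are left exactly as they were.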

15. Last step: making the server run on boot.

cat > /Library/LaunchDaemons/org.openvpn.plist

and copy/paste this into the terminal:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.openvpn</string>
    <key>OnDemand</key>
    <false/>
    <key>Program</key>
    <string>/opt/local/sbin/openvpn2</string>
    <key>ProgramArguments</key>
    <array>
        <string>openvpn</string>
        <string>--config</string>
        <string>/etc/openvpn/server.conf</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>TimeOut</key>
    <integer>90</integer>
    <key>WorkingDirectory</key>
    <string>/etc/openvpn</string>
</dict>
</plist>

Terminate input with CTRL+D

16. Fire up the server

launchctl load -w /Library/LaunchDaemons/org.openvpn.plist

17. Exit superuser mode

exit

Next post: setting up the client machine.

Author: Remon Pel

WebDeveloper though not WebDesigner

7 thoughts on “Set-up an OpenVPN Server on your Mac”

  1. I’m the Tunnelblick developer. Thanks for this article — it is an easy step-by-step guide.

    However, recent beta versions of Tunnelblick make much of this unnecessary.

    Steps 1-5 can be skipped, because Tunnelblick includes tun/tap drivers and easy-rsa. (easy-rsa is accessed via the “Utilities” tab in Tunnelblick’s “VPN Details…” window.)

    In step 14, I recommend leaving the “;user nobody” and “;group nobody” lines intact. They can (even when using the “openvpn-down-root” plugin) cause problems if transmission errors make it necessary for OpenVPN to restart a connection to the server and routing is done by OpenVPN (which is often the case).

    Instead of steps 15-17, just set up Tunnelblick to start the configuration “When computer starts”. (Note that it must be a shared configuration, and that shared configurations must be “Tunnelblick VPN Configurations”, which package together the configuration file and key and certificate files. See Creating and Installing a Tunnelblick VPN Configuration for details.)
