[22/05/2015: The content of this post is very very very out of date.]
[17/08/2020: Kext-deprecation note and comment added]
Due to deprecation of kernel extensions in MacOS (10.12 and newer) OpenVPN seems to be defunct on macOS (at least for private servers), please see my comment. I sincerely hope the TunnelBlick development team will take the time and effort to rebuild the client to use the new KPIs in macOS Big Sur, but latest response suggest they have no interest to do so :(
An OpenVPN Client is easy, just download Tunnelblick. But to connect to your own Mac or maybe a server you own or are the maintainer for at work, you will need an OpenVPN Server set-up. This is how you do it.
IMPORTANT NOTE: Jon Bullard (developer of TunnelBlick) has commented that with recent (beta) versions, much of this article is no longer needed. Please read his comment on the bottom of the article before doing all this :)
1. Install TunTap;
Download and install the package. This will allow your system to create virtual network devices. After install open the Terminal and type
sudo kextload /Library/Extensions/tun.kext
sudo kextload /Library/Extensions/tap.kext
2. Install XCODE if you haven’t already.
3. Install MacPorts if you haven’t already (http://macports.org)
4. Install openvpn
sudo port install openvpn2
5. Switch to SuperUser mode. Be careful here, you can ruin a lot.
sudo -s
6. Duplicate the installed files to a more common and safe-from-overwrite location.
cp -r /opt/local/share/doc/openvpn2 /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0
7. Edit the bottom 8 or so lines (of the vars file) to match your setup
nano vars
8. Initialize the PKI (Public Key Infrastructure)
. ./vars
./clean-all
./build-ca
9. Now build a server-key
./build-key-server server
10. And create a key for your first client
./build-key pinocchio
Ofcourse, pinocchio is a sample username.
11. Create some other file I don’t know what it does but apparently is needed (Diffie Hellman parameters);
./build-dh
Certificates are created in the subfolder keys (full path /etc/openvpn/easy-rsa/2.0/keys)
12. Copy the files ca.crt, pinnochio.key and pinnochio.crt to a USB stick or very securely to the client machine. We’ll get to those in a different post.
13. Configure the server. Copy the server configuration file to a suitable location.
cp /etc/openvpn/sample-config-files/server.conf /etc/openvpn/
14 Edit the configuration.
nano /etc/openvpn/server.conf
Change the line
;local a.b.c.d
Change the lines
ca ca.crt
cert server.crt
key server.key
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
And change the line
dh dh1024.pem
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
Change the lines
;user nobody
;group nobody
user nobody
group nobody
And finally, if you want to allow VPN-connected machines to see each other, change the line
;client-to-client
client-to-client
15. Last step; making the server run on boot;
cat > /Library/LaunchDaemons/org.openvpn.plist
and copy/past this into the terminal;
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
<plist version="1.0">
<dict>
<key>Label</key>
<string>org.openvpn</string>
<key>OnDemand</key>
<false/>
<key>Program</key>
<string>/opt/local/sbin/openvpn2</string>
<key>ProgramArguments</key>
<array>
<string>openvpn</string>
<string>--config</string>
<string>/etc/openvpn/server.conf</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>TimeOut</key>
<integer>90</integer>
<key>WorkingDirectory</key>
<string>/etc/openvpn</string>
</dict>
</plist>
Terminate input with CTRL+D
16. Fire up the server
launchctl load -w /Library/LaunchDaemons/org.openvpn.plist
17. Exit Super User mode
exit
next post; setting up the client machine.