[22/05/2015: The content of this post is very very very out of date.]
[17/08/2020: Kext-deprecation note and comment added]
Due to deprecation of kernel extensions in MacOS (10.12 and newer) OpenVPN seems to be defunct on macOS (at least for private servers), please see my comment. I sincerely hope the TunnelBlick development team will take the time and effort to rebuild the client to use the new KPIs in macOS Big Sur, but latest response suggest they have no interest to do so :(
An OpenVPN Client is easy, just download Tunnelblick. But to connect to your own Mac or maybe a server you own or are the maintainer for at work, you will need an OpenVPN Server set-up. This is how you do it.
IMPORTANT NOTE: Jon Bullard (developer of TunnelBlick) has commented that with recent (beta) versions, much of this article is no longer needed. Please read his comment on the bottom of the article before doing all this :)
1. Install TunTap;
Download and install the package. This will allow your system to create virtual network devices. After install open the Terminal and type
sudo kextload /Library/Extensions/tun.kext
sudo kextload /Library/Extensions/tap.kext2. Install XCODE if you haven’t already.
3. Install MacPorts if you haven’t already (http://macports.org)
4. Install openvpn
sudo port install openvpn25. Switch to SuperUser mode. Be careful here, you can ruin a lot.
sudo -s6. Duplicate the installed files to a more common and safe-from-overwrite location.
cp -r /opt/local/share/doc/openvpn2 /etc/openvpn
cd /etc/openvpn/easy-rsa/2.07. Edit the bottom 8 or so lines (of the vars file) to match your setup
nano vars8. Initialize the PKI (Public Key Infrastructure)
. ./vars
./clean-all
./build-ca9. Now build a server-key
./build-key-server server10. And create a key for your first client
./build-key pinocchioOfcourse, pinocchio is a sample username.
11. Create some other file I don’t know what it does but apparently is needed (Diffie Hellman parameters);
./build-dhCertificates are created in the subfolder keys (full path /etc/openvpn/easy-rsa/2.0/keys)
12. Copy the files ca.crt, pinnochio.key and pinnochio.crt to a USB stick or very securely to the client machine. We’ll get to those in a different post.
13. Configure the server. Copy the server configuration file to a suitable location.
cp /etc/openvpn/sample-config-files/server.conf /etc/openvpn/14 Edit the configuration.
nano /etc/openvpn/server.confChange the line
;local a.b.c.dChange the lines
ca ca.crt
cert server.crt
key server.keyca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.keyAnd change the line
dh dh1024.pemdh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pemChange the lines
;user nobody
;group nobodyuser nobody
group nobodyAnd finally, if you want to allow VPN-connected machines to see each other, change the line
;client-to-clientclient-to-client15. Last step; making the server run on boot;
cat > /Library/LaunchDaemons/org.openvpn.plistand copy/past this into the terminal;
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
<plist version="1.0">
<dict>
<key>Label</key>
<string>org.openvpn</string>
<key>OnDemand</key>
<false/>
<key>Program</key>
<string>/opt/local/sbin/openvpn2</string>
<key>ProgramArguments</key>
<array>
<string>openvpn</string>
<string>--config</string>
<string>/etc/openvpn/server.conf</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>TimeOut</key>
<integer>90</integer>
<key>WorkingDirectory</key>
<string>/etc/openvpn</string>
</dict>
</plist>
Terminate input with CTRL+D
16. Fire up the server
launchctl load -w /Library/LaunchDaemons/org.openvpn.plist17. Exit Super User mode
exitnext post; setting up the client machine.