netnerds.net

3Nov/100

HOWTO: Simply Connect Mac OSX to a dd-wrt OpenVPN Server on TCP Port 443

If you find yourself on a really restrictive network but still want to connect to a remote VPN, consider this solution. It allows you to connect a Mac OS X OpenVPN client to an OpenVPN server using a static key. I figured it out using a combination of webistes, including dd-wrt's OpenVPN wiki, OpenVPN's documentation, and tinyapps.org.

This solution can probably be way more automated using tunnelblick, but I'm alright with running a couple scripts (for now) to get my VPN going. Here's what you'll need:

Network
- No web proxy or a proxy that allows persistent connections.

Server
- A Linksys WRT54GL router
- dd-wrt.v24_vpn_generic.bin (follow instructions on the website to flash from scratch.)

Client
- MacOS X Snow Leopard
- OpenVPN v2.1.3
- tuntap_20090913.tar.gz
- lzo 2.02

I downloaded all of these then compiled and installed them myself. Not because I'm leet, but because the network I was on blocked sync and I couldn't use MacPorts. So go download and compile these or use MacPorts.

First thing is first, I changed the subnet on my wireless router. I hate the 192.168 subnet; it's aesthetically unappealing and overused. Now 172.20.0.x is something pretty. Let's go with that.

We will not be using dd-wrt's GUI to enable or configure OpenVPN, but rather startup and firewall scripts in the /tmp directory. I also avoid using the default protocol and port (udp, 1194) and go with tcp port 443.

Here's a step by step

Server
- Generate the static key: openvpn --genkey --secret static.key
- Cat that key and place it in your clipboard
- Open up dd-wrt's admin webpage, and go to Administration -> Commands. Paste the following:

openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
echo "
-----BEGIN OpenVPN Static key V1-----
[Insert your static key  here]
   -----END OpenVPN Static key V1-----
"> /tmp/static.key
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 443 --proto tcp-server --verb 3 --daemon



- Save that to Startup Scripts
- Next, back in the blank box, we'll place the code for the firewall and NAT:

iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


Client
You will be creating 2 scripts and one key: openvpn.conf, startvpn.sh and secret.key. Place them in ~/Library/openvpn.

For your key, copy/paste your static.key from the dd-wrt router into a file named secret.key. Save the following two scripts as openvpn.conf and startvpn.sh, respectively. Don't forget to make startvpn.sh executable.

#openvpn.conf
remote my.vpn.external.ip
port 443
dev tap0
secret static.key
proto tcp-client
comp-lzo

Now this part is kinda ghetto. I want to route all my traffic through the VPN but I was unable to get route-gateway and redirect-gateway to work inside of openvpn.conf. I decided to save time and just do it through the startup script instead.

kill -9 `ps aux | grep openvpn.conf |grep config| awk '{ print $2 }'`
openvpn2 --config openvpn.conf --script-security 2 &
sleep 3

# Change your vpn server and internal subnet here
vpnserver='my.external.vpn.ip'
vpngw='172.20.0.1'

# If you use DHCP supplied DNS Servers, leave this as true
changedns=true

previousgw=`cat ./gateway 2> /dev/null`
currentgw=`netstat -nr | grep '^default' | awk '{ print $2 }'`

if [ -f ./gateway ]
then
# Set it back to the regular gateway
route delete default
route delete $vpnserver $previousgw
route add default $previousgw
rm ./gateway

echo gateway set back

                if [ $changedns ]; then
                networksetup -setdnsservers Ethernet empty
                networksetup -setdnsservers Airport empty
                echo dns reset
                fi
else
                # Set it to the VPN gw
                route add $vpnserver $currentgw
                sleep 7
                route delete default
                route add default $vpngw
                echo $currentgw > ./gateway

                # Tunnel your DNS Requests too.
                if [ $changdns ]; then
                networksetup -setdnsservers Ethernet $vpngw
                networksetup -setdnsservers Airport  $vpngw
                echo new dns set
                fi
fi

Check out this post on updating client-side DNS servers if you'd like to update all of your adapters instead of the ones most often used (Ethernet and Airport.)

Or something like that... Simple, right? ;)

Posted by: Chrissy   Filed under: Networking, OS X & iDevices, Security Leave a comment
Comments (0) Trackbacks (0)

No comments yet.


Leave a comment


No trackbacks yet.

« SQL Browser Routing Errors and Infrastructure Errors in Event Log – syspolicy_purge_history Modifying Data in an Oracle Database Using ASP.NET and ODP.NET »

About

    We are IT consultants who grew up living and loving life in Cajun Country.

Authors


    Chrissy LeMaire
    View Chrissy LeMaire, BSc. MCITP's profile on LinkedIn


    Brandon Abshire
    View Brandon Abshire, MCDBA's profile on LinkedIn

Categories