How To Set Up A VPN Server On Your Mac and Access Everything Remotely With An iPhone By Federico Viticci Last weekend I decided that I wanted to try to set up a VPN server on my MacBook Pro running Snow Leopard 10.6.6.
If you want more than just pre-shared keys OpenVPN makes it easy to setup and use a Public Key Infrastructure (PKI) to use SSL/TLS certificates for authentication and key exchange between the VPN server and clients. OpenVPN can be used in a routed or bridged VPN mode and can be configured to use either UDP or TCP. The port number can be configured as well, but port 1194 is the official one. And it is only using that single port for all communication. VPN client implementations are available for almost anything including all Linux distributions, OS X, Windows and OpenWRT based WLAN routers.
a separate certificate (also known as a public key) and private key for the server and each client, and. a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.
OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established. Both server and client will authenticate the other by first verifying that the presented certificate was signed by the master certificate authority (CA), and then by testing information in the now-authenticated certificate header, such as the certificate common name or certificate type (client or server).
Ubuntu@testopenvpn-server:$ sudo systemctl start openvpn@server ubuntu@testopenvpn-server:$ sudo systemctl status openvpn@server. Ubuntu@testopenvpn-client:$ sudo systemctl start openvpn@client ubuntu@testopenvpn-client:$ sudo systemctl status openvpn@client. Check your journal, e.g. Journalctl -identifier ovpn-server (for server.conf). Check that you have specified the keyfile names correctly in client.conf and server.conf. Can the client connect to the server machine? Maybe a firewall is blocking access?
Check journal on server. Client and server must use same protocol and port, e.g. UDP port 1194, see port and proto config option. Client and server must use same config regarding compression, see comp-lzo config option. Client and server must use same config regarding bridged vs routed mode, see server vs server-bridge config option.
The above is a very simple working VPN. The client can access services on the VPN server machine through an encrypted tunnel. If you want to reach more servers or anything in other networks, push some routes to the clients. If your company's network can be summarized to the network 192.168.0.0/16, you could push this route to the clients.
But you will also have to change the routing for the way back - your servers need to know a route to the VPN client-network. Or you might push a default gateway to all the clients to send all their internet traffic to the VPN gateway first and from there via the company firewall into the internet. This section shows you some possible options. Push routes to the client to allow it to reach other private subnets behind the server. Remember that these private subnets will also need to know to route the OpenVPN client address pool (10.8.0.0/24) back to the OpenVPN server. OpenVPN can be setup for either a routed or a bridged VPN mode. Sometimes this is also referred to as OSI layer-2 versus layer-3 VPN.
In a bridged VPN all layer-2 frames - e.g. All ethernet frames - are sent to the VPN partners and in a routed VPN only layer-3 packets are sent to VPN partners. In bridged mode all traffic including traffic which was traditionally LAN-local like local network broadcasts, DHCP requests, ARP requests etc. Are sent to VPN partners whereas in routed mode this would be filtered. $ cat /etc/netplan/01-netcfg.yaml # This file describes the network interfaces available on your system # For more information, see netplan(5). Network: version: 2 renderer: networkd ethernets: enp0s31f6: dhcp4: no bridges: br0: interfaces: enp0s31f6 dhcp4: no addresses: 10.0.1.100/24 gateway4: 10.0.1.1 nameservers: addresses: 10.0.1.1 Static IP addressing is highly suggested.
DHCP addressing can also work, but you will still have to encode a static address in the OpenVPN configuration file. The next step on the server is to configure the ethernet device for promiscuous mode on boot. To do this, ensure the networkd-dispatcher package is installed and create the following configuration script. Root@client:# apt install network-manager-openvpn Reading package lists. Done Building dependency tree Reading state information. Done The following extra packages will be installed: liblzo2-2 libpkcs11-helper1 network-manager-openvpn-gnome openvpn Suggested packages: resolvconf The following NEW packages will be installed: liblzo2-2 libpkcs11-helper1 network-manager-openvpn network-manager-openvpn-gnome openvpn 0 upgraded, 5 newly installed, 0 to remove and 631 not upgraded. Need to get 700 kB of archives.
After this operation, 3,031 kB of additional disk space will be used. Do you want to continue Y/n? To inform network-manager about the new installed packages you will have to restart it. Root@client:# restart network-manager network-manager start/running, process 3078 Open the Network Manager GUI, select the VPN tab and then the 'Add' button.
Select OpenVPN as the VPN type in the opening requester and press 'Create'. In the next window add the OpenVPN's server name as the 'Gateway', set 'Type' to 'Certificates (TLS)', point 'User Certificate' to your user certificate, 'CA Certificate' to your CA certificate and 'Private Key' to your private key file. Use the advanced button to enable compression (e.g. Comp-lzo), dev tap, or other special settings you set on the server. Now try to establish your VPN.
First download and install the latest. OpenVPN 2.3.2 was the latest when this was written. As of this writing, the management GUI is included with the Windows binary installer. You need to start the OpenVPN service. Goto Start Computer Manage Services and Applications Services. Find the OpenVPN service and start it.
Set it's startup type to automatic. When you start the OpenVPN MI GUI the first time you need to run it as an administrator.
You have to right click on it and you will see that option. You will have to write your OpenVPN config in a textfile and place it in C: Program Files OpenVPN config client.ovpn along with the CA certificate. You could put the user certificate in the user's home directory like in the follwing example.
Streisand sets up a new server running L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, a Tor bridge, and WireGuard. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists. The problem with Streisand though is the install is amazingly complicated using ansible from your local system to a cloud provider using API calls and if you are not in a shop that uses this technology it can be difficult to get working correctly Method 1 Below script is an automated bash script to enable streisand vpn server to your traditional VPS Method 2 Installing Streisand from Mac OS to Ubuntu 16.04 VPS. I will be executing the ansible playbook from my Mac OS Sierra (with homebrew) Install git brew install git Install pip sudo easyinstall pip sudo pip install pycurl Homebrew library fix /Library/Python/2.7/lib/python/site-packages echo '/usr/local/lib/python2.7/site-packages' /Library/Python/2.7/lib/python/site-packages/homebrew.pth Install Ansible (via pip) sudo pip install ansible markupsafe Clone the Streisand repository and enter the directory. Git clone && cd streisand Edit the inventory file and uncomment the final two lines. Replace the sample IP with the address (or addresses) of the servers you wish to configure.