The purpose of this document is to guide users in configuring their OpenVPN clients to access a VPN server. We will see how to install and configure the most widely used OpenVPN GUIs for Microsoft Windows, Linux, Mac OS X and Windows Mobile for Pocket PC. At the end of the document we will learn to use OpenVPN’s command line interface. This last option is useful because the openvpn command, which you can run from a prompt (Unix shell or Windows prompt), accepts the same parameters and behaves the same way regardless of which operating system you use. In addition, you can use the openvpn command in a script to start the VPN connection automatically.
More precisely, we will see how to access a VPN server built with Zeroshell and configured with the default parameters. To obtain an OpenVPN server with the default behavior, you only need, after you have activated Zeroshell on your network, to enable the OpenVPN service by clicking the Enabled flag in the [VPN]->[OpenVPN] section of Zeroshell’s web interface. By default, the OpenVPN server of Zeroshell listens on port 1194/TCP with TLS/SSL encryption and LZO compression enabled. User authentication is checked using username and password credentials, but we will try X.509 authentication as well.
For further details about the configuration of an OpenVPN server built with Zeroshell, you can read the “An OpenVPN server using Zeroshell” how-to.
One popular OpenVPN client for OS X is Tunnelblick. Tunnelblick is free and open source. Another client is Viscosity. It costs $9 USD and has a 30-day trial.
The sections into which this how-to is divided are listed below. Keep in mind that the first section, which covers the OpenVPN configuration file, is common to the other ones, because the configuration file does not depend on the GUI or operating system that you use.
Because of the large number of parameters you can define either in the configuration file or on the command line, you can configure OpenVPN in many different ways. In any case, to obtain a connection with a Zeroshell VPN server, you only need to define a small number of them in your client’s configuration file. To further simplify the configuration of the OpenVPN client, you can download an example configuration file by clicking on the link OpenVPN Client configuration. The file has comments that explain the meaning of the parameters, but there are only 2 that you will certainly need to change to obtain a VPN connection with Zeroshell:
Notice that you will always have to edit the configuration file manually. This is because the graphical user interfaces covered here do not assist you in creating and maintaining the OpenVPN configuration. They only help you connect and disconnect the VPN, and ask for the username and password if they are required.
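Because the configuration file is always edited by hand, it helps to check it against the server defaults stated above (port 1194/TCP, LZO compression, username and password or X.509 authentication, a CA certificate) before connecting. The script below is an added example, not Zeroshell’s downloadable file or code from this how-to; it assumes the standard OpenVPN directive names, a TAP device, and constructed sample configurations with the placeholder host vpn.example.com.

```shell
#!/bin/sh
# Added example, not Zeroshell's file: lint a client config against the
# server defaults named on this page (1194/TCP, TAP device, LZO, CA cert).

# lint_ovpn reads an OpenVPN client config on stdin, prints one line per
# mismatch and returns non-zero if it printed any.
lint_ovpn() {
    awk '
        function bad(msg) { print "MISMATCH: " msg; errors++ }
        { sub(/\r$/, "") }                      # tolerate Windows line endings
        /^[ \t]*([#;]|$)/ { next }              # comments and blank lines
        $1 == "remote" { remote = $2; if (NF >= 3) port = $3 }
        $1 == "port"   { port = $2 }
        $1 == "proto"  { proto = $2 }
        $1 == "dev"    { dev = $2 }
        $1 == "ca" || $1 == "cert" || $1 == "key" { seen[$1] = 1 }
        $1 == "comp-lzo" || $1 == "auth-user-pass" { seen[$1] = 1 }
        END {
            if (remote == "") bad("no remote server configured")
            if (port != "" && port != "1194") bad("port " port ", server uses 1194")
            if (proto !~ /^tcp/) bad("proto is not tcp (OpenVPN defaults to udp)")
            if (dev !~ /^tap/) bad("dev is not a tap device")
            if (!("comp-lzo" in seen)) bad("comp-lzo missing, server uses LZO")
            if (!("ca" in seen)) bad("no ca file, server certificate is not verified")
            if (!("auth-user-pass" in seen) && !(("cert" in seen) && ("key" in seen)))
                bad("no auth-user-pass and no cert/key pair")
            exit (errors > 0)
        }'
}

# Constructed samples; vpn.example.com is a placeholder host.
GOOD_CFG='client
dev tap
proto tcp-client
remote vpn.example.com 1194
comp-lzo
auth-user-pass
ca CA.pem'
BAD_CFG='client
dev tun
remote vpn.example.com 1194
auth-user-pass'

printf '%s\n' "$GOOD_CFG" | lint_ovpn && echo "good config: no mismatches"
printf '%s\n' "$BAD_CFG" | lint_ovpn || echo "bad config: see mismatches above"
```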
To install OpenVPN GUI for Windows on Microsoft Windows XP 32/64-bit, follow the steps below:
C:\Program Files\OpenVPN\config
in which you must copy the file zeroshell.ovpn, which contains the OpenVPN configuration, and CA.pem, which is the X.509 Certification Authority certificate. You can look at the previous section for details on how to obtain these files;
Right-clicking the OpenVPN icon in the tray bar opens a contextual menu with several useful options: Connect, Disconnect, Show Status, View Log, Edit Config, Proxy Settings. The View Log item is particularly useful for solving connection problems, because it shows the reason for the failures.
If instead the VPN is connected (the two terminals are green) but you are not able to reach the remote LAN or the Internet through the Virtual Private Network, then you should run the ipconfig /all command from the Windows prompt. Here is an example of the lines of output for the virtual Ethernet interface:
To be sure that the IP traffic is actually routed across the VPN and hence encrypted, you must check that the IP address and the default gateway assigned to the TAP virtual interface belong to the remote LAN you are connected to. To better check this condition, you can also use the tracert /d <Remote IP Address> command: if the first hop that is printed belongs to a subnet of the remote LAN, then your VPN works fine and the traffic that reaches the remote site is encrypted across the Internet.
A Graphical User Interface for OpenVPN on Mac OS X is a package called Tunnelblick. To install this GUI, follow the steps below:
If there are connection problems, select the item [Details…] to check OpenVPN’s log messages.
If you want to verify that the IP address that the VPN server has assigned to you actually belongs to the remote LAN to which you are connected, open a Mac OS X Terminal and type the following command at the shell prompt:
ifconfig tap0
the result looks like this:
The line that starts with inet shows you that the VPN IP address assigned to you is 192.168.250.1 (by default Zeroshell issues IP addresses which belong to the subnet 192.168.250.0/24 with 192.168.250.254 as default gateway). To be sure that the IP traffic is actually routed across the VPN and hence encrypted, you must check that the IP address and the default gateway assigned to the TAP virtual interface belong to the remote LAN you are connected to. To better check this condition, you can also use the traceroute -n <Remote IP Address> command: if the first hop that is printed belongs to a subnet of the remote LAN (192.168.250.254 by default), then your VPN works fine and the traffic that reaches the remote site is encrypted across the Internet.
KVpnc is a Linux frontend that is able to manage many types of VPN clients, such as Cisco VPN, IPSec, PPTP, OpenVPN and L2TP. It also has SmartCard support. In this document we will only see the installation and configuration of KVpnc related to OpenVPN. Binary packages of KVpnc exist for many Linux distributions, such as the RPMs for Suse and Fedora. For Ubuntu and Kubuntu (and other Debian-derived distributions), you can easily install KVpnc with OpenVPN by using the commands:
sudo apt-get install openvpn
sudo apt-get install kvpnc
Notice that, unlike the other GUIs, the KVpnc packages do not include OpenVPN, so you must install it separately. To keep this document independent of the Linux distribution used, we will build and install KVpnc by compiling the source code, but if a binary package exists for your Linux distribution, you should prefer it rather than spend time on the build process.
Because KVpnc uses the QT libraries, the libraries and their include files are required by the build process. In the next steps, we will assume that the OpenVPN package is already installed. If it is not, read the section Build and install OpenVPN to learn how to install OpenVPN.
Now we are ready to install and configure KVpnc by following the steps given below:
In this way, kvpnc will have the root privileges needed to create the tap0 virtual Ethernet interface and add the static routes to the kernel routing table;
Press [Apply] and then [Ok] on the Profile Manager. After that, save the Zeroshell profile using the [Profile]->[Save Profile…] menu item and close the kvpnc interface with the [File]->[Quit] menu item;
If you want to verify that the IP address that the VPN server has assigned to you actually belongs to the remote LAN to which you are connected, open a terminal and type the following command at the shell prompt:
ifconfig tap0
the result looks like this:
The line that starts with inet shows you that the VPN IP address assigned to you is 192.168.250.50 (by default Zeroshell issues IP addresses which belong to the subnet 192.168.250.0/24 with 192.168.250.254 as default gateway). To be sure that the IP traffic is actually routed across the VPN and hence encrypted, you must check that the IP address and the default gateway assigned to the TAP virtual interface belong to the remote LAN you are connected to. To better check this condition, you can also use the traceroute -n <Remote IP Address> command: if the first hop that is printed belongs to a subnet of the remote LAN (192.168.250.254 by default), then your VPN works fine and the traffic that reaches the remote site is encrypted across the Internet.
OpenVPN for Pocket PC is still an Alpha release, but it worked fine during the test on Microsoft Windows Mobile v5.0 installed on a PDA i-Mate JASJAR (equivalent to an HTC Universal Qtek 9000). Before seeing how to install and configure this software, notice that you will have to modify the OpenVPN configuration file manually, and therefore you should use Microsoft ActiveSync to edit it from your personal computer. Another solution is to install Total Commander CE on your PPC, a freeware file manager for Pocket PC available at the URL http://www.ghisler.com/pocketpc.htm. This file manager includes an editor which allows you to edit the OpenVPN configuration file directly from your Palm Device.
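The check described in this section and in the Mac OS X section, automated as an added example that is not part of the original how-to: it parses ifconfig tap0 and traceroute -n output and tests both addresses against the VPN subnet. The sample output is constructed, and 192.168.0.75 and 10.0.0.1 are assumed addresses.

```shell
#!/bin/sh
# Added example, not from the original how-to: check that the tap0 address
# and the first traceroute hop both fall inside the VPN subnet.

# Succeed only for four dot-separated octets in 0..255 without leading zeros.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Print a dotted-quad IPv4 address as a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDRESS NETWORK/BITS: true if ADDRESS lies inside the network.
in_subnet() {
    is_ipv4 "$1" || return 1
    mask=$(( (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "${2%/*}") & $mask )) ]
}

# First "inet" address in ifconfig output ("inet addr:X" or "inet X").
tap_inet() { awk '$1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }'; }
# Address of hop 1 in traceroute -n output ("*" when the hop timed out).
first_hop() { awk '$1 == "1" { print $2; exit }'; }

# check_vpn_path CIDR IFCONFIG_OUTPUT TRACEROUTE_OUTPUT
check_vpn_path() {
    addr=$(printf '%s\n' "$2" | tap_inet)
    hop=$(printf '%s\n' "$3" | first_hop)
    in_subnet "$addr" "$1" || { echo "FAIL: tap address '$addr' not in $1"; return 1; }
    in_subnet "$hop" "$1" || { echo "FAIL: first hop '$hop' not in $1"; return 1; }
    echo "OK: $addr and first hop $hop are inside $1"
}

# Constructed sample output; .50 and .254 are the defaults quoted on this page.
SAMPLE_IFCONFIG='tap0      Link encap:Ethernet  HWaddr 00:FF:AA:BB:CC:DD
          inet addr:192.168.250.50  Bcast:192.168.250.255  Mask:255.255.255.0'
SAMPLE_TRACE_OK='traceroute to 192.168.0.75 (192.168.0.75), 30 hops max
 1  192.168.250.254  21.4 ms  20.9 ms  21.1 ms'
SAMPLE_TRACE_LEAK='traceroute to 192.168.0.75 (192.168.0.75), 30 hops max
 1  10.0.0.1  1.2 ms  1.0 ms  1.1 ms'

check_vpn_path 192.168.250.0/24 "$SAMPLE_IFCONFIG" "$SAMPLE_TRACE_OK"
```

A first hop outside the subnet, as in SAMPLE_TRACE_LEAK, means the traffic to that host is leaving through the local gateway rather than the tunnel.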
Now, follow the steps below to install OpenVPN for Windows Mobile on your Pocket PC:
If you have connection problems, check the log file \Program Files\OpenVPN\log\zeroshell.log. Finally, to verify that the traffic is actually routed and encrypted in the VPN, you need to perform a traceroute to a remote host: if the first hop that is reported belongs to the remote LAN (by default the VPN box has the IP 192.168.250.254), you are sure that the VPN works as you expect. Windows Mobile does not have a traceroute utility, and therefore you need to install one. A free network debugging tool is ceNetTools, with which you can perform traceroute, ping and whois operations.
If the system you are using does not have a graphical user interface for OpenVPN, you have to use OpenVPN’s command line. This can also be used when you want to start the VPN automatically from the startup scripts. Typing the command man openvpn in a Unix shell displays OpenVPN’s manual page. A great number of parameters are available for direct use on the command line, prefixed by two consecutive hyphens (--). The same parameters (not prefixed by --) can also be specified in the configuration file. Except for a few cases, it is better to specify the parameters in a configuration file than to put them in a command line that is too long and hard to read.
This section does not examine the parameters, because they are already listed and described in the manual page of OpenVPN; it only describes how to establish a VPN with a Zeroshell OpenVPN server by using the command line:
For most of the operating systems on which OpenVPN works, precompiled binary packages exist. However, sometimes, especially for some Linux distributions, you may need to build OpenVPN from the source code. The build procedure is described below:
Once the lzo libraries and headers are installed, go back to the directory openvpn-2.0.9 and run the command again:
./configure --prefix=/usr
(*) The manner in which the users are authenticated depends on the OpenVPN server configuration. Zeroshell supports a multi-domain authentication system in which you have to configure the authentication source, which can be a Kerberos 5 KDC (local, external and trusted) or an external RADIUS server. One of these authentication domains is set to be the default domain. The users of the default domain do not need to specify the username in the form of username@domain (ex. fulvio@example.com). Notice that the domain name is not case sensitive, because if the domain is configured to be a Kerberos V realm, it is automatically converted to uppercase.