Seamless Tech Support for Nan and Grandad - Setting up a VPN to my parents' home network (for Mac OS X)

I've been using screen sharing to help guide my parents into the digital age. It is wonderful to be able to virtually look over their shoulders and show them how they can use their email, etc. I was using LogMeIn to help them, but now their home network has grown to include a small backup server, a Vonage router, and wireless networking that I wanted better access to, so I can occasionally give these devices a virtual kick in the pants. So I set up a VPN server.

It's wonderful. Click on a menu and I'm in and able to guide and/or troubleshoot to my heart's content.

For those wanting to do a similar setup, here are the steps (and links) to get you there:

Get a Router and install Linux OS

  1. Buy a cheap router that'll do Linux firmware and offer a VPN server. Best current deal (~$38 with rebate) is the Asus WL-520G.
  2. The best source of help I've found is on the linksysinfo.org site, specifically here. Sign up for a free account if you need to download files from them.
  3. Download Tomato/VPN Firmware from here. (If you are the engineer type that loves to tinker you can do DD-WRT; I prefer something that just works.)
  4. Get a Windoze OS running on VirtualBox (free) and follow these instructions to install it on your new router (note: use my link above to download Tomato because it includes the OpenVPN software).

Configure the Router

  1. Though not critical you'll want to set up a different subnet from your own, for the remote network. My home network is 192.168.1.x and my parents' is 192.168.15.x.
  2. Configure the admin settings to allow SSH and remote access, and set your own ports (for better security). You'll also want to turn on logging.
  3. Set up a dyndns.org account, so you can always get access to your router via a consistent URL. Set it up in the router via Basic/DDNS.
  4. Now you'll need to set up VPN authorization and security. Many posts out there suggest setting up static keys, which is fine if you trust you'll always have your home computer working when you want access (I and my computer's gremlins know better). I opted for a more robust Certificate Authority setup. It really is not difficult. Just follow these instructions to get your keys all set up in a folder on your local computer.
  5. In the flashed router, you should now have the red and white Tomato interface. On the left side you should see a menu. One option is VPN Tunneling, with sub options for Server and Client.

This is what my Server1/Basic tab looks like:

This is what my Server1/Advanced tab looks like:

And this is what my Server1/Keys tab looks like:

The trick is to copy and paste the right stuff into the four different fields. You need two .crt files, one .key file and one .pem file (it should be self-explanatory).

Reboot the router. Check your logs and you should be set to access your VPN server from outside the network.

Set up Tunnelblick and Screen Sharing Menulet

  1. For easy access to an OpenVPN server via Mac OS X there are two flavors of GUI software to try out. I'm using the free Tunnelblick, which suits me fine for my purposes. There is also the shareware Viscosity, which has a really nice(r) interface. Tunnelblick requires that you do the configuration via a (non-GUI) text file.
  2. The config file goes into ~/Library/Application Support/Tunnelblick/Configurations, along with the client keys and local .crt file. Whatever you name this file will show up in the Tunnelblick menu - "Connect 'myfilesname'". Here's what my config file looks like:

    ##############################################
    # Sample client-side OpenVPN 2.0 config file #
    # for connecting to multi-client server.     #
    #                                            #
    # This configuration can be used by multiple #
    # clients, however each client should have   #
    # its own cert and key files.                #
    #                                            #
    # On Windows, you might want to rename this  #
    # file so it has a .ovpn extension           #
    ##############################################
    
    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client
    
    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    ;dev tap
    dev tun
    
    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one.  On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    ;dev-node MyTap
    
    # Are we connecting to a TCP or
    # UDP server?  Use the same setting as
    # on the server.
    ;proto tcp
    proto udp
    
    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote NAME_OF_REMOTE_DOMAIN 1194
    ;remote my-server-2 1194
    
    # Choose a random host from the remote
    # list for load-balancing.  Otherwise
    # try hosts in the order specified.
    ;remote-random
    
    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server.  Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite
    
    # Most clients don't need to bind to
    # a specific local port number.
    nobind
    
    # Downgrade privileges after initialization (non-Windows only)
    ;user nobody
    ;group nobody
    
    # Try to preserve some state across restarts.
    persist-key
    persist-tun
    
    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here.  See the man page
    # if your proxy server requires
    # authentication.
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]
    
    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings
    
    # SSL/TLS parms.
    # See the server config file for more
    # description.  It's best to use
    # a separate .crt/.key file pair
    # for each client.  A single ca
    # file can be used for all clients.
    ca ca.crt
    cert client1.crt
    key client1.key
    
    # Verify server certificate by checking
    # that the certificate has the nsCertType
    # field set to "server".  This is an
    # important precaution to protect against
    # a potential attack discussed here:
    #  http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server".  The build-key-server
    # script in the easy-rsa folder will do this.
    ;ns-cert-type server
    
    # If a tls-auth key is used on the server
    # then every client must also have the key.
    ;tls-auth ta.key 1
    
    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
    ;cipher x
    
    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    comp-lzo
    
    # Set log file verbosity.
    verb 3
    
    # Silence repeating messages
    ;mute 20
    
  3. Try making a connection using the Details option in the Tunnelblick menu and you'll see the log and status of the connection. You can also test your connection by pinging any device on the remote network that'll respond. FYI, you can use Tomato to wake up any computer that has Wake On LAN enabled by choosing Tools/WOL (all Macs with Ethernet connections can do this; some of the newer Macs can do this wirelessly, some can't - Google 'WWOL OS X').
  4. The last thing I want to have to bother with is manually choosing my screen to share (I didn't bother trying to get Bonjour to work). I simply downloaded the nifty ScreenSharingMenulet application, which puts a little chooser menu icon in your Finder's menu bar.
  5. I configured System Preferences/Accounts login items to include both Tunnelblick and ScreenSharingMenulet and it works really, really well.
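As an added example (not from the original post), here is a small Python lint for the Tunnelblick client config above. It parses OpenVPN's directive syntax, treating `;` lines as disabled options, and reports the settings the sample leaves off: the placeholder `remote` host, the commented-out `ns-cert-type server` check that the config's own comment calls an important precaution, and `tls-auth`. The `SAMPLE_CONFIG` is a constructed excerpt of the post's file; `remote-cert-tls` is the newer OpenVPN directive that serves the same purpose as `ns-cert-type` and is not on the page.

```python
# Constructed sample: the security-relevant directives from the post's
# Tunnelblick config, keeping the ';'-disabled lines so they can be reported.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote NAME_OF_REMOTE_DOMAIN 1194
ca ca.crt
cert client1.crt
key client1.key
;ns-cert-type server
;tls-auth ta.key 1
comp-lzo   # compression, irrelevant to the lint
"""

def parse_openvpn(text):
    """Return (active, disabled) dicts mapping directive -> list of arg lists.
    '#' starts a comment; a leading ';' disables the line (kept in 'disabled')."""
    active, disabled = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        target = active
        if line.startswith(";"):
            target, line = disabled, line[1:].strip()
        if line:
            words = line.split()
            target.setdefault(words[0], []).append(words[1:])
    return active, disabled

def lint_client_config(text):
    """List findings about server verification and key material."""
    active, disabled = parse_openvpn(text)
    findings = []
    for needed in ("ca", "cert", "key"):
        if needed not in active:
            findings.append("missing '%s' directive" % needed)
    remotes = active.get("remote", [])
    if not remotes:
        findings.append("no 'remote' server configured")
    elif any(args and args[0] == "NAME_OF_REMOTE_DOMAIN" for args in remotes):
        findings.append("'remote' still has the placeholder host")
    # Either ns-cert-type (legacy) or remote-cert-tls makes the client reject a
    # certificate that was not issued as a server certificate by your CA.
    if "ns-cert-type" not in active and "remote-cert-tls" not in active:
        hint = " (ns-cert-type is present but commented out)" if "ns-cert-type" in disabled else ""
        findings.append("server certificate type is not verified" + hint)
    if "tls-auth" not in active:
        findings.append("tls-auth not enabled (needs the same ta.key on router and client)")
    return findings
```

Running `lint_client_config(SAMPLE_CONFIG)` returns three findings; once the host is filled in and the two `;` lines are uncommented (with the matching settings on the router), it returns an empty list.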

I know this has not been the most detailed blog, but I hope it helps someone!
