This page assumes that you already have an OpenVPN server ready to accept VPN connections from its clients, and that you have obtained, in PEM format, the certificate of the Certification Authority (CA) that signed the OpenVPN server's certificate.
Because of the large number of parameters that can be set either in the configuration file or on the command line, OpenVPN can be configured in many different ways. To connect to an OpenVPN server, however, you only need to define a small number of them in the client's configuration file. To simplify the configuration of the OpenVPN client further, you can start from the example configuration below:
#============================================================================#
# Specify the Hostname or the IP, the port and the protocol (tcp or udp)     #
# to reach the OpenVPN Server.                                               #
# The Hostname can be a dynamic FQDN such as a DynDNS one.                   #
#============================================================================#
remote zeroshell.example.com 1194
proto udp
#============================================================================#
# You must specify this parameter if you want the Username and Password      #
# request to appear. Comment it if you only use X.509 Authentication.        #
#============================================================================#
auth-user-pass
#============================================================================#
# You need to specify the file which contains the certificate (PEM format)   #
# of the Certification Authority that signed the OpenVPN server certificate. #
# You can export it by clicking the hyperlink CA on the login page of        #
# ZeroShell.                                                                 #
# Notice that you need to specify this parameter also if you use             #
# "Password Only" Authentication.                                            #
#============================================================================#
ca CA.pem
#============================================================================#
# If you want to use the Client X.509 Authentication you must specify        #
# a client certificate and the related private key in pem format.            #
# You can merge both in the same file.                                       #
#============================================================================#
;cert client.pem
;key client.pem
#============================================================================#
# You should not need to change these settings.                              #
#============================================================================#
comp-lzo
verb 3
mute 20
resolv-retry infinite
nobind
client
dev tap
persist-key
persist-tun
- remote zeroshell.example.com 1194
Replace zeroshell.example.com with the hostname or the IP address of the OpenVPN server. Zeroshell's default configuration has the OpenVPN service listen on port 1194 (TCP or UDP, depending on how your OpenVPN server is configured), so you must not change the second parameter (1194).
- ca CA.pem
The ca parameter specifies a file (in PEM format) that contains the certificate of the X.509 Certification Authority that signed the server certificate. If you save the CA certificate with the name CA.pem in the same directory as the configuration file, you do not need to change the parameter; otherwise you must specify the absolute path of the file.
Keep in mind that the CA certificate is required even if you do not use X.509 client authentication but "Password Only" authentication (the default in Zeroshell): the client uses it to verify that it is talking to the real server. Obtain it through the HTTPS login page of Zeroshell rather than from an untrusted source, because a client that trusts a substituted CA file can be connected to an impostor server without noticing.
Note that you will always have to edit the configuration file by hand, because the graphical user interfaces described below do not help you create or maintain the OpenVPN configuration. They only connect and disconnect the VPN and prompt for the username and password when these are required.
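Since the configuration file is edited by hand, the mistakes described above (the placeholder hostname left in place, a CA.pem that is not next to the .ovpn file, a client certificate without its key) are easy to make and only show up as a failed connection. The following script is an added example, not part of the Zeroshell documentation or of OpenVPN itself: it parses a client configuration, checks the directives discussed above, and also flags a setting the example file does not contain, remote-cert-tls server (ns-cert-type server on OpenVPN 2.0), without which any certificate issued by the same CA, for instance another client's, would be accepted as the server's. The function names, the sample configuration (the example above with the comment banners removed) and the check list are assumptions made for this example.

```python
import os

# Constructed sample: the example client configuration from this page with the
# comment banners stripped. Embedded so the script runs without any files.
SAMPLE_OVPN = """\
remote zeroshell.example.com 1194
proto udp
auth-user-pass
ca CA.pem
;cert client.pem
;key client.pem
comp-lzo
verb 3
mute 20
resolv-retry infinite
nobind
client
dev tap
persist-key
persist-tun
"""

# Directives the text treats as indispensable for a Zeroshell client.
REQUIRED = ("remote", "ca", "client", "dev")


def parse_ovpn(text):
    """Map each active directive to the list of its argument lists.

    OpenVPN treats lines beginning with '#' or ';' as comments, so the
    commented-out cert/key lines in the sample are not active directives.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def check_ca_file(ca_arg, config_dir):
    """Resolve the ca argument as the text describes: a relative name is looked
    up in the configuration file's directory, an absolute path is used as is.
    Returns (resolved path, exists)."""
    path = ca_arg if os.path.isabs(ca_arg) else os.path.join(config_dir, ca_arg)
    return path, os.path.isfile(path)


def lint_ovpn(text, config_dir=None):
    """Return a list of findings; an empty list means nothing was found.

    config_dir is the directory holding the .ovpn file; pass None to skip the
    check that the CA file actually exists.
    """
    d = parse_ovpn(text)
    findings = []

    for name in REQUIRED:
        if name not in d:
            findings.append(f"missing required directive: {name}")

    for args in d.get("remote", []):
        if len(args) < 2 or args[1] != "1194":
            findings.append(f"remote should keep port 1194 (Zeroshell default): remote {' '.join(args)}")
        if args and args[0] == "zeroshell.example.com":
            findings.append("remote still uses the placeholder zeroshell.example.com")

    for args in d.get("ca", []):
        if not args:
            findings.append("ca directive has no file name")
        elif config_dir is not None:
            path, exists = check_ca_file(args[0], config_dir)
            if not exists:
                findings.append(f"ca file not found: {path}")

    # At least one way to authenticate the client must be active, and a client
    # certificate is useless without its private key (and vice versa).
    has_cert, has_key = "cert" in d, "key" in d
    if "auth-user-pass" not in d and not (has_cert and has_key):
        findings.append("no client authentication: enable auth-user-pass or both cert and key")
    elif has_cert != has_key:
        findings.append("cert and key must both be set for X.509 client authentication")

    # Without one of these, any certificate issued by the same CA is accepted
    # as the server's. remote-cert-tls needs OpenVPN 2.1 or later and a server
    # certificate carrying the TLS server role; ns-cert-type server is the
    # OpenVPN 2.0 equivalent.
    if "remote-cert-tls" not in d and "ns-cert-type" not in d:
        findings.append("add 'remote-cert-tls server' so only a server certificate is accepted")

    return findings


if __name__ == "__main__":
    for finding in lint_ovpn(SAMPLE_OVPN) or ["no findings"]:
        print(finding)
```

Run against the sample, the script reports the untouched placeholder hostname and the missing remote-cert-tls directive; once the hostname is replaced and remote-cert-tls server is appended, it reports nothing. Adding remote-cert-tls server only works if the server certificate was issued with the TLS server extended key usage, so check the certificate before relying on it.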
To install OpenVPN GUI for Windows on Microsoft Windows XP (32 or 64 bit), follow the steps below:
- Download the installer from http://openvpn.se/download.html. Choose the package that bundles the GUI together with the OpenVPN software;
- Start the installation. Accept the default options and confirm the installation of the TAP-Win32 Adapter V8 device (the virtual Ethernet interface used by OpenVPN).
When the installer has finished, the tray bar contains the OpenVPN icon: two red terminals with the Earth globe symbol. The terminals turn yellow while OpenVPN is trying to establish the connection and green once you are connected to the VPN;
- In the Windows Start Menu, click [Start]->[All Programs]->[OpenVPN]->[OpenVPN configuration file directory]. This opens the configuration folder, into which you must copy the file zeroshell.ovpn (the OpenVPN configuration) and the file CA.pem (the X.509 Certification Authority certificate). See the section above for how to obtain these files;
- Edit the file zeroshell.ovpn and replace zeroshell.example.com with the hostname or the IP address of the OpenVPN router;
- At this point you have finished installing and configuring the OpenVPN client and its GUI. Double-click the OpenVPN icon in the tray bar to start the VPN connection. A dialog box appears asking for the username and password. If authentication succeeds, the VPN connection is established and the two yellow terminals turn green.
Right-clicking the OpenVPN icon in the tray bar opens a context menu with several useful entries: Connect, Disconnect, Show Status, View Log, Edit Config, Proxy Settings. The View Log entry is particularly useful for troubleshooting connection problems, because it shows the reason for the failure.
If the VPN is connected (the two terminals are green) but you cannot reach the remote LAN or the Internet through it, run the ipconfig /all command from the Windows prompt. Here is an example of the output lines for the virtual Ethernet interface:
Ethernet adapter Local Area Connection 7:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : TAP-Win32 Adapter V8
        Physical Address. . . . . . . . . : 00-FF-AD-63-83-3D
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.250.51
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.250.254
        DHCP Server . . . . . . . . . . . : 192.168.0.0
        DNS Servers . . . . . . . . . . . : 192.168.250.254
        Lease Obtained. . . . . . . . . . : 16 September 2007 19.51.37
        Lease Expires . . . . . . . . . . : 15 September 2008 19.51.37
To be sure that IP traffic is actually routed across the VPN, and hence encrypted, check that the IP address and the default gateway assigned to the TAP virtual interface belong to the remote LAN you are connected to. To check this condition further, you can also use the tracert /d <Remote IP Address> command: if the first hop that i
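The addressing check just described can be automated so that it is applied the same way every time. The script below is an added example and not part of the Zeroshell documentation or of OpenVPN: it parses the text format of ipconfig /all as Windows XP prints it, finds the TAP-Win32 adapter, and verifies that its IP address, subnet mask and default gateway all place it on the remote LAN. The sample output is the excerpt shown above, embedded so the script runs without a VPN, and the function names and the remote LAN prefix passed to the check are assumptions made for this example.

```python
import ipaddress

# Constructed sample: the Windows XP "ipconfig /all" excerpt reproduced on this
# page for the TAP-Win32 adapter, embedded so the script runs without a VPN.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection 7:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : TAP-Win32 Adapter V8
        Physical Address. . . . . . . . . : 00-FF-AD-63-83-3D
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.250.51
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.250.254
        DHCP Server . . . . . . . . . . . : 192.168.0.0
        DNS Servers . . . . . . . . . . . : 192.168.250.254
        Lease Obtained. . . . . . . . . . : 16 September 2007 19.51.37
        Lease Expires . . . . . . . . . . : 15 September 2008 19.51.37
"""


def parse_ipconfig(text):
    """Split 'ipconfig /all' output into {adapter header: {field: value}}.

    Adapter headers are unindented lines ending in ':'; fields are indented
    'Name . . . : value' lines, whose dotted padding is stripped from the key.
    Lines before the first adapter header (host name and so on) are ignored.
    """
    adapters, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace() and raw.rstrip().endswith(":"):
            current = raw.strip()[:-1]
            adapters[current] = {}
        elif current is not None and ":" in raw:
            name, _, value = raw.partition(":")
            key = " ".join(name.replace(".", " ").split())
            adapters[current][key] = value.strip()
    return adapters


def find_tap_adapter(adapters):
    """Return (header, fields) of the adapter whose Description names the
    OpenVPN TAP-Win32 driver, or (None, None) if it is not present."""
    for header, fields in adapters.items():
        if "TAP-Win32" in fields.get("Description", ""):
            return header, fields
    return None, None


def check_vpn_addressing(fields, remote_lan):
    """Apply the check from the text: the TAP adapter's IP address and default
    gateway must both lie inside the remote LAN, and the pushed subnet mask
    must describe that LAN. Returns (ok, reason)."""
    lan = ipaddress.ip_network(remote_lan)
    ip = fields.get("IP Address", "")
    mask = fields.get("Subnet Mask", "")
    gw = fields.get("Default Gateway", "")

    if not ip or ip == "0.0.0.0":
        return False, "no IP address on the TAP adapter: the server pushed none"
    if ipaddress.ip_address(ip) not in lan:
        return False, f"IP address {ip} is outside the remote LAN {lan}"
    if mask:
        adapter_net = ipaddress.ip_interface(f"{ip}/{mask}").network
        if adapter_net != lan:
            return False, f"subnet mask {mask} gives {adapter_net}, not the remote LAN {lan}"
    if not gw:
        return False, "no default gateway on the TAP adapter: traffic is not routed through the VPN"
    if ipaddress.ip_address(gw) not in lan:
        return False, f"default gateway {gw} is outside the remote LAN {lan}"
    return True, f"{ip} via {gw}: traffic to and beyond {lan} goes through the VPN"


if __name__ == "__main__":
    header, tap = find_tap_adapter(parse_ipconfig(SAMPLE_IPCONFIG))
    print(header)
    print(check_vpn_addressing(tap, "192.168.250.0/24"))
```

On a real machine, feed the script the output of ipconfig /all (for example by redirecting it to a file and reading that file) and pass the prefix of the LAN behind the Zeroshell router as remote_lan; a gateway outside that prefix or an empty gateway field is the symptom behind "connected but nothing reachable" described above.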