====== building and configuring openvpn ======
For OS X Mavericks, see the [[tunnelblick]] page
===== 12/21/2012 =====
* downloaded source from http://openvpn.net/index.php/open-source/downloads.html
* tried typical build procedure, but it complained about LZO: ''checking for lzo1x.h... no LZO headers were not found LZO library available from http://www.oberhumer.com/opensource/lzo/ configure: error: Or try ./configure --disable-lzo''
* downloaded LZO source from mirror shown at http://www.oberhumer.com/opensource/lzo/#download
* built LZO using typical build procedure, then ran sudo make install
* typical build procedure now ran on openvpn, but make failed with this:
socket.c: In function ‘create_socket_udp’:
socket.c:613: error: ‘SOL_IP’ undeclared (first use in this function)
socket.c:613: error: (Each undeclared identifier is reported only once
socket.c:613: error: for each function it appears in.)
socket.c: In function ‘link_socket_read_udp_posix_recvmsg’:
socket.c:2242: error: ‘SOL_IP’ undeclared (first use in this function)
socket.c: In function ‘link_socket_write_udp_posix_sendmsg’:
socket.c:2323: error: ‘SOL_IP’ undeclared (first use in this function)
make[2]: *** [socket.o] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2
* patched syshead.h similar to the following (actual patch info was from another version of the source) Index:
dports/net/openvpn2/files/patch-syshead.h.diff
=================================================================== ---
dports/net/openvpn2/files/patch-syshead.h.diff (revision 0) +++
dports/net/openvpn2/files/patch-syshead.h.diff (revision 0) @@ -0,0 +1,18 @@
+diff -ur syshead.h syshead.h +--- syshead.h 2011-06-23 23:13:39.000000000
-0700 ++++ syshead.h 2011-07-26 14:49:07.000000000 -0700 +@@ -392,6 +392,13
@@ + #endif + + /* ++ * Define a proper IP socket level if not already done.
++ */ ++#ifndef SOL_IP ++#define SOL_IP IPPROTO_IP ++#endif ++ ++/* + *
Disable ESEC + */ + #if 0 +
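Review bot: the comment added above `#ifndef SOL_IP` in the syshead.h hunk ("Define a proper IP socket level if not already done") does not say which platforms lack SOL_IP or why IPPROTO_IP is the right substitute, so the next reader cannot tell whether the fallback is still needed. Suggest naming the platform in the comment, since the define now silently affects all three socket.c call sites that failed to compile (lines 613, 2242 and 2323). Also note that this is a diff wrapped inside a port's patch file (every line carries an extra leading `+`) and its `@@ -392,6 +392,13 @@` offsets come from a different source version, so the inner diff has to be unwrapped and the context before "Disable ESEC" checked by hand before applying it to this tree.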
* reran make, completed successfully, then ran sudo make install
* nothing further was done at this time to run it, other than looking at the help
===== 12/22/2012 =====
* downloaded command line tools only from Apple to get gcc (this is since we updated to Lion and didn't want to wait to download a new xcode)
* built openvpn the same as before
* tried to set up some configuration files for client and server, but it wouldn't work because apparently we didn't have tun/tap stuff
* downloaded binaries for tun/tap from http://tuntaposx.sourceforge.net/, even though they didn't list Lion support
* installed binaries on both laptop and mini
* set up port forwarding on the router to the mini at port 1194
* set up successful connection by using easytether on the mobile phone connected to the laptop with wifi disabled
* however, even though we could do things like ssh and screen sharing to 192.168.3.250, we couldn't access anything else on the network, or even ping the mini at 192.168.3.109 (the actual address of the mini on the lan)
===== 12/27/2012 =====
* enabled ip forwarding on the mac:
sudo sysctl -w net.inet.ip.forwarding=1
* on the server, the proto udp line was changed to proto tcp-server
* on the client, the proto udp line was changed to proto tcp-client
* on the router, under Advanced Routing, added a route for 10.8.0.0, 255.255.255.0 to have a gateway of 192.168.3.109
* the push route command in the server config would not add a route on the client, so we had to add "route 192.168.3.0 255.255.255.0" in the client config file; reviewed routing tables with netstat -nr to verify that 192.168.3.0 showed a route
* network resources on the server lan are now available to the client
* changed default port to something else for security
* set up tunnelblick to start the server automatically at boot, after changing the tunnelblick configuration from private to shared
* after reboot, the ip forwarding setting didn't stay, so we had to create an /etc/sysctl.conf file with contents of:
net.inet.ip.forwarding=1
===== finished client configuration file =====
mode p2p
proto tcp-client
dev tun
#remote 1194
remote
ifconfig 10.8.0.2 10.8.0.1
verb 3
secret
comp-lzo
# this route combined with a route for 10.8.0.0 to point to 192.168.3.109 on my
# router allows the vpn client to access all lan resources of the server
route 192.168.3.0 255.255.255.0
# these lines were supposed to make the connection more resistant to failures
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
===== finished server configuration file =====
mode p2p
proto tcp-server
dev tun
#port 1194
port
ifconfig 10.8.0.1 10.8.0.2
verb 3
secret
comp-lzo
# these lines were supposed to make the connection more resistant to failures
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
# couldn't get this to push the new route to the client, so I am just adding
# the route in the client config file
#push "route 192.168.3.0 255.255.255.0"
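
The two finished files above only work as a pair: the transports have to match up, the ''ifconfig'' endpoints have to be mirrored, and ''comp-lzo'', ''secret'' and the port have to agree on both ends. The following is an added example, not part of the original notes, that checks a client/server pair for those mismatches before deploying it; the host name ''vpn.example.net'', the key file name ''static.key'' and port 1194 in the sample configs are constructed placeholders.

```python
# Added example; sample configs are constructed (placeholder host and key file).
PROTO_PAIRS = {("udp", "udp"), ("tcp-client", "tcp-server")}

def parse(text):
    """Map each directive to its argument list, ignoring '#' and ';' comments."""
    opts = {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split(";", 1)[0].split()
        if words:
            opts[words[0]] = words[1:]
    return opts

def check_pair(client_text, server_text):
    """Return the mismatches between the two ends of a static-key p2p tunnel."""
    c, s = parse(client_text), parse(server_text)
    problems = []
    proto = lambda o: (o.get("proto") or ["udp"])[0]   # OpenVPN defaults to udp
    if (proto(c), proto(s)) not in PROTO_PAIRS:
        problems.append("proto: transports do not pair up")
    if c.get("dev") != s.get("dev"):
        problems.append("dev: device types differ")
    if not c.get("ifconfig") or c["ifconfig"] != s.get("ifconfig", [])[::-1]:
        problems.append("ifconfig: local/remote endpoints are not mirrored")
    if ("comp-lzo" in c) != ("comp-lzo" in s):
        problems.append("comp-lzo: enabled on one end only")
    for side, opts in (("client", c), ("server", s)):
        if not opts.get("secret"):
            problems.append(f"secret: {side} names no static key file")
    remote = c.get("remote") or []
    if not remote:
        problems.append("remote: client names no server address")
    elif (remote[1:2] or c.get("port") or ["1194"]) != (s.get("port") or ["1194"]):
        problems.append("port: client and server ports differ")
    return problems

CLIENT = """proto tcp-client
dev tun
remote vpn.example.net 1194
ifconfig 10.8.0.2 10.8.0.1
secret static.key
comp-lzo
"""
SERVER = """proto tcp-server
dev tun
port 1194
ifconfig 10.8.0.1 10.8.0.2
secret static.key
comp-lzo
"""
```

Calling ''check_pair(CLIENT, SERVER)'' returns an empty list for a consistent pair and one message per mismatch otherwise.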