
OpenVPN: An Alternative to PPTP or IPSEC Clients

May 7th, 2009 by Paul Sterley | Filed in Not in the Windows Box, Windows Server, Workstation OS


Maybe your customer's ISP blocks PPTP. Maybe your customer's firewall doesn't forward PPTP's GRE traffic properly. Maybe you would prefer not to install an IPsec VPN client on your workstations, especially one that requires expensive licensing.

OpenVPN may be a good option for you.

I experimented with this today, using its most basic form. It wasn’t difficult to set up, and does the job well enough. You can run a VPN over a UDP or TCP port, which you can easily forward through most firewalls without having to worry about PPTP/GRE compatibility issues.

I tested it on Windows Server 2003 with an XP client, both 32-bit. The project states that it runs on 64-bit Vista, so it should work on SBS 2008 as well.


1. Download the software from here (command-line only) or here (GUI version). The GUI build adds an icon in the system tray for starting and stopping the VPN; otherwise the two are the same.

2. Install the app on both the server and the client computer.

3. Generate a static key by typing the following at a command prompt: openvpn --genkey --secret "c:\program files\openvpn\config\static.key"

This puts a file called static.key in the config folder. You can, of course, go for a more complicated config with dynamic keys, but for the purposes of my initial test, I went with a static key. Copy this key to the c:\program files\openvpn\config folder on both the client and the server. Note that this file is the only thing protecting the tunnel: it is a single shared secret with no forward secrecy, so anyone who obtains it can decrypt all traffic sent through the VPN, past and future. Copy it to the client over a channel you already trust, not in a clear-text e-mail.

4. Create a text file called vpnserver.ovpn in the c:\program files\openvpn\config folder, and populate it with the following:

dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key


In this example, 10.8.0.1 will be the IP address the server will use, and 10.8.0.2 will be the IP address of the client side of the VPN.


5. Create a text file called vpnclient.ovpn in the c:\program files\openvpn\config folder, and populate it with the following:

remote 1.2.3.4
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key


In this example, 1.2.3.4 is the external IP address of the NAT device that will forward the traffic to the OpenVPN server. You can use an FQDN here if you want. OpenVPN directives are lowercase, so write "remote", not "Remote".

Note that the IP addresses are reversed in the “ifconfig” line.


6. Configure the NAT device to forward UDP port 1194 to the OpenVPN server, and make sure the server's default gateway is set to the inside address of the NAT device. UDP 1194 is OpenVPN's default; the "port" and "proto" directives change it, and whatever you choose must be the port and protocol you forward.


7. At a command prompt on the server, execute "openvpn vpnserver.ovpn" from the config folder, or use the GUI icon in the system tray to start the VPN server.

8. At a command prompt on the client, execute "openvpn vpnclient.ovpn" from the config folder, or use the GUI icon in the system tray to start the VPN client.


The two should now connect to each other.

This is the simplest implementation of this VPN software. It can also open the entire local subnet of the OpenVPN server to the client (I tested this). You can set up dynamic keys, user accounts, etc. with the more advanced options.
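The following PowerShell script is an added example, not part of the original post: it carries out steps 3 to 5 above and adds the directives a practitioner would want in a static-key deployment (per-direction key halves, an explicit cipher and HMAC, keepalives, and the client-side route that exposes the server's LAN as described in the previous paragraph). It assumes OpenVPN 2.x is installed in C:\Program Files\OpenVPN; 1.2.3.4 and 192.168.1.0/24 are placeholders for the NAT device's public address and the server's LAN, not values from the post.

```powershell
# Added example (not the original post's own procedure). Builds a static-key
# OpenVPN server/client config pair. Run on the server; then copy static.key
# and vpnclient.ovpn to the client's config folder over a trusted channel.

$OpenVpnDir = 'C:\Program Files\OpenVPN'            # assumed install path
$ConfigDir  = Join-Path $OpenVpnDir 'config'
$KeyFile    = Join-Path $ConfigDir 'static.key'
$PublicAddr = '1.2.3.4'                              # placeholder: NAT device's public IP or FQDN
$ServerLan  = '192.168.1.0 255.255.255.0'            # placeholder: LAN behind the server
$Port       = 1194                                   # must match the NAT forwarding rule

# Step 3: generate the shared secret once. It is the only thing protecting the
# tunnel and offers no forward secrecy, so never generate a second copy on the
# client and never send it in the clear.
if (-not (Test-Path $KeyFile)) {
    & (Join-Path $OpenVpnDir 'bin\openvpn.exe') --genkey --secret $KeyFile
}

# Step 4: server side. 'secret static.key 0' selects key direction 0 so that
# each direction of the tunnel uses its own cipher and HMAC key material
# (the client uses direction 1). cipher/auth pin the algorithms instead of
# relying on the build's defaults; keepalive detects a dead peer and reconnects.
$serverConfig = @"
dev tun
proto udp
port $Port
ifconfig 10.8.0.1 10.8.0.2
secret static.key 0
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
verb 3
"@
Set-Content -Path (Join-Path $ConfigDir 'vpnserver.ovpn') -Value $serverConfig

# Step 5: client side, with the ifconfig addresses mirrored and direction 1.
# The route line sends the server's LAN through the tunnel; this only works
# once IP forwarding is enabled on the server (see the KB link below) and the
# LAN hosts can route 10.8.0.0/30 back to the server.
$clientConfig = @"
remote $PublicAddr $Port
proto udp
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key 1
cipher AES-256-CBC
auth SHA256
route $ServerLan
keepalive 10 60
persist-key
persist-tun
verb 3
"@
Set-Content -Path (Join-Path $ConfigDir 'vpnclient.ovpn') -Value $clientConfig

Write-Host "Wrote vpnserver.ovpn and vpnclient.ovpn to $ConfigDir."
Write-Host "Copy static.key and vpnclient.ovpn to the client, then start OpenVPN on both sides (steps 7 and 8)."
```

The cipher and auth lines must be identical on both sides; a mismatch shows up as HMAC or decrypt failures in the log rather than a clean error, so check those first if the tunnel comes up but passes no traffic. Changing $Port changes both configs, but the NAT forwarding rule in step 6 still has to be updated by hand.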


Links:

The Main How-To.

The Mini-How-To for the basic configuration I described above.

The MS KB Article to enable IP forwarding in order to open up the VPN to allow the client to use the entire subnet. 
