So yesterday I discovered that OpenVPN will happily tunnel over a SOCKS proxy, and proceeded to set it up to connect between my (Mac) laptop and my Mac server at home. Here's how to get it working with, I think, any combination of Windows, *nix, or OS X.
1. Use dyndns.com or some other dynamic DNS service to attach your home IP (see http://www.dyndns.com/services/dns/dyndns/). Make sure that your DSL modem/cable modem/home router is allowing through port 1194 (TCP) to the machine you're going to be using as a server.
2a. If you're on OS X, you need to install the TUN/TAP drivers. The easiest way to get these is by downloading tunnelblick and running it once; it will install tun.kext and tap.kext in /Library/Extensions. If you're feeling particular, you can use Show Package Contents on the tunnelblick app, and copy the kext files to /Library/Extensions from the Contents/Resources/ directory in the app package.
2b. If you're on Linux, you might need to load the TUN module: run "sudo modprobe tun".
3. Install OpenVPN 2.x on the client.
A. On a Mac, the easiest way is to use MacPorts. You can just run "sudo port install openvpn2" in a Terminal. There's also a GUI called Viscosity that works really well, but costs $9, and a free one called tunnelblick that I haven't tried.
B. On Windows, there's a GUI or a command-line version.
C. On Linux/BSD, use your package manager of choice. Just make sure you get version 2.x.
4. Install OpenVPN on the server; the install process is the same as for the client.
5. Generate SSL certificates for security. There's an OpenVPN HOWTO that has good directions for Windows and most *nix distributions. If you installed OpenVPN using MacPorts, the scripts referenced in the HOWTO will be in /opt/local/share/doc/openvpn2/easy-rsa. Follow the HOWTO through building both the client (./build-key client) and server (./build-key-server server) certificates as well as the Diffie-Hellman file (./build-dh). At the end, you should have six files:
- dh1024.pem
- server.crt
- server.key
- client.crt
- client.key
- ca.crt
- ca.key
Make a directory on your laptop for holding the client certificates (this directory can be anywhere) and put a copy of ca.crt, client.crt, and client.key in it.
Make a directory on the server for holding the server certificates, and put a copy of ca.crt, server.crt, server.key in it.
6. Configure the server. This is a little tricky, because it's easy to allow the client to connect to the server, but getting from there out to the internet requires some fanciness.
First, create a configuration file for openvpn; just paste the following into a text file on the server (call it server.conf or something). Change the paths as appropriate.
Code:
port 1194
proto tcp
dev tun
ca [B]/path/to/ca.crt[/B]
cert [B]/path/to/server.crt[/B]
key [B]/path/to/server.key[/B]
dh [B]/path/to/dh1024.pem[/B]
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS [B]208.67.222.222[/B]" # this is OpenDNS; change if you want
keepalive 10 120
comp-lzo
persist-key
persist-tun
A. On Mac OS X: You're basically enabling Internet Sharing, but without the DHCP server. Do this by opening Terminal and running:
Code:
sudo sysctl -w net.inet.ip.fw.enable=1 # enable the firewall
sudo sysctl -w net.inet.ip.forwarding=1 # enable IP forwarding
sudo natd -n en0 -dynamic -clamp_mss # enable network sharing
B. On BSDs, do the same thing as on a Mac (you might need to install NATD).
C. On Linux (Ubuntu, anyway), the firewall/NAT are rolled into one:
Code:
sudo sysctl -w net.ipv4.ip_forward=1 # enable IP forwarding
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE # enable network sharing
D. On Windows, you have to make a couple of changes to server.conf. Change the "server 10.8.0.0 255.255.255.0" line to read "server 192.168.0.0 255.255.255.0" and the line "dev tun" to read "dev tap". Then follow the directions here to enable Internet Connection Sharing (stop reading when he gets to the part about the configuration files).
7. Start OpenVPN on the server. From the command line, run:
Code:
openvpn2 [B]/path/to/server.conf[/B]
8. Configure OpenVPN on the client by creating a configuration file (call it client.conf) containing the following:
Code:
persist-key
tls-client
remote www.aradine.com 1194
proto tcp-client
port 1194
ca [B]/path/to/ca.crt[/B]
cert [B]/path/to/client.crt[/B]
key [B]/path/to/client.key[/B]
redirect-gateway def1
dev tun
persist-tun
comp-lzo
nobind
socks-proxy localhost 1080
pull
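Before starting either side, it is worth checking the two configs against each other. The script below is an added example, not part of the original post: a POSIX sh pre-flight check for the server.conf from step 6 and the client.conf from step 8. It verifies that every ca/cert/key/dh path exists, that private keys are mode 600, that proto, port and comp-lzo agree between the two sides (server "proto tcp" pairs with client "proto tcp-client"), and that the client pins the server certificate's role with "remote-cert-tls server" (without that line, any other client certificate signed by the same CA would be accepted as the server). The demo configs it writes, the placeholder credential files under a temporary directory, and the hostname vpn.example.invalid are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# server.conf/client.conf pair above. Catches a missing ca/cert/key/dh file, a
# private key readable by other users, a proto/port/comp-lzo mismatch between
# the sides, and a client that never checks for a *server* certificate. The demo
# configs, placeholder paths and vpn.example.invalid are constructed here.

# conf_get FILE DIRECTIVE: print the directive's arguments (empty if absent),
# with any trailing "# comment" removed.
conf_get() {
    awk -v d="$2" '$1 == d { sub(/[ \t]*#.*$/, ""); $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# check_files CONF: fail on missing ca/cert/key, unreadable file, or an open key.
check_files() {
    conf=$1; rc_f=0
    for dv in ca cert key dh; do
        p=$(conf_get "$conf" "$dv")
        if [ -z "$p" ]; then
            [ "$dv" = dh ] || { echo "$conf: no '$dv' directive"; rc_f=1; }  # dh is server-only
        elif [ ! -r "$p" ]; then
            echo "$conf: $dv file '$p' is missing or unreadable"; rc_f=1
        elif [ "$dv" = key ]; then
            case $(ls -ld "$p" | cut -c5-10) in   # group and other permission bits of ls -l
                ------) ;;
                *) echo "$conf: key '$p' is readable by others; chmod 600 it"; rc_f=1 ;;
            esac
        fi
    done
    return $rc_f
}

# check_pair SERVER_CONF CLIENT_CONF: fail if the sides disagree on proto, port, or comp-lzo.
check_pair() {
    s=$1; c=$2; rc_p=0
    sp=$(conf_get "$s" proto); cp=$(conf_get "$c" proto)
    case "$sp/$cp" in
        tcp/tcp-client|tcp-server/tcp-client|udp/udp) ;;
        *) echo "proto mismatch: server '$sp' vs client '$cp'"; rc_p=1 ;;
    esac
    sport=$(conf_get "$s" port)
    rport=$(conf_get "$c" remote | awk '{ print $2 }'); rport=${rport:-1194}
    [ "$sport" = "$rport" ] || { echo "port mismatch: server $sport vs remote $rport"; rc_p=1; }
    if grep -q '^comp-lzo' "$s"; then sl=yes; else sl=no; fi
    if grep -q '^comp-lzo' "$c"; then cl=yes; else cl=no; fi
    [ "$sl" = "$cl" ] || { echo "comp-lzo on one side only (server=$sl client=$cl)"; rc_p=1; }
    return $rc_p
}

# check_client CLIENT_CONF: fail unless the client requires a server-role
# certificate; otherwise any client certificate from the same CA passes as the server.
check_client() {
    if grep -q '^remote-cert-tls server' "$1" || grep -q '^ns-cert-type server' "$1"; then return 0; fi
    echo "$1: add 'remote-cert-tls server' ('ns-cert-type server' on OpenVPN 2.0)"; return 1
}

# make_pair DIR GOOD|BAD: write a constructed config pair plus empty placeholder
# credential files into DIR. BAD: client.key mode 644, proto udp, no cert check.
make_pair() {
    dest=$1; mode=$2
    mkdir -p "$dest"
    for f in ca.crt server.crt server.key dh1024.pem client.crt client.key; do : > "$dest/$f"; done
    chmod 600 "$dest/server.key" "$dest/client.key"
    cat > "$dest/server.conf" <<EOF
port 1194
proto tcp
ca $dest/ca.crt
cert $dest/server.crt
key $dest/server.key
dh $dest/dh1024.pem
server 10.8.0.0 255.255.255.0
comp-lzo
EOF
    cproto=tcp-client; pin='remote-cert-tls server'
    if [ "$mode" = BAD ]; then cproto=udp; pin='# no server-certificate check'; chmod 644 "$dest/client.key"; fi
    cat > "$dest/client.conf" <<EOF
remote vpn.example.invalid 1194   # assumed hostname: use your dyndns name
proto $cproto
ca $dest/ca.crt
cert $dest/client.crt
key $dest/client.key
$pin
comp-lzo
socks-proxy localhost 1080
EOF
}

# run_demo GOOD|BAD: build a pair in a temp dir and run every check (0 = ready).
run_demo() {
    tmp=$(mktemp -d); bad=0
    make_pair "$tmp" "$1"
    check_files "$tmp/server.conf" || bad=1
    check_files "$tmp/client.conf" || bad=1
    check_pair "$tmp/server.conf" "$tmp/client.conf" || bad=1
    check_client "$tmp/client.conf" || bad=1
    rm -rf "$tmp"
    return $bad
}

# Stand-alone: check the demo pairs. For real files, call the three check_* functions.
run_demo GOOD && echo "GOOD pair: ok"
run_demo BAD || echo "BAD pair: problems found (expected)"
```

To use it on your own files, source the script and run check_files, check_pair and check_client against your server.conf and client.conf before starting openvpn2; a non-zero return from any of them points at the line to fix. The remote-cert-tls check is the security-relevant one: easy-rsa's build-key-server marks the server certificate as a server certificate precisely so that the client can insist on it.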
9. Enable USB debugging on your phone, start the SOCKS proxy in Tetherbot, start Android tethering, and then run OpenVPN on the client by opening a terminal and running:
Code:
[B]/path/to/AndroidSDK[/B]/tools/adb forward tcp:1080 tcp:1080
openvpn2 [B]/path/to/client.conf[/B]
10. Browse the internet, use IM, whatever. No extra configuration is needed. To kill OpenVPN, just hit Ctrl-C in the window where you ran it. If you don't reboot your server, you can reconnect over and over again.
Good luck!
Side bonus: access to your home network from anywhere. If you remove the "socks-proxy" line from client.conf, you can connect when you're not using Android tethering.