├── LICENSE
├── README.md
├── images
│   ├── OpenVPN_iPad.PNG
│   ├── Tunnelblick Advanced Settings.png
│   └── Tunnelblick Settings.png
├── openvpn-client-tun.ovpn
├── openvpn-server-tun.tblk
│   └── config.ovpn
├── pf.conf
├── readme-and-install.sh
├── sysctl.conf
└── vars

/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2014 essandess

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
macos-openvpn-server
====================

# macOS OpenVPN Server and Client Configuration

This repo describes how to build an OpenVPN VPN server on macOS using pfctl and [Tunnelblick](../../../../Tunnelblick/Tunnelblick).
This configuration provides a TLS-based VPN server using EC ed25519 certificates and UDP port 443, accessible by any OpenVPN client, especially iOS with the OpenVPN app.

![OpenVPN iPad](images/OpenVPN_iPad.PNG)

## Installation and Configuration Notes
* Configuration for `openvpn` version 2.5 and [easy-rsa](../../../../OpenVPN/easy-rsa) version 3
* Presumes latest macOS versions that use an editable `/etc/sysctl.conf` to set:
  > ```
  > net.inet.ip.forwarding=1
  > net.inet6.ip6.forwarding=1
  > ```
  This is known to work for macOS 11+. See previous versions of this
  repo for a `launchctl`-based approach.
* Uses Edwards curve [ed25519](https://en.wikipedia.org/wiki/Curve25519) EC-based PKI for very fast VPN connections with 128-bit security

## VPN Configuration Advantages

This OpenVPN configuration provides the following advantages:

* Secure VPN networking for all mobile clients
* Secure, certificate-based VPN
* PF-based [firewall security](../../../osxfortress) on the server
* Privatizing [Proxy Configuration](../../../osxfortress) for all mobile client devices
* Mobile device networking through PF firewall security
* Tracker blocking
* Ad blocking
* Malware blocking

## [Tunnelblick](../../../../Tunnelblick/Tunnelblick) Configuration

Configure [Tunnelblick](../../../../Tunnelblick/Tunnelblick) settings so that the server connection persists over macOS Fast User Switching. Failure to do this is observed to cause routing problems beyond OpenVPN server accessibility. Use the recommended standard and advanced settings:

| [Tunnelblick](../../../../Tunnelblick/Tunnelblick) Settings | Advanced… |
|:-----------------------------------------------------------:|:---------:|
| ![Tunnelblick Settings](images/Tunnelblick%20Settings.png) | ![Tunnelblick Advanced Settings](images/Tunnelblick%20Advanced%20Settings.png) |
--------------------------------------------------------------------------------
/images/OpenVPN_iPad.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/essandess/macos-openvpn-server/7e1b33e22ce44c685293daf5c2d9709c07d33140/images/OpenVPN_iPad.PNG
--------------------------------------------------------------------------------
/images/Tunnelblick Advanced Settings.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/essandess/macos-openvpn-server/7e1b33e22ce44c685293daf5c2d9709c07d33140/images/Tunnelblick Advanced Settings.png
--------------------------------------------------------------------------------
/images/Tunnelblick Settings.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/essandess/macos-openvpn-server/7e1b33e22ce44c685293daf5c2d9709c07d33140/images/Tunnelblick Settings.png
--------------------------------------------------------------------------------
/openvpn-client-tun.ovpn:
--------------------------------------------------------------------------------
####
## Mac UDP client configuration version 2.0
####
client
dev tun
proto udp
remote domainname.tld 443
redirect-gateway def1
;user nobody
;group nobody
remote-cert-tls server

<ca>
; paste ca.pem and remove these comments:
; openssl x509 -in pki/ca.crt | pbcopy
</ca>

<cert>
; paste client cert and remove these comments:
; openssl x509 -in pki/issued/client-domainname.crt -text | pbcopy
</cert>

<key>
; paste client key and remove these comments:
; openssl pkey -in pki/private/client-domainname.key -out pki/private/client-domainname.key.decrypted
; pbcopy < pki/private/client-domainname.key.decrypted
; rm pki/private/client-domainname.key.decrypted
</key>

key-direction 1

<tls-crypt>
; paste ta.key and remove these comments:
; pbcopy < pki/ta.key
</tls-crypt>

cipher AES-256-GCM
tls-version-min 1.3
; openvpn --show-tls | grep -e '^TLS' | grep -v 128 | grep -v -e 'SHA$' | grep -v GCM
; tls-cipher TLS_CHACHA20_POLY1305_SHA256:TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
;client-http-proxy 10.0.1.3 8118
--------------------------------------------------------------------------------
/openvpn-server-tun.tblk/config.ovpn:
--------------------------------------------------------------------------------
#################################################
# OpenVPN 2.0 config file for                   #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

local 10.0.1.3
port 443
proto udp

dev tun

ca ca.crt
cert hostname.domainname.tld.crt
key hostname.domainname.tld.key

tls-crypt ta.key 0

dh none
ecdh-curve ed25519

server 10.8.0.0 255.255.255.0
route 10.0.1.0 255.255.255.0
route 10.8.0.0 255.255.255.0

;server-bridge 10.0.1.3 255.255.255.0 10.0.1.50 10.0.1.90

topology subnet

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 10.0.1.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"

push "redirect-gateway def1"
push "dhcp-option DNS 10.0.1.3"
push "dhcp-option DOMAIN domainname.tld"
; push "dhcp-option PROXY_AUTO_CONFIG_URL http://proxy.domainname.private/proxy.pac"
;push "dhcp-option PROXY_HTTP 10.0.1.3 8118"
push "dhcp-option PROXY_BYPASS domainname.com proxy.domainname.private"

client-to-client

keepalive 10 120

cipher AES-256-GCM
tls-version-min 1.3

; openvpn --show-tls | grep -e '^TLS' | grep -v 128 | grep -v -e 'SHA$' | grep -v GCM
; tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

max-clients 20

; user nobody
; group nobody

persist-key
persist-tun

ifconfig-pool-persist "/Library/Application Support/Tunnelblick/ipp.txt"

verb 3
--------------------------------------------------------------------------------
/pf.conf:
--------------------------------------------------------------------------------
#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup.  PF will not be automatically enabled, however.  Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8).  That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here.  In addition
# to the anchors loaded by this file, some system services would dynamically
# insert anchors into the main ruleset.  These anchors will be added only when
# the system service is used and would be removed on termination of the service.
#
# See pf.conf(5) for syntax.
#

# References for modifications:
# The Book of PF by Peter N.M. Hansteen, p. 21
# http://ikawnoclast.com/security/mac-os-x-pf-firewall-avoiding-known-bad-guys/
# http://support.apple.com/kb/HT5519?viewlocale=en_US&locale=en_US
# http://blog.scottlowe.org/2013/05/15/using-pf-on-os-x-mountain-lion/
# http://krypted.com/mac-security/a-cheat-sheet-for-using-pf-in-os-x-lion-and-up/


# Internal interface; use the command `ifconfig -a` or:
# $ ifconfig | pcregrep -M -o '^[^\t:]+:([^\n]|\n\t)*status: active' | egrep -o -m 1 '^[^\t:]+'
int_if = "en0"

# VPN network
# $vpn_net == utun0/24 when Tunnelblick creates utun0
vpn_net = "10.8.0/24"  # utun0 interface doesn't exist at boot time

# Hardcoded IPs
# domainname_tld = "x.x.x.x.x"


# Options
set block-policy return
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
set skip on lo0


# Normalization
# Scrub incoming packets
scrub in all no-df

#
# com.apple anchor point
#
scrub-anchor "com.apple/*"


# Queueing


# Translation

# OpenVPN Server NAT
#
# The Book of PF, p. 21
# Allow VPN connections to the VPN host:
# http://serverfault.com/questions/555594/troubleshoot-broken-tcp-from-openvpn-client-to-server-but-ping-traceroute-work
# $ sudo vi /etc/sysctl.conf
#   net.inet.ip.forwarding=1
#   net.inet6.ip6.forwarding=1
tun_if = "utun3"
no nat on ! $tun_if inet from $vpn_net to ($int_if)
nat on ! $tun_if inet from $vpn_net to ! ($int_if) -> ($int_if)
# Use a list in case Tunnelblick creates multiple utun interfaces
# tun_if = "{ utun0, utun1, utun2, utun3, utun4, utun5, utun6, utun7, utun8, utun9 }"
# not_tun_if = "{ !utun0, !utun1, !utun2, !utun3, !utun4, !utun5, !utun6, !utun7, !utun8, !utun9 }"
# no nat on $not_tun_if inet from $vpn_net to ($int_if)
# nat on $not_tun_if inet from $vpn_net to ! ($int_if) -> ($int_if)
# This rule must be included below BEFORE these packets are passed by other rules:
# pass in quick on $tun_if reply-to $tun_if inet from $vpn_net to $int_if

nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

# Filtering

# Block by default
block all

# Debugging:
#pass quick log (all, to pflog0) all
#block log (all, to pflog0) all

# debugging rules
# $ sudo ifconfig pflog0 create
# $ sudo tcpdump -n -e -ttt -i pflog0
# $ sudo ifconfig pflog0 destroy
#block log (all, to pflog0) all

# Allow VPN connections to the VPN host:
# http://serverfault.com/questions/555594/troubleshoot-broken-tcp-from-openvpn-client-to-server-but-ping-traceroute-work
pass in quick on $tun_if reply-to $tun_if inet from $vpn_net to $int_if
# Rule for a lot of utun interfaces in case Tunnelblick creates extras
# pass in quick on utun0 reply-to utun0 inet from $vpn_net to $int_if
# pass in quick on utun1 reply-to utun1 inet from $vpn_net to $int_if
# pass in quick on utun2 reply-to utun2 inet from $vpn_net to $int_if
# pass in quick on utun3 reply-to utun3 inet from $vpn_net to $int_if
# pass in quick on utun4 reply-to utun4 inet from $vpn_net to $int_if
# pass in quick on utun5 reply-to utun5 inet from $vpn_net to $int_if
# pass in quick on utun6 reply-to utun6 inet from $vpn_net to $int_if
# pass in quick on utun7 reply-to utun7 inet from $vpn_net to $int_if
# pass in quick on utun8 reply-to utun8 inet from $vpn_net to $int_if
# pass in quick on utun9 reply-to utun9 inet from $vpn_net to $int_if

# Local net
table <private> const { 10/8, 172.16/12, 192.168/16 }
table <private6> const { ::1, fe80::/10 }

pass quick inet from <private> to any keep state
pass quick inet6 from <private6> to any keep state

# Antispoof
antispoof log quick for $int_if inet

# Block to/from illegal destinations or sources
block drop in log quick from no-route to any
block drop in log quick from urpf-failed to any
# This is observed on macOS
#block drop in log quick on $int_if from any to 255.255.255.255

# Whitelist
# table <whitelist> const { $domainname_tld }
# pass in quick from <whitelist>
# pass out quick to <whitelist>

# Block brute force attacks
table <bruteforce> persist
block drop log quick from <bruteforce>

# Allow application-specific traffic over these interfaces
# multicast DNS
pass on $int_if proto { udp, tcp } to { 224.0.0.2, 224.0.0.18, 224.0.0.251 } port mdns
pass on $int_if proto igmp to { 224.0.0.1, 224.0.0.22, 224.0.0.251 }

# Open Source IP blocks
# Refresh with pfctl -a blockips -T load -f /opt/local/etc/macos-fortress/blockips.conf
# anchor 'blockips' label "Open Source IP Blocks"
# load anchor 'blockips' from '/opt/local/etc/macos-fortress/blockips.conf'

# ICMP
icmp_types = "echoreq"
pass out inet proto icmp from $int_if:network to any icmp-type $icmp_types
pass in inet proto icmp from any to $int_if icmp-type $icmp_types

# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out on $int_if inet proto udp from any to any port 33433 >< 33626

# Allow critical system traffic
pass in quick inet proto udp from port bootps to port bootpc
pass out quick inet proto udp from port bootpc to port bootps

# LAN services: block access, except from localnet
lan_udp_services = "{ domain, net-assistant, 5001 }"
lan_tcp_services = "{ domain, kerberos, microsoft-ds, eyetv, 3128, \
    net-assistant, 5001, 5900:5909, privoxy, 8119, 8123, 8180 }"
block in proto udp from any to $int_if port $lan_udp_services
block in proto tcp from any to $int_if port $lan_tcp_services

pass in inet proto udp from { $vpn_net, $int_if:network } to $int_if port $lan_udp_services
pass in inet proto tcp from { $vpn_net, $int_if:network } to $int_if port $lan_tcp_services
pass out proto udp from $int_if port $lan_udp_services to { $vpn_net, $int_if:network }
pass out proto tcp from $int_if port $lan_tcp_services to { $vpn_net, $int_if:network }

# Internet services
# https://support.apple.com/en-us/HT202944
internet_udp_services = "{ https, isakmp, l2f, ipsec-msft, 16384:16403 }"
# NOTE: $internet_tcp_services is referenced by the two tcp rules below but is
# not defined anywhere in this file.  pfctl refuses to load a ruleset that uses
# an undefined macro, so define it (or remove those two rules) before loading.
pass in inet proto udp from any to $int_if port $internet_udp_services
pass in inet proto tcp from any to $int_if port $internet_tcp_services
pass out inet proto udp from $int_if to any port $internet_udp_services
pass out inet proto tcp from $int_if to any port $internet_tcp_services

# ssh really restrictive
pass in inet proto tcp from any to $int_if port ssh \
    keep state (max-src-conn 10, max-src-conn-rate 10/2, \
    overload <bruteforce> flush global)
pass out inet proto tcp from $int_if port ssh
# web, mail, calendarservice more restrictive
webmailcalcard_tcp_services = "{ smtp, www, imap, https, submission, imaps, \
    cert-responder, sieve, 8008, 8443, 8800, 8843 }"
pass in inet proto tcp from any to $int_if \
    port $webmailcalcard_tcp_services \
    keep state (max-src-nodes 50, max-src-conn 200, max-src-conn-rate 100/10, \
    overload <bruteforce> flush global)
pass out inet proto tcp from $int_if to any \
    port $webmailcalcard_tcp_services
--------------------------------------------------------------------------------
/readme-and-install.sh:
--------------------------------------------------------------------------------
#!/bin/bash -x

# macOS OpenVPN Server and Client Configuration

# commands
OPEN=/usr/bin/open
CAT=/bin/cat
MORE=/usr/bin/more

$CAT <<'HELPSTRING' | $MORE
macOS OpenVPN Server and Client Configuration

How to build an OpenVPN VPN server on macOS with pfctl and Tunnelblick.
This setup will provide a TLS-based VPN server using EC ed25519
certificates and UDP port 443, accessible by any OpenVPN client,
especially iOS with the OpenVPN app.

The commands to install an OpenVPN server on macOS and iOS are:

# Install everything here
export OPENVPN_INSTALL=~/Security/OpenVPN
mkdir -p ${OPENVPN_INSTALL}/pki_backupvars
mkdir -p ${OPENVPN_INSTALL}/Profiles/Tunnelblick
mkdir -p ${OPENVPN_INSTALL}/Profiles/OpenVPN-app

# install easy-rsa v. 3, openvpn2, and openssl-1.1 via MacPorts:
sudo port install openvpn2 easy-rsa openssl-1.1

# configure easy-rsa
install -m 0755 -B .orig ./vars ${OPENVPN_INSTALL}/pki_backupvars

# edit ${OPENVPN_INSTALL}/pki_backupvars/vars for the local instance
# change: EASYRSA_REQ_COUNTRY, EASYRSA_CA_EXPIRE etc.
open -e ${OPENVPN_INSTALL}/pki_backupvars/vars  # or emacs, nano, vi, etc.

cd ${OPENVPN_INSTALL}
easyrsa init-pki
diff -NaurdwB -I '^ *#.*' ${OPENVPN_INSTALL}/pki_backupvars/vars ./pki/vars > /tmp/vars.patch
patch -p5 ${OPENVPN_INSTALL}/pki/vars < /tmp/vars.patch
rm /tmp/vars.patch

# copy the Tunnelblick and client configuration
rsync -va ./openvpn-server-tun.tblk ${OPENVPN_INSTALL}/Profiles/Tunnelblick
install -m 0600 ./openvpn-client-tun.ovpn ${OPENVPN_INSTALL}/Profiles/OpenVPN-app

# create the keys

# dh; tls-auth, tls-crypt
openvpn2 --genkey secret pki/ta.key

# Client-specific TLS keys
# https://github.com/TinCanTech/easy-tls

easyrsa build-ca

# <ca>
openssl x509 -in pki/ca.crt | pbcopy
# <tls-crypt>
pbcopy < pki/ta.key

# server certificate; the name must match the install and verify commands below
easyrsa gen-req server-domainname nopass
easyrsa sign-req server server-domainname

# client certificate; the name must match the sign-req and the paths below
easyrsa gen-req client-domainname
easyrsa sign-req client client-domainname

# .ovpn12 currently do not work with ECDSA; see:
# https://forums.openvpn.net/viewtopic.php?p=77248&hilit=OpenSSL%3A+could+not+obtain+signature#p77248
# https://community.openvpn.net/openvpn/ticket/1024
if false; then
    # https://developer.apple.com/forums/thread/697030
    EASYRSA_OPENSSL=openssl-1.1 easyrsa export-p12 client-domainname
    # https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/
    mv pki/private/client-domainname.{p,ovpn}12
fi

# Client certificate decrypted key
openssl pkey -in pki/private/client-domainname.key -out pki/private/client-domainname.key.decrypted

# unified cert in .ovpn
# <cert>
openssl x509 -in pki/issued/client-domainname.crt -text | pbcopy
# <key>
pbcopy < pki/private/client-domainname.key.decrypted

# Example:
#
# ...
# Common Name (eg, your name or your server's hostname) [client-domainname]:domainname.com
# ...
# Email Address [admin@domainname.com]:

cd ${OPENVPN_INSTALL}
openssl verify -CAfile pki/ca.crt pki/ca.crt
openssl verify -CAfile pki/ca.crt pki/issued/server-domainname.crt
openssl verify -CAfile pki/ca.crt pki/issued/client-domainname.crt

# Create .p12 client certificates/keys for iOS clients
# .ovpn12 currently do not work with ECDSA; see:
# https://forums.openvpn.net/viewtopic.php?p=77248&hilit=OpenSSL%3A+could+not+obtain+signature#p77248
# https://developer.apple.com/forums/thread/697030
# openssl-1.1 pkcs12 -export -in pki/issued/client-domainname.crt -inkey pki/private/client-domainname.key -certfile pki/ca.crt -name client-domainname -out pki/private/client-domainname.p12

# Copy the necessary files to the .tblk directory
# cp -p ca.crt server-domainname.crt server-domainname.key ta.key ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk
install -m 0644 ${OPENVPN_INSTALL}/pki/ca.crt ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk
install -m 0644 ${OPENVPN_INSTALL}/pki/issued/server-domainname.crt ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk
install -m 0600 ${OPENVPN_INSTALL}/pki/private/server-domainname.key ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk
install -m 0600 ${OPENVPN_INSTALL}/pki/ta.key ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk

sudo install -m 0644 -B .orig sysctl.conf /etc
# reboot or set by hand prior to reboot:
sudo sysctl net.inet.ip.forwarding=1 net.inet6.ip6.forwarding=1

# Configure your router to forward UDP port 443 to the OpenVPN server

# Configure the server's config.ovpn file to specify the server IP on the LAN
# Edit ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk/config.ovpn to reflect your NAT configuration
sed -i '' -e 's/10.0.1.3/'`ifconfig en0 | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p'`'/g' ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk/config.ovpn
# Use config.ovpn.osxfortress with "git clone https://github.com/essandess/osxfortress" for
# secured, privacy-enhanced features on VPN clients
sed -i '' -e 's/10.0.1.3/'`ifconfig en0 | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p'`'/g' ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk/config.ovpn.osxfortress
# install -m 0644 -B .orig ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk/config.ovpn.osxfortress ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk/config.ovpn

# Load the .tblk file into Tunnelblick; connect/configure the server from Tunnelblick
open ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk

# Configure pf to use the VPN interface
# copy the pf.conf file locally, or use MacPorts macos-fortress
sudo install -m 0644 pf.conf "/Library/Application Support/Tunnelblick/"
sudo pfctl -ef "/Library/Application Support/Tunnelblick/pf.conf"

# Use a text editor to add the certificates ca.crt, ta.key, and client PKI
# to the client .ovpn file (installed above)
open -e ${OPENVPN_INSTALL}/Profiles/OpenVPN-app/openvpn-client-tun.ovpn  # or emacs, nano, vi, etc.

# Install the OpenVPN app on iOS

# Copy the .p12 file to a .ovpn12 file, and add the .ovpn12 file to the iOS OpenVPN app with one of these methods:
# iTunes: Device>Apps>File Sharing>Add...
# AirDrop
# Email:
uuencode ${OPENVPN_INSTALL}/pki/private/client-domainname.p12 client-domainname.ovpn12 | mail -s "client-domainname.ovpn12" myself@myemail.com

# Transfer the client OpenVPN file openvpn-client-tun.ovpn
# to the OpenVPN app using macOS Finder with AirDrop or iOS Syncing

# Launch the OpenVPN app and toggle the "Connect" button

# check if the OpenVPN server is up
sudo lsof -i ':443' | grep UDP
sudo nmap -sU -p 443 server.domainname.com
HELPSTRING

# prerequisites

# Tunnelblick
if ! [ -d /Applications/Tunnelblick.app ]; then
    $OPEN -a Safari https://code.google.com/p/tunnelblick/
    $CAT <
--------------------------------------------------------------------------------
/vars:
--------------------------------------------------------------------------------
	echo "This is no longer necessary and is disallowed. See the section called" >&2
	echo "*How to use this file* near the top comments for more details." >&2
	return 1
fi

# DO YOUR EDITS BELOW THIS POINT

# This variable is used as the base location of configuration files needed by
# easyrsa.  More specific variables for specific files (e.g., EASYRSA_SSL_CONF)
# may override this default.
#
# The default value of this variable is the location of the easyrsa script
# itself, which is also where the configuration files are located in the
# easy-rsa tree.

#set_var EASYRSA	"/opt/local/share/easy-rsa"

# If your OpenSSL command is not in the system PATH, you will need to define the
# path to it here. Normally this means a full path to the executable, otherwise
# you could have left it undefined here and the shown default would be used.
#
# Windows users, remember to use paths with forward-slashes (or escaped
# back-slashes.)  Windows users should declare the full path to the openssl
# binary here if it is not in their system PATH.

#set_var EASYRSA_OPENSSL	"openssl"
#
# This sample is in Windows syntax -- edit it for your path if not using PATH:
#set_var EASYRSA_OPENSSL	"C:/Program Files/OpenSSL-Win32/bin/openssl.exe"

# Edit this variable to point to your soon-to-be-created key directory.  By
# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
# directory you are currently in).
#
# WARNING: init-pki will do a rm -rf on this directory so make sure you define
# it correctly! (Interactive mode will prompt before acting.)

#set_var EASYRSA_PKI		"$PWD/pki"

# Define directory for temporary subdirectories.

#set_var EASYRSA_TEMP_DIR	"$EASYRSA_PKI"

# Define X509 DN mode.
# This is used to adjust what elements are included in the Subject field as the DN
# (this is the "Distinguished Name.")
# Note that in cn_only mode the Organizational fields further below are not used.
#
# Choices are:
#   cn_only  - use just a CN value
#   org      - use the "traditional" Country/Province/City/Org/OU/email/CN format

set_var EASYRSA_DN	"org"

# Organizational fields (used with "org" mode and ignored in "cn_only" mode.)
# These are the default values for fields which will be placed in the
# certificate.  Do not leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)

# NOTE: The following characters are not supported
#       in these "Organizational fields" by Easy-RSA:
#       back-tick (`)

set_var EASYRSA_REQ_COUNTRY	"US"
set_var EASYRSA_REQ_PROVINCE	"State"
set_var EASYRSA_REQ_CITY	"Town"
set_var EASYRSA_REQ_ORG		"My Organization"
set_var EASYRSA_REQ_EMAIL	"admin@domainname.tld"
set_var EASYRSA_REQ_OU		"OpenVPN"

# Choose a size in bits for your keypairs. The recommended value is 2048.  Using
# 2048-bit keys is considered more than sufficient for many years into the
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
# generation take much longer. Values up to 4096 should be accepted by most
# software. Only used when the crypto alg is rsa (see below.)

#set_var EASYRSA_KEY_SIZE	2048

# The default crypto mode is rsa; ec can enable elliptic curve support.
# Note that not all software supports ECC, so use care when enabling it.
# Choices for crypto alg are: (each in lower-case)
#  * rsa
#  * ec
#  * ed

#set_var EASYRSA_ALGO		rsa
set_var EASYRSA_ALGO		ed

# Define the named curve, used in ec & ed modes:

#set_var EASYRSA_CURVE		secp384r1
set_var EASYRSA_CURVE		ed25519

# In how many days should the root CA key expire?
# 12 years plus leap days
set_var EASYRSA_CA_EXPIRE	4383

# In how many days should certificates expire?
# 4 years plus leap days
set_var EASYRSA_CERT_EXPIRE	1461

# How many days until the next CRL publish date?  Note that the CRL can still be
# parsed after this timeframe passes. It is only used for an expected next
# publication date.
#set_var EASYRSA_CRL_DAYS	180

# Random serial numbers by default, set to no for the old incremental serial numbers
#
#set_var EASYRSA_RAND_SN	"yes"

# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
# is "no" to discourage use of deprecated extensions. If you require this
# feature to use with --ns-cert-type, set this to "yes" here. This support
# should be replaced with the more modern --remote-cert-tls feature. If you do
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
# this defined to "no".  When set to "yes", server-signed certs get the
# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
# nsComment field.

#set_var EASYRSA_NS_SUPPORT	"no"

# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.

#set_var EASYRSA_NS_COMMENT	"Easy-RSA Generated Certificate"

# A temp file used to stage cert extensions during signing. The default should
# be fine for most users; however, some users might want an alternative under a
# RAM-based FS, such as /dev/shm or /tmp on some systems.

#set_var EASYRSA_TEMP_FILE	"$EASYRSA_PKI/extensions.temp"

# !!
# NOTE: ADVANCED OPTIONS BELOW THIS POINT
# PLAY WITH THEM AT YOUR OWN RISK
# !!

# Broken shell command aliases: If you have a largely broken shell that is
# missing any of these POSIX-required commands used by Easy-RSA, you will need
# to define an alias to the proper path for the command.  The symptom will be
# some form of a "command not found" error from your shell. This means your
# shell is BROKEN, but you can hack around it here if you really need. These
# shown values are not defaults: it is up to you to know what you are doing if
# you touch these.
#
#alias awk="/alt/bin/awk"
#alias cat="/alt/bin/cat"

# X509 extensions directory:
# If you want to customize the X509 extensions used, set the directory to look
# for extensions here. Each cert type you sign must have a matching filename,
# and an optional file named "COMMON" is included first when present. Note that
# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
# fallback to $EASYRSA for the "x509-types" dir. You may override this
# detection with an explicit dir here.
#
#set_var EASYRSA_EXT_DIR	"$EASYRSA/x509-types"

# If you want to generate KDC certificates, you need to set the realm here.
#set_var EASYRSA_KDC_REALM	"CHANGEME.EXAMPLE.COM"

# OpenSSL config file:
# If you need to use a specific openssl config file, you can reference it here.
# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the
# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
# specific and you cannot just use a standard config file, so this is an
# advanced feature.

#set_var EASYRSA_SSL_CONF	"$EASYRSA_PKI/openssl-easyrsa.cnf"

# Default CN:
# This is best left alone. Interactively you will set this manually, and BATCH
# callers are expected to set this themselves.

#set_var EASYRSA_REQ_CN	"ChangeMe"

# Cryptograph digest to use.
# Do not change this default unless you understand the security implications.
# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512

#set_var EASYRSA_DIGEST	"sha256"

# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
# in batch mode without any user input, confirmation on dangerous operations,
# or most output. Setting this to any non-blank string enables batch mode.

#set_var EASYRSA_BATCH	""

# DISABLED - DO NOT USE
# Ref: https://github.com/OpenVPN/easy-rsa/issues/593
# How many days before its expiration date a certificate is allowed to be
# renewed?
#set_var EASYRSA_CERT_RENEW	30

# DISABLED - DO NOT USE
# Ref: https://github.com/OpenVPN/easy-rsa/issues/593
# For fixed certificate start/end dates - Range 1..365
# If set here then command line option is always in effect.
# The day number 183 is either July 2nd or 3rd (leap-year)
# Replace with your chosen day-of-year value:
#set_var EASYRSA_FIX_OFFSET	183
--------------------------------------------------------------------------------
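The client profile openvpn-client-tun.ovpn above only works against this server if it carries the same hardening the server's config.ovpn expects (remote-cert-tls, tls-crypt, TLS 1.3 minimum, an AEAD cipher). The following script is an added example, not part of the macos-openvpn-server repo: it audits an OpenVPN client profile for those directives and flags legacy settings. The directive names are OpenVPN's own; the two sample profiles it writes are constructed for the demo with placeholder PEM text.

```shell
#!/bin/sh
# Added example (not from the repo): audit an OpenVPN client profile for the
# hardening directives that openvpn-client-tun.ovpn and config.ovpn rely on.

# _ovpn_directives FILE: the profile with comment lines ('#' or ';') blanked,
# so every check sees only directives and inline block tags.
_ovpn_directives() {
    sed -e 's/^[[:space:]]*[#;].*$//' "$1"
}

# _require FILE ERE MESSAGE: report MESSAGE (and fail) when no line matches ERE.
_require() {
    if ! _ovpn_directives "$1" | grep -Eq "$2"; then
        echo "MISSING: $3"
        return 1
    fi
}

# _forbid FILE ERE MESSAGE: report MESSAGE (and fail) when some line matches ERE.
_forbid() {
    if _ovpn_directives "$1" | grep -Eq "$2"; then
        echo "WEAK: $3"
        return 1
    fi
}

# ovpn_audit FILE: print one line per finding; return the number of findings (0 = clean).
ovpn_audit() {
    f=$1
    n=0
    _require "$f" '^remote-cert-tls[[:space:]]+server' 'remote-cert-tls server (client must check the server cert role)' || n=$((n + 1))
    _require "$f" '^tls-version-min[[:space:]]+1\.[23]' 'tls-version-min 1.2 or 1.3' || n=$((n + 1))
    _require "$f" '^(tls-crypt[[:space:]]|<tls-crypt>)' 'tls-crypt key (the server uses tls-crypt, so the client must too)' || n=$((n + 1))
    _require "$f" '^<ca>' 'inline <ca> block' || n=$((n + 1))
    _require "$f" '^<cert>' 'inline <cert> block' || n=$((n + 1))
    _require "$f" '^<key>' 'inline <key> block' || n=$((n + 1))
    _require "$f" '^(cipher|data-ciphers)[[:space:]]+.*(AES-(128|256)-GCM|CHACHA20-POLY1305)' 'an AEAD data cipher (AES-GCM or ChaCha20-Poly1305)' || n=$((n + 1))
    _forbid "$f" '^cipher[[:space:]]+(BF-CBC|DES|DES-EDE3|RC2|none)' 'legacy or null data cipher' || n=$((n + 1))
    _forbid "$f" '^(comp-lzo|compress)' 'compression enabled (deprecated in OpenVPN 2.5)' || n=$((n + 1))
    return $n
}

# write_sample_profiles DIR: constructed demo profiles; the PEM bodies are placeholders.
write_sample_profiles() {
    cat > "$1/hardened.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 443
remote-cert-tls server
<ca>
(constructed placeholder, not a real certificate)
</ca>
<cert>
(constructed placeholder)
</cert>
<key>
(constructed placeholder)
</key>
key-direction 1
<tls-crypt>
(constructed placeholder)
</tls-crypt>
cipher AES-256-GCM
tls-version-min 1.3
EOF
    cat > "$1/weak.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher BF-CBC
comp-lzo
<ca>
(constructed placeholder)
</ca>
<cert>
(constructed placeholder)
</cert>
<key>
(constructed placeholder)
</key>
EOF
}

# Demo: audit both constructed profiles.
demo_dir=$(mktemp -d)
write_sample_profiles "$demo_dir"
for p in hardened weak; do
    echo "== $p.ovpn"
    ovpn_audit "$demo_dir/$p.ovpn" || echo "   ($? findings)"
done
rm -r "$demo_dir"
```

The checks only look at directive lines, so a profile whose hardening lives only in comments (as the repo's template does before the certificates are pasted in) is reported as missing, which is the intended behaviour for a pre-deployment check.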
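The pf.conf above references a macro (`$internet_tcp_services`) that it never defines, and every table it uses must be declared with `table <name>` before `pfctl -f` will accept the file. On macOS `sudo pfctl -nf pf.conf` is the authoritative dry-run parse; the following added example (not from the repo or macos-fortress) is a portable pre-check that finds referenced-but-undefined macros and tables in any pf.conf, so the mistake is caught before the ruleset reaches a production host. The two sample rulesets it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the repo): lint a pf.conf for macros ($name) and
# tables (<name>) that are referenced but never defined.

# pf_code FILE: the ruleset with comments stripped ('#' starts a comment anywhere on a line).
pf_code() {
    sed -e 's/#.*$//' "$1"
}

# pf_lint FILE: print one line per undefined macro or table; return 1 if any were found.
pf_lint() {
    conf=$1
    rc=0
    # every $name reference, deduplicated
    for m in $(pf_code "$conf" | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' | tr -d '$' | sort -u); do
        # a macro definition is "name = value" at the start of a line
        if ! pf_code "$conf" | grep -Eq "^[[:space:]]*${m}[[:space:]]*="; then
            echo "undefined macro: \$$m"
            rc=1
        fi
    done
    # every <name> reference, deduplicated
    for t in $(pf_code "$conf" | grep -o '<[A-Za-z_][A-Za-z0-9_-]*>' | tr -d '<>' | sort -u); do
        # a table definition is "table <name> ..." at the start of a line
        if ! pf_code "$conf" | grep -Eq "^[[:space:]]*table[[:space:]]+<${t}>"; then
            echo "undefined table: <$t>"
            rc=1
        fi
    done
    return $rc
}

# write_sample_rulesets DIR: constructed rulesets. broken.conf mirrors the gap in the
# repo's pf.conf ($internet_tcp_services used, never defined) plus an undeclared table.
write_sample_rulesets() {
    cat > "$1/broken.conf" <<'EOF'
int_if = "en0"
vpn_net = "10.8.0/24"   # utun interface is absent at boot
internet_udp_services = "{ https, isakmp, 16384:16403 }"
table <private> const { 10/8, 172.16/12, 192.168/16 }
set skip on lo0
block all
pass quick inet from <private> to any keep state
pass in inet proto udp from { $vpn_net, $int_if:network } to $int_if port $internet_udp_services
pass in inet proto tcp from any to $int_if port $internet_tcp_services
block drop log quick from <bruteforce>
EOF
    cat > "$1/clean.conf" <<'EOF'
int_if = "en0"
table <bruteforce> persist
block all
pass in inet proto tcp from any to $int_if port ssh \
    keep state (max-src-conn 10, overload <bruteforce> flush global)
EOF
}

# Demo: lint both constructed rulesets.
demo_dir=$(mktemp -d)
write_sample_rulesets "$demo_dir"
for f in broken clean; do
    echo "== $f.conf"
    pf_lint "$demo_dir/$f.conf" && echo "   no undefined macros or tables"
done
rm -r "$demo_dir"
```

Tables can also be created at runtime with `pfctl -t name -T add`, so a reported table is something to verify rather than a certain error; an undefined macro, by contrast, always makes pfctl reject the file.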
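readme-and-install.sh above substitutes the server's LAN address into config.ovpn with a single `sed -i` whose pattern `10.0.1.3` has unescaped dots and no boundary, so it would also rewrite an address such as `10.0.1.30`. The script below is an added example, not the repo's code: it splits that step into two functions that can be exercised on captured text, extracting the first non-loopback IPv4 address of one interface from `ifconfig` output and replacing only whole-address occurrences of the placeholder. The ifconfig text and the config fragment are constructed samples.

```shell
#!/bin/sh
# Added example (not from the repo): the LAN-address substitution step of
# readme-and-install.sh, made boundary-safe and testable.

# lan_ipv4_of IFACE < ifconfig-output
# Prints the first non-loopback IPv4 address in the IFACE block of ifconfig(8) output.
lan_ipv4_of() {
    # keep only the lines of the block that starts with "IFACE:" (up to the next
    # unindented interface header), then pull the dotted quad after "inet " (macOS)
    # or "inet addr:" (older Linux), dropping 127.0.0.1 first as the repo's sed does
    awk -v ifc="$1" '$0 ~ ("^" ifc ":") { p = 1; next } /^[^ \t]/ { p = 0 } p' \
    | sed -En 's/127\.0\.0\.1//; s/.*inet (addr:)?(([0-9]+\.){3}[0-9]+).*/\2/p' \
    | head -n 1
}

# set_server_lan_ip OLD NEW FILE: replace OLD with NEW wherever OLD is a whole address.
set_server_lan_ip() {
    # escape the dots: in a regex '.' matches any character
    old_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    # (^|[^0-9.]) and ([^0-9]|$) stop 10.0.1.3 from matching inside 110.0.1.3 or 10.0.1.30;
    # write to a temp file and rename, because 'sed -i' differs between macOS and GNU sed
    sed -E "s/(^|[^0-9.])${old_re}([^0-9]|\$)/\1$2\2/g" "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}

# Constructed macOS-style ifconfig output; lo0 comes first to show 127.0.0.1 is skipped.
sample_ifconfig() {
    cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:11:22:33:44:55
	inet6 fe80::1c2a:3b4c:5d6e:7f80%en0 prefixlen 64 secured scopeid 0x6
	inet 10.0.1.20 netmask 0xffffff00 broadcast 10.0.1.255
	status: active
EOF
}

# write_sample_config FILE: constructed config.ovpn fragment using the repo's placeholder
# address 10.0.1.3, plus a 10.0.1.30 host that must not be rewritten.
write_sample_config() {
    cat > "$1" <<'EOF'
local 10.0.1.3
port 443
proto udp
server 10.8.0.0 255.255.255.0
route 10.0.1.0 255.255.255.0
push "dhcp-option DNS 10.0.1.3"
push "route 10.0.1.30 255.255.255.255"
EOF
}

# Demo: find en0's address in the sample and rewrite the sample config with it.
ip=$(sample_ifconfig | lan_ipv4_of en0)
echo "en0 address: $ip"
demo_cfg=$(mktemp)
write_sample_config "$demo_cfg"
set_server_lan_ip 10.0.1.3 "$ip" "$demo_cfg"
cat "$demo_cfg"
rm "$demo_cfg"
```

On a real host replace `sample_ifconfig` with `ifconfig en0` (or the interface named in pf.conf's `int_if`) and point the third argument at the .tblk's config.ovpn; `local` and the pushed `dhcp-option DNS` lines change, the `route` lines do not.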