epoch1970 wrote:
> - I've quickly gone through the dev.mensfeld.pl guide, it seems to the point; I'd use that, esp. if you are using Tomato as your VPN server.
> - I've always set up openvpn in a private environment, with a laptop -with personal firewall OFF- as test client, before going all out with the server listening to the WAN port, using certs and all. Not sure Tomato would let you define simplistic tunnel setups (like trying to hop from a home wireless network to a separate home wired network, with no cypher and simple password security), but I'd recommend to tackle the problem as gradually as possible.
> (Be warned that if the OpenVPN server listens to the WAN, you should test with a client using an outside address, as one obtained from a public wifi hotspot. If the client comes from a private address within your own network you might enter the router 'hairpinning' issue.)
> - Use easy-rsa (or any GUI helper using it) to generate certs when you go for certificate-based authentication. You can generate credentials on any machine and move them to the target machines afterwards. What target machines/applications will be fussy about is the format of the files (pkcs12, PEM ...)
> - The openvpn app seems to work on iOS 6.1 onwards; my iPad never leaves home and my iPhone still runs iOS 5, so I've never used it... However: i. you need this app for sure on your iOS devices if you want to use them as OpenVPN clients, ii. your first client would rather be a laptop, debugging will be much easier.
I think I've managed to get things working with OpenVPN. One thing that took the longest time to figure out was that I needed to download the Windows version of EasyRSA v3.0.0-rc2 zip from https://github.com/OpenVPN/easy-rsa/releases, instead of the zip from https://github.com/OpenVPN/easy-rsa. Didn't figure that out until I stumbled on a forum thread somewhere after Googling something. Also had to check out all the sample config files (not just the client one) included with OpenVPN to get an idea of proper use.

The OpenVPN Connect iOS app Help section also pointed out a few things I needed to know:
1) For iOS, Interface type has to be TUN
2) Easiest way for me to include the certs/keys in config is to copy/paste with header/footer, such as <ca></ca>, etc.
3) Save that .ovpn config as UTF-8

I configured my router's OpenVPN server this way:

VPN Server Configuration > Basic:
Start with WAN : Yes
Interface Type : TUN
Protocol : UDP
Port : 1194
Firewall : Automatic
Authorization Mode : TLS
Extra HMAC-authorization : Disabled
VPN subnet/netmask : 10.8.0.0/255.255.255.0

VPN Server Configuration > Advanced:
Poll Interval : 0
Push LAN to Clients : Yes
Direct clients to redirect internet traffic : Yes
Respond to DNS : Yes
Advertise DNS to clients : Yes
Encryption cipher : AES-256-CBC
Compression : Adaptive
TLS Renegotiation Time : -1
Manage client-specific options : Yes
Allow Client<->Client : Yes

I tested by running the OpenVPN client on my Win7 laptop and connected to the router's OpenVPN server by using the router's local IP (192.168.1.x) in the config file. Then used a smartphone set up as a wifi hotspot, connected the iPhone 3GS (I'm using it as a wifi-only device) to said hotspot, then connected to my router's OpenVPN server using the DDNS address I set up with no-ip.com.

> About the 192.168.1.x network: what these guides say is that 192.168.1.0/24 is the most common private network. So, if you're on a wifi hotspot with a 192.168.1.123 LAN address, connect to your OpenVPN server and it tries to serve you with a 192.168.1.56 address because your own network is on 192.168.1.x too, the client will get confused. Moving to 192.168.2.x is a trick supposed to mitigate the issue.
> I'm sure 192.168.2.x is quite commonly used too. I'd rather recommend moving up to 192.168.255.0/24 (the .255 part of the quad strikes fear in some admins, as it looks like a broadcast address), or better to a -possibly subnetted if you're brave- "class-B" private network, like 172.[16 to 31].0.0/16. The "class-A" private network 10.0.0.0/8 is also commonly used but again if you use a subnet like 10.255.255.0/24 I doubt you'll find many conflicting configurations in the outside world.
> (and since you only seek access to your LMS server, in case you don't want to renumber your home network, you could also run an openvpn client on the LMS server too, and let OpenVPN manage its own network, eg 192.168.255.0/24. AFAIK if LMS runs on a machine with multiple interfaces it will listen to all by default. Just make sure the OpenVPN client on the server has set up its interface before LMS starts up.)
>
> I hope this helps and is clear enough. OpenVPN is a fantastic piece of software well worth some initial investment.

I don't know if what I did is the correct way to configure Client-to-Client (all I did was check the box in the router setup) but, set up like that, I could connect to LMS and play back through the iPhone 3GS. I wonder now, will I have that address problem if I connect from somewhere with a similarly numbered network? I did not re-number my network... Anything I need to correct? Thanks again!

I want NBC's *-Ed-* on DVD/Blu-ray!
808htfan's Profile: http://forums.slimdevices.com/member.php?userid=1298
View this thread: http://forums.slimdevices.com/showthread.php?t=102819
discuss mailing list: http://lists.slimdevices.com/mailman/listinfo/discuss
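The address-collision question asked above (home LAN 192.168.1.0/24 pushed to a client that is already sitting on a 192.168.1.x hotspot) can be checked before travelling rather than discovered in the field. The script below is an added example, not code from the thread or from Tomato/OpenVPN: it takes the routes the router pushes (the post's LAN plus the 10.8.0.0/24 tunnel), reports which ones overlap the client's current network, and picks the first of epoch1970's suggested home subnets that avoids a constructed list of hotspot networks.

```python
"""Detect pushed-route overlap for a roaming OpenVPN client and pick a
home LAN that avoids it.  Added example; sample networks are constructed."""
from ipaddress import ip_network


def conflicting_routes(client_lan, pushed):
    """Return the pushed routes that overlap the client's own LAN.

    An overlap means the client ends up with two routes covering the same
    addresses, so traffic for the home LAN may never enter the tunnel."""
    local = ip_network(client_lan, strict=False)
    return [r for r in pushed if ip_network(r, strict=False).overlaps(local)]


def pick_home_subnet(candidates, hotspot_lans):
    """Return the first candidate home subnet that overlaps none of the
    hotspot networks the client is expected to roam through, else None."""
    nets = [ip_network(h, strict=False) for h in hotspot_lans]
    for cand in candidates:
        cn = ip_network(cand)
        if not any(cn.overlaps(n) for n in nets):
            return cand
    return None


# What the router in the post pushes: its LAN (Push LAN to Clients: Yes)
# and the tunnel subnet (VPN subnet/netmask 10.8.0.0/255.255.255.0).
PUSHED = ["192.168.1.0/24", "10.8.0.0/24"]

# Renumbering options quoted from epoch1970's reply, in the order given.
CANDIDATES = ["192.168.2.0/24", "192.168.255.0/24",
              "172.31.0.0/16", "10.255.255.0/24"]

# Constructed sample: addresses a client might be handed at three hotspots
# (a 192.168.1.x cafe, a 192.168.2.x home, a carrier using 10.0.0.0/8).
HOTSPOTS = ["192.168.1.123/24", "192.168.2.50/24", "10.0.0.7/8"]

if __name__ == "__main__":
    for h in HOTSPOTS:
        print(h, "->", conflicting_routes(h, PUSHED) or "no conflict")
    print("suggested home LAN:", pick_home_subnet(CANDIDATES, HOTSPOTS))
```

Note that the 10.0.0.0/8 hotspot also collides with the 10.8.0.0/24 tunnel itself, so the tunnel subnet is worth checking alongside the pushed LAN.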
