Connecting to a VPN from a public Wi-Fi access point is much safer.  This guide will walkthrough how to set up a Mac and iOS client to connect to a VPN server running on a Raspberry Pi.

Requirements For This Walkthrough

Materials

  1. Local network
  2. Mac or PC
  3. Raspberry Pi  running Raspbian “wheezy” with an OpenVPN server setup
  4. HDMI Cable (*optional)
  5. Keyboard (*optional)
  6. Mouse (*optional)
  7. Monitor with HDMI input (*optional)

*If the Raspberry Pi is set up as a headless machine, you will not need a monitor, keyboard, or mouse–just another computer, which would be used to access it remotely over the network via SSH.

Downloads

  1. OpenVPN for iOS
  2. Tunneblick (OS X)

Knowledge, Skills, and Abilities

  1. Ability to naviagate throughout a computer OS
  2. Knowledge of basic computer terminology
  3. Ability and confidence to enter commands in the Terminal, adjusting them to suit your enviornment, if necessary
  4. Familiarity with core networking concepts
  5. Basic understanding of Public Key Infrastructure

Setting Up OpenVPN Clients

This how-to sets is a direct continuation of my OpenVPN server how-to.  The server should be set up and ready.

OpenVPN Client Configuration (iOS)

Setup A Client Config File

Copy A Sample Config File

Make a copy of the example config file and then edit that.

cd /etc/openvpn sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn sudo cp /etc/openvpn/client.conf /etc/openvpn/client1.conf

Edit the Client Config File

vi /etc/openvpn/client1.conf

You can use the following commands to view the settings without all of the comments:

cat client1.conf | grep -v "#" | tr -s '\n' cat client1.conf | grep -v "#" | grep -v ";" | tr -s '\n'

There are only three changes (in bold) to make in this file.  The first is the line that readsremote my-server-1 1194  .  It needs to be changed to the RPi’s IP address or domain name if using a Dynamic DNS service.  After the change, your file should like this:

remote myhomenetwork.net 1194

The second change is to comment out the lines referring to the location of the keys

# ca ca.crt # cert client.crt # key client.key

Finally, we are going to use inline references to the keys and certificates as opposed to packaging them up together.  Copy and paste each in the appropriate area:

<ca> -----BEGIN CERTIFICATE----- # insert base64 blob from ca.crt -----END CERTIFICATE----- </ca> <cert> -----BEGIN CERTIFICATE----- # insert base64 blob from client1.crt -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- # insert base64 blob from client1.key -----END PRIVATE KEY----- </key>

The Client File Should Look Similar to This When The Changes Are Complete

client dev tun proto udp remote myhomenetwork.net 1194 resolv-retry infinite nobind persist-key persist-tun ns-cert-type server # ca ca.crt # cert client1.crt # key client1.key comp-lzo verb 3 <ca> -----BEGIN CERTIFICATE----- KJhdiuhJOkjNJKNNoiNIENJNSDFWEnSDNFSNDFonkjNSDfonSDOFnOnfOoiNDnSKLNfSNDflkNSDfgSDfnSLDKfnSndfsdnfLSNDflNFLSNFSNDkjsDNfNSFNSDFkjnsDFnSPVJOSNFoNoSNoNonLDNlOIOIJoiOJOIJfknkjnelspivnounewuoinybvytonirngonwoinNFOINWFOWENFNWEOFNWEIFNDOINSKJDCNOIWENIOFGSDFISBFJSHDBFLSDBFIUWBFISBFHBFKJSDBFKSDBFKSDBFKJNFKJSDBFKJSDBNFKJSDNFKSNVOINIDNFOIFIJWNFKJSDBFGKJSDBFKSJDBFKJSDKSDJBFKJSBFKJSDBFKJSBDFKJSBDFKJSDNONVO= -----END CERTIFICATE----- <ca> <cert> -----BEGIN CERTIFICATE----- KJhdiuhJOkjNJKNNoiNIENJNSDFWEnSDNFSNDFonkjNSDfonSDOFnOnfOoiNDnSKLNfSNDflkNSDfgSDfnSLDKfnSndfsdnfLSNDflNFLSNFSNDkjsDNfNSFNSDFkjnsDFnSPVJOSNFoNoSNoNonLDNlOIOIJoiOJOIJfknkjnelspivnounewuoinybvytonirngonwoinNFOINWFOWENFNWEOFNWEIFNDOINSKJDCNOIWENIOFGSDFISBFJSHDBFLSDBFIUWBFISBFHBFKJSDBFKSDBFKSDBFKJNFKJSDBFKJSDBNFKJSDNFKSNVOINIDNFOIFIJWNFKJSDBFGKJSDBFKSJDBFKJSDKSDJBFKJSBFKJSDBFKJSBDFKJSBDFKJSDNONVO= -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- KJhdiuhJOkjNJKNNoiNIENJNSDFWEnSDNFSNDFonkjNSDfonSDOFnOnfOoiNDnSKLNfSNDflkNSDfgSDfnSLDKfnSndfsdnfLSNDflNFLSNFSNDkjsDNfNSFNSDFkjnsDFnSPVJOSNFoNoSNoNonLDNlOIOIJoiOJOIJfknkjnelspivnounewuoinybvytonirngonwoinNFOINWFOWENFNWEOFNWEIFNDOINSKJDCNOIWENIOFGSDFISBFJSHDBFLSDBFIUWBFISBFHBFKJSDBFKSDBFKSDBFKJNFKJSDBFKJSDBNFKJSDNFKSNVOINIDNFOIFIJWNFKJSDBFGKJSDBFKSJDBFKJSDKSDJBFKJSBFKJSDBFKJSBDFKJSBDFKJSDNONVO= -----END PRIVATE KEY----- </key>

Install the Config File to an iOS Device

Download the OpenVPN app

In order to use OpenVPN, the app needs to be downloaded to an iOS device.

Rename the Config File’s File Extension

Rename the file to client1.conf  to client1.ovpn

mv client1.conf client1.ovpn

Email the Config File to Yourself, or Use Dropbox/Google Drive, etc.

In order to setup the OpenVPN connection on the iOS device, the configuration file needs to be accessible from iOS.  Any of the file sharing/syncing apps should work, or you can simply email the file to yourself.  Once it is on the device, just touch it and choose to open it using OpenVPN.

OpenVPN Client Configuration (OS X)

Setup A Client Config File

Follow the steps above to make a new config file, but stop at the step where the certificate/keys are commented out.  Instead, provide the path to those keys.  The config file should look like this.

client dev tun proto udp remote myhomenetwork.net 1194 resolv-retry infinite nobind persist-key persist-tun ns-cert-type server ca ca.crt cert client1.crt key client1.key comp-lzo verb 3

Copy the four files required by OS X and Tunnelblick to another computer:

/etc/openvpn/easy-rsa/keys/client1.conf /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/easy-rsa/keys/client1.cert /etc/openvpn/easy-rsa/keys/client1.key

Below are the commands for doing it via SCP.

scp /etc/openvpn/easy-rsa/keys/client1.conf <usename>@<remotehost>:/Users/Shared scp /etc/openvpn/easy-rsa/keys/cca.crt <usename>@<remotehost>:/Users/Shared scp /etc/openvpn/easy-rsa/keys/client1.cert <usename>@<remotehost>:/Users/Shared scp /etc/openvpn/easy-rsa/keys/client1.key <usename>@<remotehost>:/Users/Shared

Reference this great chart from openvpn.net to see what files need to go where:

FilenameNeeded ByPurposeSecretca.crtserver + all clientsRoot CA certificateNOca.keykey signing machine onlyRoot CA keyYESdh{n}.pemserver onlyDiffie Hellman parametersNOserver.crtserver onlyServer CertificateNOserver.keyserver onlyServer KeyYESclient1.crtclient1 onlyClient1 CertificateNOclient1.keyclient1 onlyClient1 KeyYESclient2.crtclient2 onlyClient2 CertificateNOclient2.keyclient2 onlyClient2 KeyYESclient3.crtclient3 onlyClient3 CertificateNOclient3.keyclient3 onlyClient3 KeyYES

Bundle the OpenVPN Files Together To Make Them Compatible With Tunnelblick

Copy all four of the required file onto the Desktop or some other convenient folder.

Create a new folder called client1.

Move the four files into the new folder.

Rename the folder to client1.tblk

Confirm the usage of the .tblk  file extension.

The folder is converted into a single file, which can be double-clicked and will open in Tunnelblick.

Simply use to menubar item for Tunnelblick to connect to the VPN.