I use OpenVPN (wikipedia page) to get access to virtual machines on my hosted server. There are some GUI solutions to running OpenVPN on OS X, including Tunnelblick (free) and Viscosity (US$9), but it is also possible to run OpenVPN from the command line, automatically, so that it is "always there". These notes are based on TinyApps documentation on OpenVPN and a guide to setting up LaunchDaemon items.

Running OpenVPN from the command line requires:

  • OS X TUN/TAP driver (BSD license, donations via PayPal appreciated)
  • openvpn2 port from MacPorts (port install openvpn2)
  • openvpn keys and configuration file as on other platforms (see OpenVPN documentation)

The OS X TUN/TAP driver installs two kernel extensions (and a startup item) which load a TUN driver (used by OpenVPN) and a TAP driver (used for intercepting network packets).

I put the configuration files in /opt/local/etc/openvpn, and the keys in /opt/local/etc/openvpn/naos following the pattern that I use on my other computers. After a quick command line test:

sudo openvpn2 --verb 3 --config /opt/local/etc/openvpn/naos.conf

to confirm that the VPN came up, I set up a plist file for launchctl (wikipedia page), based on examples at TinyApps and Andrew's Blog. It needs to be put into /Library/LaunchDaemons/net.openvpn.plist, and then loaded:

sudo launchctl load -w /Library/LaunchDaemons/net.openvpn.plist

to enable it; it'll load immediately as well due to the RunAtLoad option. You can verify that it is working with:

sudo launchctl list | grep net.openvpn

where the first column is the process ID of the running OpenVPN, and also by checking that the routes inserted by OpenVPN are present in the routing table.

One thing I did differently from the examples was to enable KeepAlive based on the network state, following hints in this nabble thread. In theory, combined with restart in the OpenVPN configuration, OpenVPN should now come up whenever the networking comes up. (I'm hopeful this will "just work" over suspend/resume; under Linux I had to resort to stopping/starting OpenVPN over suspend/resume -- in the acpi directories -- to deal with IP address changes.)

(FTR, my net.openvpn.plist.)
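
A LaunchDaemon plist of the shape described above, with RunAtLoad and a KeepAlive condition on network state. This is an added example, not the author's linked file; the binary path /opt/local/sbin/openvpn2 and the WorkingDirectory entry are assumptions, while the label and config path follow the post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Label matches the file name net.openvpn.plist and is what
         "launchctl list" shows in its last column. -->
    <key>Label</key>
    <string>net.openvpn</string>

    <!-- Absolute paths only: launchd does not use your shell PATH.
         The binary location is an assumed MacPorts default; confirm it
         with "which openvpn2" before loading. -->
    <key>ProgramArguments</key>
    <array>
        <string>/opt/local/sbin/openvpn2</string>
        <string>--config</string>
        <string>/opt/local/etc/openvpn/naos.conf</string>
    </array>

    <!-- Assumption: lets relative key and cert paths in naos.conf
         (for example naos/client.key) resolve from this directory. -->
    <key>WorkingDirectory</key>
    <string>/opt/local/etc/openvpn</string>

    <!-- Start as soon as the job is loaded, and at boot. -->
    <key>RunAtLoad</key>
    <true/>

    <!-- Conditional KeepAlive: launchd keeps the job running only while
         the network is up, and restarts it when the network returns. -->
    <key>KeepAlive</key>
    <dict>
        <key>NetworkState</key>
        <true/>
    </dict>
</dict>
</plist>
```

launchd runs this job as root, so the plist should be owned by root:wheel and not writable by group or others; launchctl refuses to load files with looser ownership or permissions.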