https://stefanorivera.com/enContents © 2026 <a href="mailto:stefano@rivera.za.net">Stefano Rivera</a> <a rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/"> <img alt="Creative Commons License BY-SA" class="cc-license-button" src="/assets/img/cc-by-sa-4.0.svg"></a>Fri, 01 May 2026 14:29:42 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rsshttps://stefanorivera.com/posts/2007/06/08/openvpn-wpad-mania/Stefano Rivera<p>I've just spent an afternoon tweaking an OpenVPN install, and I thought it would be a good idea to document it here. Not the world's most interesting post, but it's my method, and I want to document it.</p> <h3>OpenVPN:</h3> <p>The best solution I found was to have the server on it's own subnet:</p> <div class="code"><pre class="code literal-block">dev tun0 comp-lzo keepalive 10 120 server 10.20.2.0 255.255.255.0 push "dhcp-option DNS 10.20.1.1" push "dhcp-option DOMAIN rivera.co.za" push "route 10.20.1.0 255.255.255.0" ca /etc/ssl/vpn-cacert.pem dh /etc/ssl/dh1024.pem cert /etc/ssl/certs/vpn.rivera.co.za.pem key /etc/ssl/certs/vpn.rivera.co.za.key.pem </pre></div> <p>This sets up a Windows-friendly, routed OpenVPN. (TAP32, the windows tap driver, can't handle arbitrary IP routed VPNs, each link has to have a private /30 network)</p> <p>Then, the Windows client side:</p> <div class="code"><pre class="code literal-block"><span class="nx">client</span> <span class="nx">dev</span><span class="w"> </span><span class="nx">tun</span> <span class="nx">dev</span><span class="o">-</span><span class="nx">node</span><span class="w"> </span><span class="nx">VPN</span><span class="o">-</span><span class="nx">Connection</span> <span class="nx">proto</span><span class="w"> </span><span class="nx">udp</span> <span class="nx">remote</span><span class="w"> </span><span class="nx">vpn</span><span class="p">.</span><span class="nx">rivera</span><span class="p">.</span><span class="nx">co</span><span class="p">.</span><span class="nx">za</span><span class="w"> </span><span class="mi">1194</span> <span class="nx">resolv</span><span class="o">-</span><span class="nx">retry</span><span class="w"> </span><span class="nx">infinite</span> <span class="nx">nobind</span> <span class="nx">persist</span><span class="o">-</span><span class="nx">key</span> <span class="nx">persist</span><span class="o">-</span><span class="nx">tun</span> <span class="nx">mute</span><span class="o">-</span><span class="nx">replay</span><span class="o">-</span><span class="nx">warnings</span> <span class="nx">ca</span><span class="w"> </span><span class="nx">cacert</span><span class="p">.</span><span class="nx">pem</span> <span class="nx">cert</span><span class="w"> </span><span class="nx">winlaptop</span><span class="p">.</span><span class="nx">pem</span> <span class="nx">key</span><span class="w"> </span><span class="nx">winlaptop</span><span class="p">.</span><span class="nx">key</span><span class="p">.</span><span class="nx">pem</span> <span class="nx">ns</span><span class="o">-</span><span class="nx">cert</span><span class="o">-</span><span class="k">type</span><span class="w"> </span><span class="nx">server</span> <span class="nx">comp</span><span class="o">-</span><span class="nx">lzo</span> <span class="nx">verb</span><span class="w"> </span><span class="mi">3</span> <span class="nx">pull</span> <span class="nx">keepalive</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="mi">60</span> <span class="nx">explicit</span><span class="o">-</span><span class="nx">exit</span><span class="o">-</span><span class="nx">notify</span><span class="w"> </span><span class="mi">2</span> </pre></div> <p>This is nice and simple, and has the advantage of pulling a lot of configuration from the server rather than statically storing it on the client.</p> <h3>WPAD:</h3> <p>My network has <a href="https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol">Proxy Autodetection</a>. While I wanted DNS queries to go through the VPN, I didn't want web traffic to. (DNS through vpn, is ugly, but necessary for finding private servers).</p> <p>My solution was: <code>dnsmasq.conf</code>:</p> <div class="code"><pre class="code literal-block">dhcp-option=252,"http://ixia.rivera.co.za/wpad.dat" </pre></div> <p>Apache, default site config snippet:</p> <div class="code"><pre class="code literal-block"><span class="nt">&lt;Location</span><span class="w"> </span><span class="err">/wpad.dat</span><span class="nt">&gt;</span> <span class="w"> </span>ForceType<span class="w"> </span>"application/x-ns-proxy-autoconfig" <span class="w"> </span>Order<span class="w"> </span>deny,allow <span class="w"> </span>Deny<span class="w"> </span>from<span class="w"> </span>all <span class="w"> </span>Allow<span class="w"> </span>from<span class="w"> </span>127.0.0.0/8 <span class="w"> </span>Allow<span class="w"> </span>from<span class="w"> </span>10.20.1.0/24 <span class="nt">&lt;/Location&gt;</span> </pre></div> <p>And a fallback, in-case the wpad is already cached, this at the top of the wpad:</p> <div class="code"><pre class="code literal-block"><span class="c1">// VPN:</span> <span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">isInNet</span><span class="p">(</span><span class="n">myIpAddress</span><span class="p">(),</span><span class="w"> </span><span class="s">"10.20.2.0"</span><span class="p">,</span><span class="w"> </span><span class="s">"255.255.255.0"</span><span class="p">))</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="s">"DIRECT"</span><span class="p">;</span> </pre></div>linuxopenvpnsoftwarehttp://tumbleweed.org.za/2007/06/08/openvpn-wpad-maniaFri, 08 Jun 2007 15:32:31 GMT