OpenVPN / WPAD Mania

Stefano Rivera

2007-06-08 17:32 (updated 2008-09-19 11:10)

I've just spent an afternoon tweaking an OpenVPN install, and I thought it would be a good idea to document it here. Not the world's most interesting post, but it's my method, and I want to document it.

OpenVPN:

The best solution I found was to have the server on it's own subnet:

dev tun0
comp-lzo
keepalive 10 120
server 10.20.2.0 255.255.255.0
push "dhcp-option DNS 10.20.1.1"
push "dhcp-option DOMAIN rivera.co.za"
push "route 10.20.1.0 255.255.255.0"
ca /etc/ssl/vpn-cacert.pem
dh /etc/ssl/dh1024.pem
cert /etc/ssl/certs/vpn.rivera.co.za.pem
key /etc/ssl/certs/vpn.rivera.co.za.key.pem

This sets up a Windows-friendly, routed OpenVPN. (TAP32, the windows tap driver, can't handle arbitrary IP routed VPNs, each link has to have a private /30 network)

Then, the Windows client side:

client
dev tun
dev-node VPN-Connection
proto udp
remote vpn.rivera.co.za 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca cacert.pem
cert winlaptop.pem
key winlaptop.key.pem
ns-cert-type server
comp-lzo
verb 3
pull
keepalive 10 60
explicit-exit-notify 2

This is nice and simple, and has the advantage of pulling a lot of configuration from the server rather than statically storing it on the client.

WPAD:

My network has Proxy Autodetection. While I wanted DNS queries to go through the VPN, I didn't want web traffic to. (DNS through vpn, is ugly, but necessary for finding private servers).

My solution was: dnsmasq.conf:

dhcp-option=252,"http://ixia.rivera.co.za/wpad.dat"

Apache, default site config snippet:

<Location /wpad.dat>
        ForceType "application/x-ns-proxy-autoconfig"
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/8
        Allow from 10.20.1.0/24
</Location>

And a fallback, in-case the wpad is already cached, this at the top of the wpad:

// VPN:
if (isInNet(myIpAddress(), "10.20.2.0", "255.255.255.0")) return "DIRECT";