I've just spent an afternoon tweaking an OpenVPN install, and I thought it would be a good idea to document it here. Not the world's most interesting post, but it's my method, and I want to document it.
The best solution I found was to have the server on its own subnet:
# Server side: routed (tun) VPN with its own /24 for clients
dev tun0
comp-lzo
keepalive 10 120
# Hand out addresses from 10.20.2.0/24 to clients
server 10.20.2.0 255.255.255.0
# Push DNS, search domain and the route to the internal LAN to clients
push "dhcp-option DNS 10.20.1.1"
push "dhcp-option DOMAIN rivera.co.za"
push "route 10.20.1.0 255.255.255.0"
# PKI material
ca /etc/ssl/vpn-cacert.pem
dh /etc/ssl/dh1024.pem
cert /etc/ssl/certs/vpn.rivera.co.za.pem
key /etc/ssl/certs/vpn.rivera.co.za.key.pem
This sets up a Windows-friendly, routed OpenVPN. (TAP32, the Windows TAP driver, can't handle arbitrary IP routed VPNs; each link has to have its own private /30 network.)
Then, the Windows client side:
client
dev tun
# Name of the TAP adapter as shown in Windows network connections
dev-node VPN-Connection
proto udp
remote vpn.rivera.co.za 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
# Client PKI material
ca cacert.pem
cert winlaptop.pem
key winlaptop.key.pem
# Only accept a server certificate marked as a server cert
ns-cert-type server
comp-lzo
verb 3
# Accept the options pushed by the server (DNS, domain, routes)
pull
keepalive 10 60
explicit-exit-notify 2
This is nice and simple, and has the advantage of pulling a lot of the configuration from the server rather than storing it statically on the client.
My network has proxy autodetection (WPAD). While I wanted DNS queries to go through the VPN, I didn't want web traffic to. (DNS through the VPN is ugly, but necessary for finding private servers.)
My solution was:
Apache, default site config snippet:
<Location /wpad.dat>
    ForceType "application/x-ns-proxy-autoconfig"
    # Only LAN hosts and localhost may fetch the PAC file; VPN clients
    # (10.20.2.0/24) are refused and so fall back to direct access
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/8
    Allow from 10.20.1.0/24
</Location>
And a fallback, in case the WPAD file is already cached, at the top of the wpad.dat:
// VPN: clients holding a 10.20.2.x address bypass the proxy
if (isInNet(myIpAddress(), "10.20.2.0", "255.255.255.0")) return "DIRECT";
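As an added example (not part of the original post), here is the wpad.dat decision logic with the VPN bypass as its first rule, together with local stand-ins for the browser-provided PAC helper isInNet so the rule can be checked outside a browser; the proxy address is a placeholder, since the post does not name one.

```javascript
// Added example, not the original post's wpad.dat. Proxy address is a placeholder.
const PROXY = "PROXY proxy.lan.example:3128"; // placeholder, not from the post

// Convert a dotted-quad address to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
}

// Stand-in for the PAC helper isInNet(host, pattern, mask): true when
// host falls inside the network given by pattern/mask. In a browser the
// built-in version also resolves hostnames; this one expects an IP string.
function isInNet(host, pattern, mask) {
  const m = ipToInt(mask);
  return (ipToInt(host) & m) === (ipToInt(pattern) & m);
}

// The decision, parameterised on the client's own address so a test can
// supply the value a browser would obtain from myIpAddress().
function findProxyForAddress(url, host, myIp) {
  // VPN clients: the OpenVPN server assigns 10.20.2.0/24, and those users
  // should reach the web directly instead of via the office proxy.
  if (isInNet(myIp, "10.20.2.0", "255.255.255.0")) return "DIRECT";
  // Everyone else (the office LAN, 10.20.1.0/24) goes through the proxy.
  return PROXY;
}

// Real PAC entry point; myIpAddress() is supplied by the browser.
function FindProxyForURL(url, host) {
  return findProxyForAddress(url, host, myIpAddress());
}
```

Note that myIpAddress() on a multi-homed host may report an interface other than the tunnel, so the Apache allow-list above remains the primary control and this rule is only the cached-PAC fallback.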