OpenVPN/Windows

Prerequisites


Freelock deploys OpenVPN for many of its clients.

The critical part of deploying this VPN is maintaining the security of your secret key--anybody with this key and the configuration file could connect to your server. The other consideration is that you could have IP address conflicts if you're connecting from a LAN that uses the same IP address range as the office network. See below if this is the case.

Instructions (Windows)


  1. Download the Windows installer. Choose the latest "stable" version of the installation package. (Note: Windows Vista is not currently supported.)

  2. Run the installer, with the following notes.

  3. At the Choose Components stage, accept the defaults, and optionally also check the "My Certificate Wizard." This will make future certificate management easier.


  4. Click the Continue Anyway button when you get the Windows warning.


  5. When the installer has finished, you should see a new icon in your system tray. That's the VPN.

  6. Download the zip file with your config file. Extract all the files in this zip to: C:\Program Files\OpenVPN\config

  7. Right-click the VPN system tray icon and click "Connect."


If you have a firewall, you will need to disable it on the new "Local Area Connection" interface in Network Connections to be able to access Windows shares on the intranet. You will also need to configure your firewall to allow OpenVPN to access the Internet through your main network connection. Also, if you're running Windows XP SP2, getting this interface to work the first time can be tricky--try disabling it, and then re-enabling it.

Congratulations! You're now connected!

To disconnect, double-click the system tray icon (which turns green when you're connected), and click Disconnect.

You should be able to browse the LAN as if you were there, and get to all the internal resources.

IP Address Conflicts


There are several common IP address ranges, and if any of them are used for your office, you cannot use the same subnet at the remote end.
  • 192.168.1.*
  • 192.168.2.*
  • 192.168.0.*

In particular the 192.168.1.* subnet is very common on home networks. If you connect from a remote network that uses any of these subnets, you will likely run into problems using the VPN, because your computer won't know which network to use to connect to a particular network address.

If your home LAN uses a conflicting subnet, you're going to need to change it to get it to work correctly. Valid private IP addresses include:

  • 10.0.0.0 -> 10.255.255.255
  • 172.16.0.0 -> 172.31.255.255
  • 192.168.0.0 -> 192.168.255.255

Of course, within these ranges are illegal IP addresses, reserved for network broadcasts and the subnets themselves. But you can choose any smaller subnet in any of these three network ranges to use for a private LAN, and be guaranteed to not overlap any public IP addresses.

Almost all consumer networking equipment uses one of a few network ranges by default, depending on the brand:

  • 192.168.0.* (Netgear, Dlink)
  • 192.168.1.* (Linksys)
  • 192.168.2.* (SMC, Belkin)
  • 192.168.100.* (Belkin)

If you use any of these at your office, your VPN won't work from a lot of different networks, which matters if you want to be able to plug your laptop into random locations and use your VPN.

Pick a higher subnet and you should be fine. Freelock Computing uses 192.168.9.*, 192.168.10.*, and 192.168.19.*. To make it easier for us to provide support, you should avoid all of those subnets and pick higher ones, say 192.168.93.*.
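
The overlap rules above can be checked before you renumber a LAN. The following is an added example, not Freelock's own tooling: it tests whether the network you connect from collides with the office network, and reviews a proposed office subnet against the ranges listed on this page. It assumes each "x.y.z.*" range means a /24, and the function names are hypothetical.

```python
import ipaddress

# Ranges from this page; "x.y.z.*" is assumed to mean a /24.
PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
VENDOR_DEFAULTS = {
    "192.168.0.0/24": "Netgear, Dlink",
    "192.168.1.0/24": "Linksys",
    "192.168.2.0/24": "SMC, Belkin",
    "192.168.100.0/24": "Belkin",
}
FREELOCK = ["192.168.9.0/24", "192.168.10.0/24", "192.168.19.0/24"]


def _net(cidr):
    # strict=False accepts a host address with a mask, e.g. 192.168.1.37/24
    return ipaddress.ip_network(cidr, strict=False)


def conflicts(local_lan, office_lan):
    """True if the LAN you connect from overlaps the office LAN behind the VPN."""
    return _net(local_lan).overlaps(_net(office_lan))


def review_office_subnet(office_lan):
    """Return the reasons a proposed office subnet is a poor choice (empty if none)."""
    net = _net(office_lan)
    problems = []
    if not any(net.subnet_of(_net(p)) for p in PRIVATE):
        problems.append("not inside a private range")
    for cidr, vendor in VENDOR_DEFAULTS.items():
        if net.overlaps(_net(cidr)):
            problems.append(f"overlaps router default {cidr} ({vendor})")
    for cidr in FREELOCK:
        if net.overlaps(_net(cidr)):
            problems.append(f"overlaps {cidr}, which this page asks you to avoid")
    return problems


if __name__ == "__main__":
    # Constructed sample values: a laptop on a home router, two candidate office LANs.
    home = "192.168.1.37/24"
    for office in ("192.168.1.0/24", "192.168.93.0/24"):
        print(office, "conflicts with home LAN:", conflicts(home, office))
        print("  review:", review_office_subnet(office) or "ok")
```
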