
essandess/macos-openvpn-server


osx-openvpn-server

OS X OpenVPN Server and Client Configuration

How to build an OpenVPN server on OS X with pfctl and Tunnelblick. This setup provides a TLS-based VPN server using 4096-bit certificates on UDP port 443, reachable from any OpenVPN client, in particular iOS with the OpenVPN app.

Why build your own VPN server when OS X Server already ships with a VPN service? To get certificate-based VPN. Of the VPN technologies OS X Server offers, one is broken and should be avoided altogether (Microsoft's PPTP: "PPTP traffic should be considered unencrypted", https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/), and the other requires a very long random pre-shared key to withstand offline guessing ("IPSEC-PSK is arguably worse than PPTP ever was for a dictionary-based attack vector"). If you want secure certificate-based VPN between OS X Server and iOS, OpenVPN is the only option.

Furthermore, OS X ships with its PF firewall turned off by default. Integrating OpenVPN access into a working OS X firewall, one that admits only the VPN port from the outside and treats tunnel traffic explicitly, provides greater security than running the VPN on an unfiltered host.
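As an added example (not the repository's own pf.conf), the following script writes a minimal pf ruleset of the kind described above, syntax-checks it with `pfctl -nf`, and loads it only when run as root on a host that has pf. The interface names `en0` and `tun0`, the VPN subnet `10.8.0.0/24`, and the output path are assumptions; the UDP port 443 comes from this README. Adjust the variables to match your OpenVPN `server` directive and `ifconfig` output.

```shell
#!/bin/sh
# Added example, not part of essandess/macos-openvpn-server.
# Generates and (optionally) loads a pf ruleset that admits OpenVPN on UDP 443
# and NATs the VPN subnet out of the Internet-facing interface.
set -e

EXT_IF="${EXT_IF:-en0}"            # assumed Internet-facing interface
VPN_IF="${VPN_IF:-tun0}"           # assumed OpenVPN tun interface
VPN_NET="${VPN_NET:-10.8.0.0/24}"  # assumed OpenVPN "server" subnet
VPN_PORT="${VPN_PORT:-443}"        # UDP port used by this README's setup

# Write the ruleset to the file named in $1.
# In macOS pf, translation (nat) rules must precede filter rules; the policy
# here is default-deny inbound, allow outbound, everything stateful.
write_openvpn_pf_rules() {
    out="$1"
    cat > "$out" <<EOF
# OpenVPN + pf ruleset (generated; check interface names before loading)
ext_if = "$EXT_IF"
vpn_if = "$VPN_IF"
vpn_net = "$VPN_NET"

# Masquerade VPN clients behind the server's external address
nat on \$ext_if from \$vpn_net to any -> (\$ext_if)

# Default deny inbound (logged), allow outbound, keep state
block in log all
pass out quick all keep state

# OpenVPN TLS control channel and data channel on UDP $VPN_PORT
pass in quick on \$ext_if proto udp from any to (\$ext_if) port $VPN_PORT keep state

# Traffic from connected VPN clients arriving on the tunnel interface
pass in quick on \$vpn_if from \$vpn_net to any keep state
EOF
}

# Number of "pass" rules in a ruleset file; a cheap sanity check for callers.
count_pass_rules() { grep -c '^pass ' "$1"; }

# Parse-check the ruleset with pfctl; load it only as root.
# Returns 0 without loading when pfctl is absent (e.g. on a build box).
load_openvpn_pf_rules() {
    rules="$1"
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found; ruleset written to $rules but not loaded" >&2
        return 0
    fi
    pfctl -nf "$rules"                 # parse only; non-zero exit on syntax errors
    if [ "$(id -u)" -eq 0 ]; then
        sysctl -w net.inet.ip.forwarding=1 >/dev/null   # route between tun and en0
        pfctl -ef "$rules"             # enable pf and load the ruleset
    else
        echo "not root; ruleset parsed OK but not loaded" >&2
    fi
}

# Usage (as root on the OpenVPN host): sh openvpn-pf.sh /path/to/openvpn.pf.conf
if [ $# -ge 1 ]; then
    write_openvpn_pf_rules "$1"
    load_openvpn_pf_rules "$1"
fi
```

Note that `pfctl -ef FILE` replaces the entire active ruleset, including the Apple-supplied anchors in the stock `/etc/pf.conf`; on a real OS X server, merge these rules into the system `pf.conf` or load them through an anchor rather than on their own. Running `pfctl -sr` afterwards shows the rules pf actually loaded, which is the check to do before exposing UDP 443.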

The VPN is also easily configured to use a privatizing proxy. This is useful for blocking the uniquely identifying HTTP headers that mobile carriers inject into unencrypted traffic for customer tracking. See, for example, Does your phone company track you?. The repo essandess/osxfortress provides a firewall, blackhole, and privatizing proxy. Use the server configuration config.ovpn.osxfortress for these features, including blocking the mobile carrier tracking headers (Squid request_header_access directives):

```
# Mobile carrier uniquely identifying headers
request_header_access MSISDN deny all               # T-Mobile
request_header_access X-MSISDN deny all             # T-Mobile
request_header_access X-UIDH deny all               # Verizon
request_header_access x-up-subno deny all           # AT&T
request_header_access X-ACR deny all                # AT&T
request_header_access X-UP-SUBSCRIBER-COS deny all
request_header_access X-OPWV-DDM-HTTPMISCDD deny all
request_header_access X-OPWV-DDM-IDENTITY deny all
request_header_access X-OPWV-DDM-SUBSCRIBER deny all
request_header_access CLIENTID deny all
request_header_access X-VF-ACR deny all
request_header_access X_MTI_USERNAME deny all
request_header_access X_MTI_EMAIL deny all
request_header_access X_MTI_EMPID deny all
```

About

macOS OpenVPN Server and Client Configuration (OpenVPN, Tunnelblick, PF)
