Posts Tagged ‘openvpn’

Manage to launch OpenVPN at boot under MacOSX

Posted in Apple on October 31st, 2009 by atma

This took a lot of effort, which is why I want to share my “lost and founds” with the “internet”. The issue here was to make OpenVPN start successfully under Tiger (MacOSX 10.4.11). I think, though, that you must take the same approach for Snow Leopard and Leopard. The OSX Server Edition has built-in L2TP over IPsec VPN server support, so I wouldn’t bother using OpenVPN there.

First read here to find out how to install the precompiled OSX openvpn module!

The installation of OpenVPN is really easy. Just install MacPorts and install OpenVPN using:

sudo port install openvpn2

However, openvpn2 currently does not come with a .plist and wrapper script, which means that there’s no way to make it start at boot. So I wrote the plist and the wrapper, MacPorts style, to make it work. To get around launchd issues [1], the MacPorts developers use daemondo to create StartupItems for launchd, so I tried to follow the same approach.

Before writing any files, we need to create the directory that will hold them. In the terminal, type:

$ sudo mkdir /opt/local/etc/LaunchDaemons/org.macports.OpenVPN2/

Now first, we create the org.macports.OpenVPN2.plist file and write in these lines:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd" >
<plist version='1.0'>
<dict>
<key>Label</key><string>org.macports.OpenVPN2</string>
<key>ProgramArguments</key>
<array>
        <string>/opt/local/bin/daemondo</string>
        <string>--label=OpenVPN2</string>
        <string>--start-cmd</string>
        <string>/opt/local/etc/LaunchDaemons/org.macports.OpenVPN2/OpenVPN2.wrapper</string>
        <string>start</string>
        <string>;</string>
        <string>--stop-cmd</string>
        <string>/opt/local/etc/LaunchDaemons/org.macports.OpenVPN2/OpenVPN2.wrapper</string>
        <string>stop</string>
        <string>;</string>
        <string>--restart-cmd</string>
        <string>/opt/local/etc/LaunchDaemons/org.macports.OpenVPN2/OpenVPN2.wrapper</string>
        <string>restart</string>
        <string>;</string>
        <string>--pid=none</string>
</array>
<key>Debug</key><false/>
<key>Disabled</key><false/>
<key>OnDemand</key><false/>
<key>RunAtLoad</key><true/>
<key>NetworkState</key><true/>
</dict>
</plist>

Then we need to create the wrapper file which is a shell script. Now create the file OpenVPN2.wrapper and type in the following:

#!/bin/sh

. /etc/rc.common

# Load the tun kernel extension if it is installed.
load() {
    if [ -d /System/Library/Extensions/tun.kext ]; then
        /sbin/kextload -q /System/Library/Extensions/tun.kext
    else
        echo "tun.kext not found in /System/Library/Extensions/"
    fi
}

StartService() {
    #
    # Use the "ipconfig waitall" command to wait for all the
    # interfaces to come up:
    #
    ipconfig waitall

    load # first load the module
    # Start OpenVPN only if the tun extension is actually loaded.
    if kextstat -l | grep -q 'tun'; then
        /opt/local/sbin/openvpn2 --config /opt/local/etc/ovpn/server.conf --writepid /opt/local/etc/ovpn/ovpn.pid --daemon OpenVPN2
        /usr/bin/logger "OpenVPN is loaded"
    else
        /usr/bin/logger "tun extensions is not loaded."
    fi
}

StopService() {
    # Stop the daemon recorded in the pid file, then unload the module.
    pid=`cat /opt/local/etc/ovpn/ovpn.pid`
    if [ $? -eq 0 ]; then
        kill "$pid"
        /sbin/kextunload /System/Library/Extensions/tun.kext
        if ! kextstat -l | grep -q 'tun'; then
            /usr/bin/logger "The tun module was unloaded successfully"
        else
            /usr/bin/logger "There was a problem. I was not able to unload tun module!!!"
        fi
    fi
}

RestartService() {
    StopService "$@"
    StartService "$@"
}

RunService "$1"

Then we need to create a symbolic link in /Library/LaunchDaemons/, where all the plist files are located:

$ sudo ln -sf /opt/local/etc/LaunchDaemons/org.macports.OpenVPN2/org.macports.OpenVPN2.plist /Library/LaunchDaemons/org.macports.OpenVPN.plist

Remember to

sudo chmod +x /opt/local/etc/LaunchDaemons/org.macports.OpenVPN2/OpenVPN2.wrapper

in order to make the script executable. Other than this, just note that I use /opt/local/etc/ovpn/server.conf as the default path for the configuration file, but you can change that to match yours, like any other path in the shell script.
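Since the plist sets no UserName key, launchd starts the wrapper as root at boot, so the wrapper, the plist and the directories holding them should be writable only by root. The following check is an added example, not part of the original post; the function names and the owner argument are illustrative.

```shell
#!/bin/sh
# Added example: audit files that launchd will execute as root.
# Function names are illustrative; pass the paths used in your install.

# Return 0 if $2 exists, is owned by user $1, and has no group/world
# write bit. find -L follows symlinks, so a linked plist is judged by
# its target; -prune restricts the test to the path itself.
is_locked_down() {
    owner=$1
    path=$2
    if [ ! -e "$path" ]; then
        echo "MISSING   $path"
        return 1
    fi
    if [ -n "$(find -L "$path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "WRITABLE  $path (group or world write bit set)"
        return 1
    fi
    if [ -z "$(find -L "$path" -prune -user "$owner" -print)" ]; then
        echo "OWNER     $path (not owned by $owner)"
        return 1
    fi
    return 0
}

# Check each file and its parent directory (a writable directory lets
# the file be replaced). The return status is the number of findings.
audit_launchd_files() {
    owner=$1
    shift
    findings=0
    for f in "$@"; do
        for p in "$f" "$(dirname "$f")"; do
            is_locked_down "$owner" "$p" || findings=$((findings + 1))
        done
    done
    return "$findings"
}

# When paths are given on the command line, audit them against root.
if [ "$#" -gt 0 ]; then
    audit_launchd_files root "$@"
fi
```

Run it with the wrapper, the plist and the /Library/LaunchDaemons symlink from this post as arguments; a non-zero exit status means at least one finding was printed.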

Enough, isn’t it? :-)

  1. Launchd, in my opinion, should be able to manage the launch of whatever daemon and/or app directly. It’s presented as being the substitute of cron, init and other old-style unix utilities.

MacOSX load TUN driver through cli

Posted in Apple, Internet & technology on July 4th, 2009 by atma
Excellent tutorial on OpenVPN2 and macosx cli! It has some tips for ssh and on how to load the TUN/TAP drivers via cli on the mach kernel!

Remote desktop management with Log-me-in!

Posted in Internet & technology on July 25th, 2008 by atma

Reading a post on MacEphemera, a Greek Mac users' website, I found this very interesting software: Log me in. It’s a remote desktop administration system that lets you access your PC from anywhere. It runs on both Mac & Windows. All you need to do is install the software, then open your browser and point it to the website. You log in through a secure connection and can administer your computer remotely.

Until now I was keen to use OpenVPN for the same purpose, but apparently Log-Me-In is much easier and handier to use. Of course there’s always the security issue: on some systems you can’t afford to run backdoor-like software because it could backfire on you. For average systems, though, it’s a very interesting solution for remote desktop management.

