Text displayed like this is an example which will need to be edited/adapted.
Commands and their output are shown like this
File names are shown like this

VPN Client Access

How to configure an external computer for VPN access to the internal LAN.

1. Install OpenVPN

Windows:

Download OpenVPN GUI for Windows from this direct link:
http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe
(or look for a more recent version of the"Installation Package" with "TAP driver included" here: http://openvpn.se/download.html)
Install it as administrator.
- In the "Choose components" screen, you can de-select "Add OpenVPN to PATH". The other defaults are fine.
- Windows XP will give you a warning during install of the "TAP Win32 Adapter". Click "Continue Anyway":
At the end, there is an "OpenVPN GUI" icon in the system tray: .

Mac OS X

Download Tunnelblick (direct link: Tunnelblick-Universal-3.0b6.dmg)
Install: mount the dmg file and move Tunnelblick.app to your Applications folder
...?

2. Configure

Your administrator gave you 4 files or instructions on where to get them. Their names will be different, but the extension in bold will be the same as these:

some-company.ovpn : the OpenVPN configuration file
your-name-or-host.key : the private key part of your certificate, which must be kept secret
your-name-or-host.pem : the public key part of your certificate
cacert-some-company.pem : the public key of your certification authority which signed your certificate

Don't lose your private key file; don't put it on an unprotected USB drive, etc.

If you do lose it or your notebook is stolen, immediately tell your administrator, so that he can block this key and issue you a new one.

Now for the configuration:

Save the configuration file and the certificates to
- Windows: C:\Program Files\OpenVPN\config\. (If you changed the default install directory, then save the files to the /config/ directory under your OpenVPN install directory).
- Mac: ~/Library/openvpn
Edit your configuration file with a text editor
- on Windows you can use notepad.exe
- on Mac you can use notepad.exe on Windows :-)
  (unless you have installed a plain text editor yourself or you know about pico or nano).
It should look like this, with the marked adapted to your particular file names:

# OpenVPN client configuration file
remote vpn-server-ip-or-host-name 1194

ca cacert-some-company.pem

cert your-name-or-host.pem
key your-name-or-host.key

client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3

3. Connect

Windows: right-click on the OpenVPN GUI icon in the system tray, and select "Connect". You will be prompted for your password, which you received separately (it may contain spaces; if it was in double quotes like "this", the password is without the double quotes).

The system tray icon should eventually turn green (), and you should have been assigned an IP address in the 10.x.0.0 network for the tunnel adapter.

4. Test

Now, you should be able to ping the internal server by it's IP address or by it's name:

>ping 192.168.44.4
Pinging 192.168.44.4 with 32 bytes of data:
Reply from 192.168.44.4: bytes=32 time=36ms TTL=63
etc.

>ping hostname.company.lan
Pinging hostname.company.lan [192.168.44.5] with 32 bytes of data:
Reply from 192.168.44.5: bytes=32 time=36ms TTL=63
etc.

5. Use

Windows browsing doesn't work in a routed environment, so you cannot use "Network neighborhood" or "net view" to view the workgroup computers.

However, you can list shares of single machines and use them, or access any other services running on them. (To have Network neighborhood work as on the LAN, the VPN would have to be bridged instead of routed. That would have several other disadvantages. With this routed setup, one can have shortcuts to single machines or specific shares on machines, so it should be fine)

In the Windows Explorer address bar, you can type \\server to see the shares on that server:

$Windows Explorer view of shared folders on \\server$

Or you can do the same at the command prompt:

>net view \\server

Shared resources at \\server

server

Share name     Type  Used as  Comment

-------------------------------------------------------------------------------
some-share     Disk           Some shared directory on server
another        Disk           Some other share on that server
...etc.
The command completed successfully.

>net use * \\server\some-share
Drive Z: is now connected to \\server\some-share.
The command completed successfully.

>dir Z:
 Volume in drive Z is backup-docs
 Volume Serial Number is 0589-5766

 Directory of Z:\

   29.08.2007 09:59    <DIR>          .
   17.11.2007 19:46    <DIR>          ..
   etc.

6. Firewalls

Firewall on machines on the LAN

(This is NOT about your remote notebook, but about the machines on the LAN in the office).

Since the remote VPN connections come from a different network, the firewall on the machines will normally block them. Machines need to change the scope of the port openings from "Local Subnet" to Custom, and add the 10.x.0.0/255.255.255.0 VPN network to the normal LAN network (192.168.x.0/255.255.255.0) for the Windows protocols.

For the Windows XP SP2 firewall, you can edit and save the following script as firewall-add-vpn.cmd and then run it on each machine:

netsh firewall set portopening protocol=TCP port=139 mode=ENABLE scope=CUSTOM addresses=10.8.0.0/255.255.255.0,LocalSubnet
netsh firewall set portopening protocol=TCP port=445 mode=ENABLE scope=CUSTOM addresses=10.8.0.0/255.255.255.0,LocalSubnet
netsh firewall set portopening protocol=UDP port=137 mode=ENABLE scope=CUSTOM addresses=10.8.0.0/255.255.255.0,LocalSubnet
netsh firewall set portopening protocol=UDP port=138 mode=ENABLE scope=CUSTOM addresses=10.8.0.0/255.255.255.0,LocalSubnet

That should allow Windows networking. If you need to access another service on the machine, you will have to configure that as well.

If the machine uses another firewall like Symantec, configure that firewall to allow connections to/from the 10.8.0.0/255.255.255.0 (aka 10.8.0.0/24) network.

Firewall on the remote VPN client

If your remote VPN client has a third party firewall like Symantec, you may also have to configure that to allow trafic from/to the VPN subnet. Test it without the firewall first, then configure it as needed.

Troubleshooting

Problems with third party firewalls: http://openvpn.se/xpsp2_problem.html