I've gone through the process of configuring OpenVPN and Tunnelblick at least twice before and I never seem to get it right on the first or second try. This time I'll document a few of the pain points that I experienced even while following the excellent Digital Ocean guide to configuring OpenVPN on CentOS 6.
- Follow the "Initial OpenVPN Configuration" section from the DO document.
- When generating keys and certificates in the next section, the easy-rsa files are in
- Be descriptive when running `./build-key client`, with something like `./build-key jeremy-home`, so that you don't get annoyed later that you have a config named "client".
- The DO docs don't mention configuring a TLS-Auth key, even though the OpenVPN configuration now has it by default. Do this with `openvpn --genkey --secret /etc/openvpn/ta.key` before attempting to start the
- You'll need a few more lines in `client.ovpn` to match the server config. These worked last time, but look at the OpenVPN logs when you try to connect for other errors.
  - `tls-auth ta.key 1` (the server uses this with `0`) to enable TLS-Auth.
  - `cipher AES-256-CBC` to fix "'cipher' is used inconsistently" errors.
  - `keysize 256` to fix "'keysize' is used inconsistently" errors.
  - `tun-mtu 1500` to set the MTU, though I'm not sure this is really necessary.
  - Remove `comp-lzo` from the client if it's configured. This appears to cause an "IP packet with unknown IP version=15 seen" error.
- Be sure to copy the contents of `ta.key` into a new `<tls-auth>` section at the end of `client.ovpn` so that the client has the same static TLS-Auth key as the server.
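Most of the errors above come from the client and server disagreeing on a directive, and the logs only tell you about one disagreement at a time. The following script is an added example (not part of the original post or of OpenVPN) that compares a `client.ovpn` against the server config for exactly the points listed above: `cipher`, `keysize`, `comp-lzo` on only one side, the `tls-auth` key direction, and whether the inline `<tls-auth>` block matches the server's `ta.key`. The configs and the `ta.key` contents are constructed samples, and the function names are my own.

```python
import re

# Constructed server.conf: only the directives relevant to the checks.
SERVER_CONF = """\
port 1194
dev tun
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
keysize 256
"""

# Constructed placeholder for ta.key; a real key is 16 lines of hex.
TA_KEY = """\
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
ffeeddccbbaa99887766554433221100
-----END OpenVPN Static key V1-----
"""

# Constructed client.ovpn with the mismatches described in the post.
BROKEN_CLIENT = """\
client
remote vpn.example.invalid 1194
cipher AES-128-CBC
comp-lzo
tls-auth ta.key 1
"""

# The same client after the post's fixes, before the key is copied in.
FIXED_CLIENT = """\
client
remote vpn.example.invalid 1194
tls-auth ta.key 1
cipher AES-256-CBC
keysize 256
tun-mtu 1500
"""


def parse_config(text):
    """Split an OpenVPN config into {directive: [args]} and {block: body}."""
    directives, blocks = {}, {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:  # inside an inline <name> ... </name> block
            if line == f"</{current}>":
                blocks[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":  # blank or comment
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            current = m.group(1)
            continue
        parts = line.split()
        directives[parts[0]] = parts[1:]  # last occurrence wins
    return directives, blocks


def key_direction(directives):
    """TLS-Auth direction from 'tls-auth FILE DIR' or 'key-direction DIR'."""
    if "key-direction" in directives:
        return directives["key-direction"][0]
    args = directives.get("tls-auth", [])
    return args[1] if len(args) > 1 else None


def check_client(server_text, client_text, ta_key_text):
    """Return the mismatches found; an empty list means the client matches."""
    server, _ = parse_config(server_text)
    client, blocks = parse_config(client_text)
    problems = []
    for name in ("cipher", "keysize"):
        if name in server and client.get(name) != server[name]:
            problems.append(f"'{name}' is used inconsistently: server "
                            f"{server[name]} vs client {client.get(name)}")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        problems.append("comp-lzo is configured on only one side")
    if "tls-auth" in server:
        want = "1" if key_direction(server) == "0" else "0"
        if key_direction(client) != want:
            problems.append(f"tls-auth direction on client should be {want}")
        inline = blocks.get("tls-auth")
        if inline is None:
            problems.append("client has no inline <tls-auth> block")
        elif inline != ta_key_text.strip():
            problems.append("inline <tls-auth> key differs from server ta.key")
    return problems


def embed_ta_key(client_text, ta_key_text):
    """Append ta.key as an inline <tls-auth> block (no-op if already present)."""
    if "<tls-auth>" in client_text:
        return client_text
    block = "<tls-auth>\n" + ta_key_text.strip() + "\n</tls-auth>\n"
    return client_text.rstrip("\n") + "\n" + block


if __name__ == "__main__":
    for p in check_client(SERVER_CONF, BROKEN_CLIENT, TA_KEY):
        print("broken client:", p)
    ready = embed_ta_key(FIXED_CLIENT, TA_KEY)
    print("fixed client problems:", check_client(SERVER_CONF, ready, TA_KEY))
```

Run against the constructed sample, the broken client reports four problems (cipher, missing keysize, `comp-lzo` on the client only, and no inline key block); after applying the post's lines and embedding `ta.key`, the check returns an empty list. Point `check_client` at the real files with `open(...).read()` to use it on an actual setup.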
Throughout all this, remember that after you drag and drop a configuration file into Tunnelblick, it gets put somewhere else and needs to be manually reloaded every time you make a configuration change to the `client.ovpn` file you might be working with.
Things are now working with OpenVPN 2.4.4, easy-rsa 2.2.2, and Tunnelblick 3.7.4a.