Below are the steps I followed to get Tunnelblick 3.7.8beta01 (build 5160) on a MacBook Pro with macOS Mojave, 10.14 and/or OpenVPN for Android on Android 9 connecting to an OpenVPN server running DD-WRT v3.0-r36527 std 8/9/18 firmware on a Netgear R7000 router.
- Click on a.ovpn files that you downloaded to open it in Tunnelblick. Click the Tunnelblick icon to choose the server you want to connect to. Insert your credentials and click OK. You can view your credentials for the VPN in the Customer Area Services. Note that credentials are case sensitive. You are connected.
- Tunnelblick is described as 'free, open source graphic user interface for OpenVPN on OS X and macOS. It provides easy control of OpenVPN client and/or server connections' and is an app in the Security & Privacy category.
- Beta: Tunnelblick 3.8.6beta01 (build 5680, macOS 10.10+, (mixed Intel-64, M1), notarized) released 2021-04-11 Release Notes SHA1.
May 28, 2019 Deciding the NordVPN vs VyprVPN matchup is quite a handful. Hdm Vpn Tunnelblick The developers of VyprVPN, Golden Frog, market themselves as a complete solution for online privacy, whether you’re a gamer, business, or regular user, but we’ve found that NordVPN’s.
Create OpenVPN certificates and keys by following the directions here - https://firxworx.com/blog/it-devops/sys ... -on-macos/I would suggest that one generate 4096-bit keys rather than the default 2048-bit keys. This will require changes to the vars file prior to key generation.
This will generate an ~/EasyRSA-X.Y.Z directory.
2. Create ta.key
SSH or Telnet to the DD-WRT router command line.
Run the following commands
# openvpn –-genkey –-secret ta.key
# cat ta.key
Highlight the key contents and copy to TextEdit on the Mac.
Save TextEdit ta.key file to the ~/EasyRSA-X.Y.Z/pki/private/ directory on the Mac
Delete the ta.key file on router's DD-WRT command line
# rm ta.key
3. OpenVPN Server
On the Services, VPN area of the router's DD-WRT web configuration page add the following information.
OpenVPN Server/Daemon
OpenVPN: Enable
Start Type: System
Config as: Server
Server mode: Router (TUN)
Network: (local private network that is different from your primary LAN - My primary LAN is 192.168.x.0 and I put in 10.x.y.0)
Netmask: 255.255.255.0
Port: (default is 1194, I put in 80, others like 443)
Tunnel Protocol: UDP
Encryption Cipher: AES-256 CBC
Hash Algorithm: SHA256
Advanced Options: Enable
TLS Cipher: None
LZO Compression: Yes
Redirect default Gateway: Enable
Allow Client to Client: Enable
Allow duplicate cn: Disable
Tunnel MTU setting: 1500
Tunnel UDP Fragment: Leave blank
Tunnel UDP MSS-Fix: Disable
CCD-Dir DEFAULT file: Leave empty
Client connect script: Leave empty
Static Key: Leave empty
PKCS12 Key: Leave empty
Public Server Cert: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/issued/server.crt file on the Mac. Make sure it only includes lines between and including -----BEGIN CERTIFICATE-----, -----END CERTIFICATE-----
CA cert: Paste the contents of ~/EasyRSA-X.Y.Z/pki/ca.crt file on the Mac. Make sure it only includes lines between and including -----BEGIN CERTIFICATE-----, -----END CERTIFICATE-----
Private Server Key: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/private/server.key file found on the Mac. Make sure it only includes lines between and including -----BEGIN PRIVATE KEY-----, -----END PRIVATE KEY-----
DH PEM: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/dh.pem file found on the Mac. Make sure it only includes lines between and including -----BEGIN DH PARAMETERS-----, -----END DH PARAMETERS-----
Additional Config:
push 'route 192.168.x.0 255.255.255.0'
push 'dhcp-option DNS 192.168.x.1'
TLS Auth Key: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/private/ta.key file found on the Mac.
At the bottom of the web page, first click on Save, and when the page comes back, click on Apply Settings
Go to Services, Services web configuration page
Find the Additional DNSMasq Options window
Add the following statement.
interface=tun2
Click on Save, and after the page comes back click on Apply Settings
Go to Administration, Commands web page
Add the following command to the Firewall.
iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE
Once you added this statement click on Save Firewall.
When the web page comes back, click on Administration, Management
At the bottom of the page click on the red Router Reboot button and reboot the router. Wait 3 minutes for the router to complete its reboot.
4. Tunnelblick on the Mac
Install Tunnelblick on the Mac
Launch Tunnelblick on the Mac.
Create a folder on your Desktop with the <session_name>. I called mine Home.
Add the following statements to TextEdit.
client
auth RSA-SHA256
cipher AES-256-CBC
auth-nocache
# Use the same setting as you are using on the server.
dev tun2
# Are we connecting to a TCP or UDP server? Use the same setting as on the server.
proto udp
tun-mtu 1500
# The hostname/IP and port of the server.
remote <internet domain of OpenVPN server> <port that was defined on the DD-WRT OpenVPN web configuration page>
resolv-retry infinite
# Most clients don't need to bind to a specific local port number.
nobind
# Try to preserve some state across restarts.
persist-key
persist-tun
# SSL/TLS parmeters
ca ca.crt
cert <client_name1>.crt
key <client_name1>.key
tls-auth ta.key 1
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to 'server'. This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
# ns-cert-type server
remote-cert-tls server
# Enable compression on the VPN link.
# comp-lzo
compress lzo
# Allow me to change my IP address and/or port number (if I get a new local IP address at Starbucks).
float
Save the file with the name <session_name>.conf to the <session_name> desktop folder
Copy to the Desktop <session_name> folder:
~/EasyRSA-X.Y.Z/pki/private/ta.key
~/EasyRSA-X.Y.Z/pki/private/<client_name1>.key
~/EasyRSA-X.Y.Z/pki/issued/<client_name1>.crt
~/EasyRSA-X.Y.Z/pki/ca.crt
Once all the files are in the folder rename the <session_name> folder to <session_name>.tblk
The folder will then convert itself to a file.
Click and drag that file to the Tunnelblick icon at the top of the screen. When you see a + show up, release the click.
Add the session to ALL users of the Mac
Delete the <session_name>.tblk file from the Desktop.
Click on the Tunnelblick icon at the top of the screen on the Mac and click on VPN Details.
Highlight the <session_name>.
In the VPN Details screen click on the gear icon at the bottom left of the window.
Scroll down and click on Make Configuration Private.
Type in the Mac password when requested.
Log into a WiFi link that is not on your local LAN. For testing I use my smartphone hotspot. Click on Tunnelblick icon and click on Connect to start up VPN.
5. OpenVPN on Android
Install OpenVPN for Android (OfA) from the Play Store
Copy the following files from your Mac laptop to a USB thumb drive.
Tunnelblick For Android App
~/EasyRSA-X.Y.Z/pki/private/ta.key
~/EasyRSA-X.Y.Z/pki/private/<client_name2>.key
~/EasyRSA-X.Y.Z/pki/issued/<client_name2>.crt
~/EasyRSA-X.Y.Z/pki/ca.crt
Transfer those files to the internal storage of the Android mobile device.
Open OfA
At the top portion of the screen tap on SETTINGS
Show log window: Checked
OpenVPN 3 Core: Checked
Connect on boot: Unchecked
Reconnect on network change: Checked
Pause VPN connection after screen off: Checked
At the top right portion of the screen tap the circle plus icon
Edit the profile by taping the pencil icon to the right of its name
Go to the BASIC tab
Name the profile. I use Home
Check LZO Compression
For the CA Certificate select the path to the ca.crt file
For the Client Certificate select the path to the <client_name2>.crt file
For the Client Certificate Key select the path to the <client_name2>.key file
Go to the SERVER tab
Server Address: <internet domain of OpenVPN server>
Server Port: <port that was defined on the DD-WRT OpenVPN web configuration page>
Protocol: UDP
Proxy: None
Connect Timeout: 120
Tunnelblick For Android Phone
Custom Options: Unchecked
Go to the IP AND DNS tab
Pull Settings: Enabled
No local binding: Checked
Override DNS Settings by Server: Unchecked
Go to ROUTING Tab
Ignore pushed routes: Unchecked
Bypass VPN for local networks: Unchecked
IPv4
Use default Route: Checked
IPv6
Use default Route: Unchecked
Go to the AUTHENTICATION/ENCRYPTION tab
Expect TLS server certificate: Checked
Certificate Hostname Check: Checked
Remote certificate subject
RDN (common name)
-- Leave Blank --
X.509 Username Field
-- Leave Blank --
TLS Authentication/Encryption
Use TLS Authentication: Enabled
TLS Auth File: Select the path to the ta.key file
TLS Direction: 1
Encryption
Encryption Cypher: AES-256-CBC
Go to the ADVANCED tab
Client behavior
Persistent tun: Checked
Push Peer info: Unchecked
Random Host Prefix: Unchecked
Allow floating server: Checked
Payload options
Override MSS value of TCP payload: Unchecked
Tunnel MTU (mtu-mtu): Using default (1500) MTU
Custom Options
persist-key
auth SHA256
Reconnection settings
Tunnelblick Windows 10
Connection retries
Unlimited reconnection retries
Seconds between connections
Tunnelblick For Android Apk
2 sMaximum time between connection attempts
Tunnelblick For Android Pc
300 s