03 August 2009

Dual factor OpenVPN with Active Directory and Certificate Services (Part 4 of 4)

4. Client Installation

Client installation involves three basic steps:
1. Get a certificate that identifies the client computer, if this is not already done.
2. Install the OpenVPN package, preferably one pre-packaged with all the configuration files:
   a ta.key,
   a CA certificate,
   a configuration file.
3. Change a single line in the OpenVPN configuration file to match the client machine name.


4.1 Getting a certificate
If this is not handled by Group Policy, a certificate can be requested manually, assuming you already have a PKI in-house.
Before starting, the machine must be a domain member and on the network.

Go to Start > Run and type
mmc
Add the "Certificates" snap-in (Computer account).
Open the "Personal" folder; right-click > All Tasks > Request New Certificate.
Select "Computer" as the type of request.
Select and you are done


4.2 Install the OpenVPN executable
Install with defaults.
During install, you may get a warning about an unsigned driver. This is normal. Click "CONTINUE".


4.3 Configure the client
Open the C:\Program Files\OpenVPN\config folder and open the .ovpn file. On the cryptoapicert line, change "MACHINENAME" to the name of the client machine, for example YOURCLIENT.YOURDOMAIN.COM:

cryptoapicert "SUBJ:YOURCLIENT.YOURDOMAIN.COM"

Vista/Windows 7: The shortcut should be set to run as Administrator.

You are ready to go.
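The manual edit in 4.3 can be scripted together with a check that the certificate from 4.1 is actually usable. This PowerShell script is an added example, not part of the original post; it assumes the certificate subject contains CN= followed by the machine's fully qualified name, and that the config folder holds exactly one .ovpn file with exactly one cryptoapicert line.

```powershell
# Added example: verify the certificate from 4.1, then apply the edit from 4.3.
# Run from an elevated PowerShell prompt (the config folder is under Program Files).
$configDir = 'C:\Program Files\OpenVPN\config'    # folder named in the article

# Assumption: the certificate subject carries the machine's FQDN, built here from
# the host name and the primary DNS suffix (upper-cased as in the article's example).
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = ('{0}.{1}' -f $ipProps.HostName, $ipProps.DomainName).ToUpper()

# The computer certificate from 4.1 lives in the machine's Personal store. It is only
# usable for the VPN if its private key is present and it is inside its validity period.
$now = Get-Date
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "*CN=$fqdn*" -and $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now
})
if ($certs.Count -eq 0) {
    throw "No valid certificate with a private key found for CN=$fqdn; repeat step 4.1."
}
if ($certs.Count -gt 1) {
    Write-Warning "$($certs.Count) certificates match CN=$fqdn; the SUBJ: match is ambiguous."
}
$certs | Format-List Subject, Issuer, NotAfter, Thumbprint

# Assumption: the pre-packaged install dropped exactly one .ovpn file, holding
# exactly one cryptoapicert line.
$ovpn = @(Get-ChildItem -Path $configDir -Filter *.ovpn)
if ($ovpn.Count -ne 1) { throw "Expected one .ovpn file in $configDir, found $($ovpn.Count)." }
$path = $ovpn[0].FullName
$lines = @(Get-Content -Path $path)
$pattern = '^\s*cryptoapicert\s'
$hits = @($lines | Where-Object { $_ -match $pattern })
if ($hits.Count -ne 1) { throw "Expected one cryptoapicert line in $path, found $($hits.Count)." }

# Keep a backup, then rewrite only the cryptoapicert line.
Copy-Item -Path $path -Destination "$path.bak" -Force
$updated = $lines | ForEach-Object {
    if ($_ -match $pattern) { "cryptoapicert `"SUBJ:$fqdn`"" } else { $_ }
}
Set-Content -Path $path -Value $updated -Encoding ASCII    # plain text, no byte-order mark
Write-Output "Updated $path to use SUBJ:$fqdn"
```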
