Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

pipetogrep

macrumors 6502
Original poster
Jan 27, 2021
349
499
Hi all,

A buddy of mine and I wanted an easy way to IM, audio, and possibly video chat on our PPC Macs. After looking around for existing programs that still worked we settled on the idea of using Bonjour with iChat since it's built in and requires no setup. The problem is we live on opposite sides of the USA and Bonjour is for local networks only.

That's where a VPN comes in. By running OpenVPN in layer 2 (TAP) mode, my friend is able to use Tunnelblick to VPN into my network and we are able to successfully audio chat on iChat. Here are the technical details for my setup. This does assume you have some experience with OpenVPN.

Network​

I use a managed switch with the ability to create VLANs and an extra interface on my pfSense router to create a separate isolated network from the rest of my environment. This is because using an older version of Tunnelblick and OS X requires using some less secure protocols on the VPN. It also makes subnet management much easier.

The VLANed network runs on 192.168.50.0/24 with a DHCP range of 192.168.50.50 - 192.168.50.100

Router/VPN Setup​

Set up an extra interface on pfSense. Mine is called "RetroLAN". That connects to a VLANed port on the managed switch. I added firewall rules so it has no access to any of the other interfaces or subnets on my network. The firewall rules also blocks access to the router management interface.

OpenVPN is running directly on the router. The details are as follows:

Certificate authority and certificate:

In pfSenses certificate manager, create a certificate authority and certificate. Tiger, older Tunnelblick, or both won't be able to verify a CA cert using SHA256. As such, you'll have to create the CA using the less secure SHA1 digest algorithm. Use SHA1 when you create the VPN server certificate as well.

VPN Server:
  • Server Mode - Remote server (User Auth)
  • Backend for authentication - Local Database - This did require me to make an account for my friend on the router.
  • Protocol - UDP on IPV4
  • Device mode - TAP
  • Interface - WAN
  • Local port - 1194
  • Description - Retro LAN
  • TLS Configuration - Not selected
  • TLS keydir direction - Both directions
  • Peer Certificate Authority - Select the CA you created earlier
  • Peer Certificate Revocation list - None
  • Server certificate - Select the certificate you created earlier
  • DH Parameter Length - 1024
  • ECDH curve - Use Default
  • Encryption Algorithm - BF-CBC (128 bit key by default, 64 bit block) - Less secure I know, but we're talking about old OSes and VPN clients!
  • Enable NCP - No - This didn't exist with the older version of OpenVPN (2.0) that Tunnelblick 3.0 uses
  • NCP Algorithms - Doesn't matter. NCP is disabled.
  • Auth digest algorithm - SHA1 - Again, old OS and VPN client
  • Hardware Crypto - BSD cryptodev engine - You'll have to find out if your router supports that or not. If you are uncertain, choose no acceleration.
  • Certificate depth - Do not check
  • IPV4 Tunnel Network - Leave blank - This is not necessary for TAP VPNs
  • IPV6 Tunnel Network - Leave blank - This is not necessary for TAP VPNs
  • Bridge DHCP - Enable
  • Bridge Interface - Select the NIC interface you created when setting up the network. In my case it is "RETRO" on igb2
  • Bridge Route Gateway - Disable
  • Server Bridge DHCP Start - 192.168.50.101 - Be sure to select a DHCP range outside of what you set up for the interface's DHCP server.
  • Server Bridge DHCP End - 192.168.50.150 - Be sure to select a DHCP range outside of what you set up for the interface's DHCP server.
  • Redirect IPv4 Gateway - Disable
  • Redirect IPv6 Gateway - Disable
  • IPv4 Local network(s) - Leave blank
  • IPv6 Local network(s) - Leave blank
  • Concurrent connections - Leave blank
  • Compression - LZA Compression [Legacy style, comp-lzo yes]
  • Push Compression - Disabled
  • Type-of-Service - Disabled
  • Inter-client communication (THIS IS IMPORTANT) - Enable - Without this, the VPN clients can't communicate and Bonjour won't work.
  • Duplicate Connection - Disabled
  • Dynamic IP - Disabled
  • Inactive - 0
  • Ping method - keepalive
  • Interval - 10
  • Timeout - 60
  • DNS Default Domain - Disabled
  • DNS Server enable - Disabled
  • Block Outside DNS - Disabled
  • Force DNS cache update - Disabled
  • NTP Server enable - Disabled
  • NetBIOS enable - Disabled
  • Custom options - None
  • Username as Common Name - Enabled
  • UDP Fast I/O - Disabled
  • Exit Notify - Disabled
  • Send/Receive Buffer - Default
  • Gateway creation - Both
  • Verbosity level - Default
Be sure to set up firewall rules to allow port 1194 through the NAT, otherwise no one will be able to connect.

Client Setup (Tunnelblick 3.0)​

This will run directly on your Mac. You need to download and install a version of Tunnelblick that works with Tiger. Unfortunately, the latest Tiger compatible version (3.5) from the official website crashes. I ended up using Tunnelblick 3.0 from this bundle https://macintoshgarden.org/apps/macdvd187. I was unable to find any other versions on the web.

After installaling Tunnelblick:
  1. Open ~/Library/Application Support/Tunnelblick/Configurations.
  2. Download your certificate authority cert and save it into the above folder as ca.crt
  3. Create a file called retro.ovpn and paste this into it
    Code:
    dev tappersist-tun
    persist-key
    cipher BF-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote YOUR_HOSTNAME_OR_IP 1194 udp
    nobind
    auth-user-pass
    ns-cert-type server
    comp-lzo
    ca ca.crt
    redirect-gateway def1
    setenv CLIENT_CERT 0
  4. Select Tunnelblick from the menu bar and connect to "retro". It should as for your user name and password. Use your credentials from pfSense. Have your buddy use their own credentials from pfSense as well. You should have created a seprate set earlier.
  5. Open iChat on both ends and enjoy!
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.