====== OpenVPN ======
====== About ======
The ACM hosts 3 different VPNs for accessing our local network that vary by purpose.
- A host based VPN that requires a specific certificate for every client machine
- A user authentication VPN that requires an ACM username and password to connect, **NOTE** this method can only be used on one machine at a time
- A host based VPN that requires a specific certificate for every client machine and re-routes all the client's network traffic over the VPN network
Typical Use of each network
- Permanent automatic access to the ACM VPN for a machine
- Quick one off access to the network from a single machine
- Special case network access to the network and LAN bandwidth - **not for general use
**
====== Getting Access ======
For access to VPN 2 (User Auth), just download **{{:acmuserauthvpn.zip|this zip file}}** and follow the directions below
For access to VPN 1 (Host Based), email sigsysadmin@acm.cs.uic.edu with a request. Include your acm login and the host name of your machine. The needed files will be sent to you and the setup will be about the same.
====== Client Setup ======
This setup details the setup of the user auth VPN. Setup for the host auth VPN is the same, with the exception of a couple of file names being different. **If you need to use the ACM's internal DNS servers, please read the last section**
===== Windows Client (XP, Vista, 7) =====
Download the latest version of the OpenVPN installer from http://openvpn.net/index.php/open-source/downloads.html
Select the one that says "Windows Installer" in the first field of the table
(Currently version 2.2.2 as of June 18 2012)
Run the installer, the defaults should be fine
Go to start >> Programs >> OpenVPN >> Shortcuts >> OpenVPN configuration file directory
Copy the files from the zip file into that configuration directory, this should include:
* client.ovpn
* ta.key
* ca.crt
* client.key
* client.crt
* passwd
Edit the file 'passwd' in notepad to have your UIC ACM username as the first line and your ACM password as the second line. This will prevent you from needing to enter your password each time. (If you do not want to save you login this way then edit the line in the client.ovpn file that says 'auth-user-pass passwd' to say 'auth-user-pass')
Run "OpenVPN GUI" **AS ADMIN, OTHERWISE THE ROUTING WILL NOT WORK CORRECTLY**
Double click the OpenVPN GUI icon in your taskbar, or right click the icon and then click 'connect' (you will be prompted for your password if you did not use the passwd file)
You should now be connected.
===== OS X client =====
Download the latest Viscosity client from [[https://webstore.illinois.edu/shop/product.aspx?zpid=2637]] )
Download the following file
{{ :network:uic-acm-vpn.ovpn | ACM OVPN file}}
- Unzip the files which creates a "ACM-VPN-Files" folder
- Then in Viscosity go to Preferences
- Hit the [+] to add a new connection
- Import Connection...
- From File
- Select the UIC-ACM-VPN.ovpn file from the extracted files
It should say
"Connection Imported
Viscosity has successfully imported the connection".
Click the Viscosity Icon and select the UIC-ACM-VPN. This will start the connection with ACM VPN server.
A prompt should pop up asking you to enter your UICACM AD credentials
You should now be connected.
===== Linux =====
Install the OpenVPN client from your distros offical package repos
On Ubuntu:
sudo apt-get install openvpn
On Arch:
sudo pacman -S openvpn
Throw the files in a directory, or inside the /etc/openvpn directory if you want this VPN connection to be started automatically if you are using the OpenVPN client daemon, after you unzip them
unzip acmuserauthvpn.zip
Edit the file 'passwd' in a text editor to have your UIC ACM username as the first line and your ACM password as the second line. This will prevent you from needing to enter your password each time. (If you do not want to save you login this way then edit the line in the client.conf file that says 'auth-user-pass passwd' to say 'auth-user-pass')
To connect run this command inside that directory
sudo openvpn client.conf
Enter your ACM user credentials, if prompted
You should now be connected
===== ACM DNS =====
Currently when connecting to the internal network via the VPN, your machine will not be automatically reconfigured to use our internal DNS servers for name resolution. This means that you will need to know the internal IP of any machine you wish to connect to inside the ACM network. In order to use our DNS service, you will need to set the DNS servers for the virtual interface manually. Please consult the documentation for your specific operating system configuration on how to manually set the DNS server you are using.
The valid servers are listed below
172.29.13.10
172.29.13.11
172.29.17.12
====== Server Side ======
This contains instructions for server side operations
===== Server Configuration =====
All server configs live on dvorak in the /etc/openvpn directory. Iptables on the server also needs to allow forwarding from the VPN interfaces tun0, tun1, and tun2.
===== Adding someone to the host based VPN =====
* SSH into dvorak.cs.uic.edu, the ACM router
* Sudo into root and go to /root/easy-rsa-host
* source ./vars
* ./build-key '-'
* Hit enter through all the options, the defaults are set correctly
* Just hit enter through the password prompt, **do not set a password**
* Press 'y' to commit the changes when prompted
* Copy the client.conf, client.ovpn, ta.key, ca.crt, .crt, and .key files from the 'keys' directory to give to the user
* Edit the client.conf and client.ovpn files and change the 'cert .crt' and 'key .key' lines to use the correct files
* Zip the files up and give them to the user, setup is about the same as with the user auth one, copy the files and start the client
The gw redirect VPN follows the same procedure, except the directory is /root/easy-rsa-host-gw for the key gen
===== Removing someone from the host based VPN =====
FIXME
**Untested**
Follow the directions here
http://openvpn.net/index.php/open-source/documentation/howto.html
Under: "Revoking Certificates"
You may need to update the server config as mentioned in the How To