User Tools

Site Tools


network:openvpn

OpenVPN

About

The ACM hosts 3 different VPNs for accessing our local network that vary by purpose.

  1. A host based VPN that requires a specific certificate for every client machine
  2. A user authentication VPN that requires an ACM username and password to connect, NOTE this method can only be used on one machine at a time
  3. A host based VPN that requires a specific certificate for every client machine and re-routes all the client's network traffic over the VPN network

Typical Use of each network

  1. Permanent automatic access to the ACM VPN for a machine
  2. Quick one off access to the network from a single machine
  3. Special case network access to the network and LAN bandwidth - not for general use

Getting Access

For access to VPN 2 (User Auth), just download this zip file and follow the directions below

For access to VPN 1 (Host Based), email sigsysadmin@acm.cs.uic.edu with a request. Include your acm login and the host name of your machine. The needed files will be sent to you and the setup will be about the same.

Client Setup

This setup details the setup of the user auth VPN. Setup for the host auth VPN is the same, with the exception of a couple of file names being different. If you need to use the ACM's internal DNS servers, please read the last section

Windows Client (XP, Vista, 7)

Download the latest version of the OpenVPN installer from http://openvpn.net/index.php/open-source/downloads.html

Select the one that says “Windows Installer” in the first field of the table

(Currently version 2.2.2 as of June 18 2012)

Run the installer, the defaults should be fine

Go to start » Programs » OpenVPN » Shortcuts » OpenVPN configuration file directory

Copy the files from the zip file into that configuration directory, this should include:

  • client.ovpn
  • ta.key
  • ca.crt
  • client.key
  • client.crt
  • passwd

Edit the file 'passwd' in notepad to have your UIC ACM username as the first line and your ACM password as the second line. This will prevent you from needing to enter your password each time. (If you do not want to save you login this way then edit the line in the client.ovpn file that says 'auth-user-pass passwd' to say 'auth-user-pass')

Run “OpenVPN GUIAS ADMIN, OTHERWISE THE ROUTING WILL NOT WORK CORRECTLY

Double click the OpenVPN GUI icon in your taskbar, or right click the icon and then click 'connect' (you will be prompted for your password if you did not use the passwd file)

You should now be connected.

OS X client

Download the latest Viscosity client from https://webstore.illinois.edu/shop/product.aspx?zpid=2637 )

Download the following file ACM OVPN file

  1. Unzip the files which creates a “ACM-VPN-Files” folder
  2. Then in Viscosity go to Preferences
  3. Hit the [+] to add a new connection
  4. Import Connection…
  5. From File
  6. Select the UIC-ACM-VPN.ovpn file from the extracted files

It should say “Connection Imported Viscosity has successfully imported the connection”.

Click the Viscosity Icon and select the UIC-ACM-VPN. This will start the connection with ACM VPN server.

A prompt should pop up asking you to enter your UICACM AD credentials

You should now be connected.

Linux

Install the OpenVPN client from your distros offical package repos

On Ubuntu:

sudo apt-get install openvpn

On Arch:

sudo pacman -S openvpn

Throw the files in a directory, or inside the /etc/openvpn directory if you want this VPN connection to be started automatically if you are using the OpenVPN client daemon, after you unzip them

unzip acmuserauthvpn.zip

Edit the file 'passwd' in a text editor to have your UIC ACM username as the first line and your ACM password as the second line. This will prevent you from needing to enter your password each time. (If you do not want to save you login this way then edit the line in the client.conf file that says 'auth-user-pass passwd' to say 'auth-user-pass')

To connect run this command inside that directory

sudo openvpn client.conf

Enter your ACM user credentials, if prompted

You should now be connected

ACM DNS

Currently when connecting to the internal network via the VPN, your machine will not be automatically reconfigured to use our internal DNS servers for name resolution. This means that you will need to know the internal IP of any machine you wish to connect to inside the ACM network. In order to use our DNS service, you will need to set the DNS servers for the virtual interface manually. Please consult the documentation for your specific operating system configuration on how to manually set the DNS server you are using.

The valid servers are listed below

172.29.13.10
172.29.13.11
172.29.17.12

Server Side

This contains instructions for server side operations

Server Configuration

All server configs live on dvorak in the /etc/openvpn directory. Iptables on the server also needs to allow forwarding from the VPN interfaces tun0, tun1, and tun2.

Adding someone to the host based VPN

  • SSH into dvorak.cs.uic.edu, the ACM router
  • Sudo into root and go to /root/easy-rsa-host
  • source ./vars
  • ./build-key '<acm user name>-<host name of machine without any spaces>'
  • Hit enter through all the options, the defaults are set correctly
  • Just hit enter through the password prompt, do not set a password
  • Press 'y' to commit the changes when prompted
  • Copy the client.conf, client.ovpn, ta.key, ca.crt, <hostname>.crt, and <hostname>.key files from the 'keys' directory to give to the user
  • Edit the client.conf and client.ovpn files and change the 'cert <hostname>.crt' and 'key <hostname>.key' lines to use the correct files
  • Zip the files up and give them to the user, setup is about the same as with the user auth one, copy the files and start the client

The gw redirect VPN follows the same procedure, except the directory is /root/easy-rsa-host-gw for the key gen

Removing someone from the host based VPN

FIXME

Untested

Follow the directions here

http://openvpn.net/index.php/open-source/documentation/howto.html

Under: “Revoking Certificates”

You may need to update the server config as mentioned in the How To

network/openvpn.txt · Last modified: 2016/11/14 19:32 by hui3