network:openvpn
Differences
This shows you the differences between two versions of the page.
|
network:openvpn [2016/04/05 23:29] walter [OS X client] |
network:openvpn [2021/05/02 21:36] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== OpenVPN ====== | ||
| - | |||
| - | ====== About ====== | ||
| - | |||
| - | The ACM hosts 3 different VPNs for accessing our local network that vary by purpose. | ||
| - | - A host based VPN that requires a specific certificate for every client machine | ||
| - | - A user authentication VPN that requires an ACM username and password to connect, **NOTE** this method can only be used on one machine at a time | ||
| - | - A host based VPN that requires a specific certificate for every client machine and re-routes all the client's network traffic over the VPN network | ||
| - | |||
| - | Typical Use of each network | ||
| - | - Permanent automatic access to the ACM VPN for a machine | ||
| - | - Quick one off access to the network from a single machine | ||
| - | - Special case network access to the network and LAN bandwidth - **not for general use | ||
| - | ** | ||
| - | ====== Getting Access ====== | ||
| - | |||
| - | For access to VPN 2 (User Auth), just download **{{:acmuserauthvpn.zip|this zip file}}** and follow the directions below | ||
| - | |||
| - | For access to VPN 1 (Host Based), email sigsysadmin@acm.cs.uic.edu with a request. Include your acm login and the host name of your machine. The needed files will be sent to you and the setup will be about the same. | ||
| - | |||
| - | ====== Client Setup ====== | ||
| - | |||
| - | This setup details the setup of the user auth VPN. Setup for the host auth VPN is the same, with the exception of a couple of file names being different. **If you need to use the ACM's internal DNS servers, please read the last section** | ||
| - | ===== Windows Client (XP, Vista, 7) ===== | ||
| - | |||
| - | Download the latest version of the OpenVPN installer from http://openvpn.net/index.php/open-source/downloads.html | ||
| - | |||
| - | Select the one that says "Windows Installer" in the first field of the table | ||
| - | |||
| - | (Currently version 2.2.2 as of June 18 2012) | ||
| - | |||
| - | Run the installer, the defaults should be fine | ||
| - | |||
| - | Go to start >> Programs >> OpenVPN >> Shortcuts >> OpenVPN configuration file directory | ||
| - | |||
| - | Copy the files from the zip file into that configuration directory, this should include: | ||
| - | * client.ovpn | ||
| - | * ta.key | ||
| - | * ca.crt | ||
| - | * client.key | ||
| - | * client.crt | ||
| - | * passwd | ||
| - | |||
| - | Edit the file 'passwd' in notepad to have your UIC ACM username as the first line and your ACM password as the second line. This will prevent you from needing to enter your password each time. (If you do not want to save you login this way then edit the line in the client.ovpn file that says 'auth-user-pass passwd' to say 'auth-user-pass') | ||
| - | |||
| - | Run "OpenVPN GUI" **AS ADMIN, OTHERWISE THE ROUTING WILL NOT WORK CORRECTLY** | ||
| - | |||
| - | Double click the OpenVPN GUI icon in your taskbar, or right click the icon and then click 'connect' (you will be prompted for your password if you did not use the passwd file) | ||
| - | |||
| - | You should now be connected. | ||
| - | |||
| - | ===== OS X client ===== | ||
| - | Download the latest tunelblick client from [[https://tunnelblick.net/downloads.html]] ) | ||
| - | |||
| - | Copy the following files to ~/Library/openvpn | ||
| - | * client.conf | ||
| - | * client.ovpn | ||
| - | * ta.key | ||
| - | * ca.crt | ||
| - | * client.key | ||
| - | * client.crt | ||
| - | * passwd | ||
| - | |||
| - | Edit the file 'passwd' in a text editor to have your UIC ACM username as the first line and your ACM password as the second line. This will prevent you from needing to enter your password each time. (If you do not want to save you login this way then edit the line in the client.ovpn and client.conf file that says 'auth-user-pass passwd' to say 'auth-user-pass') | ||
| - | |||
| - | In the notification tray, click the tunnelblick icon >> Connect (?not sure of name with new VPN?) | ||
| - | |||
| - | If prompted, enter your UICACM AD credentials | ||
| - | |||
| - | You should now be connected | ||
| - | |||
| - | ===== Linux ===== | ||
| - | Install the OpenVPN client from your distros offical package repos | ||
| - | |||
| - | On Ubuntu: | ||
| - | <code> | ||
| - | sudo apt-get install openvpn | ||
| - | </code> | ||
| - | |||
| - | On Arch: | ||
| - | <code> | ||
| - | sudo pacman -S openvpn | ||
| - | </code> | ||
| - | |||
| - | Throw the files in a directory, or inside the /etc/openvpn directory if you want this VPN connection to be started automatically if you are using the OpenVPN client daemon, after you unzip them | ||
| - | <code> | ||
| - | unzip acmuserauthvpn.zip | ||
| - | </code> | ||
| - | |||
| - | |||
| - | Edit the file 'passwd' in a text editor to have your UIC ACM username as the first line and your ACM password as the second line. This will prevent you from needing to enter your password each time. (If you do not want to save you login this way then edit the line in the client.conf file that says 'auth-user-pass passwd' to say 'auth-user-pass') | ||
| - | |||
| - | |||
| - | To connect run this command inside that directory | ||
| - | <code> | ||
| - | sudo openvpn client.conf | ||
| - | </code> | ||
| - | |||
| - | |||
| - | Enter your ACM user credentials, if prompted | ||
| - | |||
| - | |||
| - | You should now be connected | ||
| - | |||
| - | ===== ACM DNS ===== | ||
| - | |||
| - | Currently when connecting to the internal network via the VPN, your machine will not be automatically reconfigured to use our internal DNS servers for name resolution. This means that you will need to know the internal IP of any machine you wish to connect to inside the ACM network. In order to use our DNS service, you will need to set the DNS servers for the virtual interface manually. Please consult the documentation for your specific operating system configuration on how to manually set the DNS server you are using. | ||
| - | |||
| - | The valid servers are listed below | ||
| - | <code> | ||
| - | 172.29.13.10 | ||
| - | 172.29.17.12 | ||
| - | </code> | ||
| - | |||
| - | |||
| - | ====== Server Side ====== | ||
| - | |||
| - | This contains instructions for server side operations | ||
| - | |||
| - | |||
| - | ===== Adding someone to the host based VPN ===== | ||
| - | |||
| - | * SSH into dvorak.cs.uic.edu, the ACM router | ||
| - | * Sudo into root and go to /root/easy-rsa-host | ||
| - | * source ./vars | ||
| - | * ./build-key '<acm user name>-<host name of machine without any spaces>' | ||
| - | * Hit enter through all the options, the defaults are set correctly | ||
| - | * Just hit enter through the password prompt, **do not set a password** | ||
| - | * Press 'y' to commit the changes when prompted | ||
| - | * Copy the client.conf, client.ovpn, ta.key, ca.crt, <hostname>.crt, and <hostname>.key files from the 'keys' directory to give to the user | ||
| - | * Edit the client.conf and client.ovpn files and change the 'cert <hostname>.crt' and 'key <hostname>.key' lines to use the correct files | ||
| - | * Zip the files up and give them to the user, setup is about the same as with the user auth one, copy the files and start the client | ||
| - | |||
| - | |||
| - | The gw redirect VPN follows the same procedure, except the directory is /root/easy-rsa-host-gw for the key gen | ||
| - | |||
| - | ===== Removing someone from the host based VPN ===== | ||
| - | |||
| - | FIXME | ||
| - | |||
| - | **Untested** | ||
| - | |||
| - | Follow the directions here | ||
| - | |||
| - | http://openvpn.net/index.php/open-source/documentation/howto.html | ||
| - | |||
| - | Under: "Revoking Certificates" | ||
| - | |||
| - | You may need to update the server config as mentioned in the How To | ||
| - | |||
network/openvpn.txt ยท Last modified: 2021/05/02 21:36 (external edit)
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
