network:openvpn

About

The ACM hosts 3 different VPNs for accessing our local network that vary by purpose.

  1. A host based VPN that requires a specific certificate for every client machine
  2. A user authentication VPN that requires an ACM username and password to connect. NOTE: this method can only be used from one machine at a time
  3. A host based VPN that requires a specific certificate for every client machine and re-routes all the client's network traffic over the VPN network

Typical Use of each network

  1. Permanent automatic access to the ACM VPN for a machine
  2. Quick one off access to the network from a single machine
  3. Special case network access to the network and LAN bandwidth - not for general use

Getting Access

For access to VPN 2 (User Auth), just download this zip file and follow the directions below

For access to VPN 1 (Host Based), email sigsysadmin@acm.cs.uic.edu with a request. Include your ACM login and the host name of your machine. The needed files will be sent to you, and the setup is about the same.

Client Setup

This section details the setup of the user auth VPN. Setup for the host auth VPN is the same, with the exception of a couple of file names being different.

Windows Client (XP, Vista, 7)

Download the latest version of the OpenVPN installer from http://openvpn.net/index.php/open-source/downloads.html

Select the one that says “Windows Installer” in the first field of the table

(Currently version 2.2.2 as of June 18 2012)

Run the installer; the defaults should be fine

Go to start » Programs » OpenVPN » Shortcuts » OpenVPN configuration file directory

Copy the files from the zip file into that configuration directory; the zip should include:

  • client.ovpn
  • ta.key
  • ca.crt
  • client.key
  • client.crt
  • passwd

Edit the file 'passwd' in notepad to have your UIC ACM username as the first line and your ACM password as the second line. This will prevent you from needing to enter your password each time. (If you do not want to save your login this way then edit the line in the client.ovpn file that says 'auth-user-pass passwd' to say 'auth-user-pass')

Run “OpenVPN GUI” AS ADMIN, OTHERWISE THE ROUTING WILL NOT WORK CORRECTLY

Double click the OpenVPN GUI icon in your taskbar, or right click the icon and then click 'connect' (you will be prompted for your password if you did not use the passwd file)

You should now be connected.

OS X client

Download the latest Tunnelblick client from http://code.google.com/p/tunnelblick/downloads/list (currently 3.0b10)

Copy the following files to ~/Library/openvpn

  • client.conf
  • client.ovpn
  • ta.key
  • ca.crt
  • client.key
  • client.crt
  • passwd

Edit the file 'passwd' in a text editor to have your UIC ACM username as the first line and your ACM password as the second line. This will prevent you from needing to enter your password each time. (If you do not want to save your login this way then edit the line in the client.ovpn and client.conf files that says 'auth-user-pass passwd' to say 'auth-user-pass')

In the notification tray, click the tunnelblick icon » Connect (?not sure of name with new VPN?)

If prompted, enter your UIC ACM AD credentials

You should now be connected

Linux

Install the OpenVPN client from your distro's official package repos

On Ubuntu:

sudo apt-get install openvpn

On Arch:

sudo pacman -S openvpn

After you unzip them, put the files in a directory of your choice, or inside the /etc/openvpn directory if you use the OpenVPN client daemon and want this VPN connection started automatically

unzip acmuserauthvpn.zip

Edit the file 'passwd' in a text editor to have your UIC ACM username as the first line and your ACM password as the second line. This will prevent you from needing to enter your password each time. (If you do not want to save your login this way then edit the line in the client.conf file that says 'auth-user-pass passwd' to say 'auth-user-pass')

To connect, run this command inside that directory:

sudo openvpn client.conf

Enter your ACM user credentials, if prompted

You should now be connected
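The client steps above (unzip, check the bundle, decide whether to keep the plaintext passwd file, start openvpn) as a small shell helper. This is an added example, not a script from the ACM wiki or the ACM sysadmins: it assumes the file names the wiki lists (client.conf, client.ovpn, ta.key, ca.crt, client.key, client.crt, passwd), and the bundle that make_demo_bundle writes is constructed placeholder material, not real keys. It adds the two checks a practitioner wants before connecting: that every file the config references is actually present, and that the private key, TLS-auth key and saved password are readable by the owner only.

```shell
#!/bin/sh
# Added example (not from the ACM wiki): sanity-check an unzipped ACM VPN bundle
# before running "sudo openvpn client.conf". File names follow the wiki's list;
# the make_demo_bundle contents are constructed placeholders.

# Files the wiki says the bundle contains (client.ovpn and passwd are optional).
REQUIRED_FILES="client.conf ta.key ca.crt client.key client.crt"

# check_bundle DIR: returns 0 when every required file is present and every
# file named by the ca/cert/key/tls-auth directives exists; otherwise prints
# each problem and returns 1.
check_bundle() {
    dir=$1
    rc=0
    for f in $REQUIRED_FILES; do
        [ -f "$dir/$f" ] || { echo "missing: $f"; rc=1; }
    done
    if [ -f "$dir/client.conf" ]; then
        for ref in $(awk '$1=="ca"||$1=="cert"||$1=="key"||$1=="tls-auth"{print $2}' "$dir/client.conf"); do
            [ -f "$dir/$ref" ] || { echo "client.conf references missing file: $ref"; rc=1; }
        done
    fi
    return $rc
}

# check_passwd DIR: the passwd file must hold exactly two lines, username then
# password (awk counts a final line even without a trailing newline).
check_passwd() {
    [ -f "$1/passwd" ] || { echo "no passwd file"; return 1; }
    n=$(awk 'END { print NR }' "$1/passwd")
    [ "$n" -eq 2 ] || { echo "passwd should have 2 lines, has $n"; return 1; }
    return 0
}

# set_password_mode DIR MODE: "file" keeps the saved credentials
# (auth-user-pass passwd); "prompt" makes openvpn ask every time (auth-user-pass).
# Rewrites whichever of client.conf / client.ovpn exist.
set_password_mode() {
    dir=$1
    case $2 in
        file)   repl='auth-user-pass passwd' ;;
        prompt) repl='auth-user-pass' ;;
        *)      echo "unknown mode: $2"; return 1 ;;
    esac
    for cfg in client.conf client.ovpn; do
        [ -f "$dir/$cfg" ] || continue
        tmp=$(mktemp)
        sed "s/^auth-user-pass.*/$repl/" "$dir/$cfg" > "$tmp" && mv "$tmp" "$dir/$cfg"
    done
    return 0
}

# lock_down_secrets DIR: the private key, the TLS-auth key and the plaintext
# passwd file are secrets; make them readable by their owner only.
lock_down_secrets() {
    for f in client.key ta.key passwd; do
        [ -f "$1/$f" ] && chmod 600 "$1/$f"
    done
    return 0
}

# make_demo_bundle DIR: constructed stand-in for the unzipped ACM bundle.
make_demo_bundle() {
    mkdir -p "$1"
    cat > "$1/client.conf" <<'EOF'
client
dev tun
proto udp
# placeholder server; the real address comes with the ACM bundle
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
auth-user-pass passwd
EOF
    for f in ta.key ca.crt client.key client.crt; do
        echo "placeholder, not a real key or certificate" > "$1/$f"
    done
    printf 'acmuser\nexample-password\n' > "$1/passwd"   # constructed credentials
}

# Usage on the demo bundle; point the directory at the real unzipped one instead,
# then run "sudo openvpn client.conf" there.
demo=$(mktemp -d)
make_demo_bundle "$demo"
check_bundle "$demo" && check_passwd "$demo" && lock_down_secrets "$demo" && echo "bundle in $demo looks good"
```

If you would rather not keep the password on disk at all, run `set_password_mode DIR prompt` and delete passwd; openvpn will then ask for the credentials at every connect, which is what the wiki's 'auth-user-pass' edit achieves by hand.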

Server Side

This contains instructions for server side operations

Adding someone to the host based VPN

  • SSH into dvorak.cs.uic.edu, the ACM router
  • Sudo into root and go to /root/easy-rsa-host
  • source ./vars
  • ./build-key <acm user name>-<host name of machine without any spaces>
  • Hit enter through all the options, the defaults are set correctly
  • Just hit enter through the password prompt, do not set a password
  • Press 'y' to commit the changes when prompted
  • Copy the client.conf, client.ovpn, ta.key, ca.crt, <hostname>.crt, and <hostname>.key files from the 'keys' directory to give to the user
  • Edit the client.conf and client.ovpn files and change the 'cert <hostname>.crt' and 'key <hostname>.key' lines to use the correct files
  • Zip the files up and give them to the user; the setup is about the same as for the user auth VPN: copy the files and start the client

The gw redirect VPN follows the same procedure, except the directory is /root/easy-rsa-host-gw for the key gen
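The copy, edit and package steps of the procedure above (everything after build-key, which stays interactive and is run by hand as described) as shell helpers. This is an added example, not a script from the ACM wiki or from dvorak: it assumes the easy-rsa keys/ layout and file names the wiki describes, the key naming rule "<acm user name>-<host name without spaces>", and uses tar instead of zip for the archive so it runs without extra packages. The make_demo_keys directory is a constructed placeholder standing in for /root/easy-rsa-host/keys (or /root/easy-rsa-host-gw/keys for the gw VPN).

```shell
#!/bin/sh
# Added example (not from the ACM wiki): helpers for the copy/edit/package steps of
# "Adding someone to the host based VPN". The build-key step itself is interactive
# and is done by hand; these helpers take over from the keys/ directory onward.
# File names follow the wiki; make_demo_keys writes constructed placeholders.

# key_name USER HOSTNAME: builds the "<acm user name>-<host name>" certificate
# name, dropping any whitespace from the host name (and the user name).
key_name() {
    user=$(printf '%s' "$1" | tr -d '[:space:]')
    host=$(printf '%s' "$2" | tr -d '[:space:]')
    printf '%s-%s\n' "$user" "$host"
}

# package_host_client KEYS_DIR NAME OUTDIR: copies client.conf, client.ovpn,
# ta.key, ca.crt, NAME.crt and NAME.key into OUTDIR, points the cert/key lines of
# both configs at NAME.crt / NAME.key, and restricts the secret files to the owner.
# Checks for every file first, so a missing one returns 1 before anything is written.
package_host_client() {
    keys=$1; name=$2; out=$3
    for f in client.conf client.ovpn ta.key ca.crt "$name.crt" "$name.key"; do
        [ -f "$keys/$f" ] || { echo "missing in $keys: $f"; return 1; }
    done
    mkdir -p "$out"
    for f in client.conf client.ovpn ta.key ca.crt "$name.crt" "$name.key"; do
        cp "$keys/$f" "$out/$f"
    done
    for cfg in client.conf client.ovpn; do
        tmp=$(mktemp)
        sed -e "s/^cert .*/cert $name.crt/" -e "s/^key .*/key $name.key/" "$out/$cfg" > "$tmp" \
            && mv "$tmp" "$out/$cfg"
    done
    chmod 600 "$out/$name.key" "$out/ta.key"
    return 0
}

# archive_bundle OUTDIR ARCHIVE: packs the bundle to hand to the user.
# ARCHIVE should be an absolute path because of the cd.
archive_bundle() {
    (cd "$1" && tar czf "$2" .)
}

# make_demo_keys DIR NAME: constructed stand-in for the easy-rsa keys directory,
# with template configs whose cert/key lines still need pointing at NAME.
make_demo_keys() {
    mkdir -p "$1"
    printf 'client\nca ca.crt\ncert client.crt\nkey client.key\ntls-auth ta.key 1\n' > "$1/client.conf"
    cp "$1/client.conf" "$1/client.ovpn"
    for f in ta.key ca.crt "$2.crt" "$2.key"; do
        echo "placeholder, not a real key or certificate" > "$1/$f"
    done
}

# Usage on a constructed keys directory; on dvorak the keys directory would be
# /root/easy-rsa-host/keys (or /root/easy-rsa-host-gw/keys for the gw VPN).
name=$(key_name acmuser "my laptop")
keys=$(mktemp -d)
make_demo_keys "$keys" "$name"
out=$(mktemp -d)/"$name"
package_host_client "$keys" "$name" "$out" && archive_bundle "$out" "$out.tgz" && echo "bundle: $out.tgz"
```

Only the per-host .key and ta.key are chmod 600; the certificates and CA are public material and stay readable, which matters if the user drops the bundle into /etc/openvpn for the daemon to read.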

Removing someone from the host based VPN

Untested

Follow the directions here

http://openvpn.net/index.php/open-source/documentation/howto.html

Under: “Revoking Certificates”

You may need to update the server config as mentioned in the How To

network/openvpn.1371158116.txt.gz · Last modified: 2021/05/02 21:36 (external edit)