======DSLAB VPN access======

The DSLAB provides OpenVPN access to authorized individuals. In order to use it, two steps need to take place:

  - generate a certificate on the DSLAB router
  - place the necessary cert/key files and config file on the client machine

=====Generate VPN certificates=====

To perform this step, one needs to become root on juicebar and change into the **/etc/openvpn/easy-rsa/** directory. Perform the following steps:

====Establish variables====

Run the **vars** script as follows (note the leading dot: the script has to be sourced into the current shell, otherwise the variables it sets are lost as soon as it exits):

<code>
juicebar:/etc/openvpn/easy-rsa# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
juicebar:/etc/openvpn/easy-rsa#
</code>

You do **not** want to run clean-all, but you do want to see that message (and promptly ignore it). If you run clean-all, all existing certs/keys, the CA key included, will be removed, preventing everyone from using the DSLAB VPN.

====Generate the key====

Next, we run the **build-key** script. Substitute your DSLAB username in place of **//username//** in the example that follows:

<code>
juicebar:/etc/openvpn/easy-rsa# ./build-key client-username
Generating a 1024 bit RSA private key
.......................++++++
.............................................................................++++++
writing new private key to 'client-username.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
</code>

The 1024-bit key size shown above is easy-rsa's default (**KEY_SIZE** in the **vars** script). 1024-bit RSA is no longer considered adequate; if the DSLAB CA has not already moved to 2048 bits, set KEY_SIZE=2048 in **vars** before sourcing it.

You will then be immediately prompted for additional information that will be embedded in the certificate. For consistency, keep the locational information as it relates to the DSLAB. Feel free to enter your own e-mail address (it does not have to be your geneseo.edu address).
Note that for several of the prompts, you'll just want to hit ENTER to accept the defaults. Leave the challenge password blank as well: it is only an attribute of the signing request, it does not protect the private key (build-key writes the key unencrypted either way).

<code>
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [Upstate]:
Organization Name (eg, company) [BITS]:
Organizational Unit Name (eg, section) []:DSLAB
Common Name (eg, your name or your server's hostname) [client-username]:
Email Address [haas@corning-cc.edu]:username@domain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'NY'
localityName          :PRINTABLE:'Upstate'
organizationName      :PRINTABLE:'BITS'
organizationalUnitName:PRINTABLE:'DSLAB'
commonName            :PRINTABLE:'client-username'
emailAddress          :IA5STRING:'username@domain.com'
Certificate is to be certified until Jun  7 15:39:08 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
</code>

Two things in that output are worth knowing about. The **unique_subject = "yes"** line means the CA's index refuses to sign a second certificate with the same Distinguished Name, so running build-key again for a username that already has an unrevoked certificate will fail at the signing step. And the Common Name is what the server logs and matches your connection against, so accept the **client-username** default rather than typing it in by hand.

====archive the key files====

With the new keys created, we should archive them up for transfer to our client machine. So, still on juicebar, do the following:

<code>
juicebar:/etc/openvpn/easy-rsa# cd keys
juicebar:/etc/openvpn/easy-rsa/keys# tar cvf client-username.tar ca.crt client-username.crt client-username.key
ca.crt
client-username.crt
client-username.key
juicebar:/etc/openvpn/easy-rsa/keys#
</code>

The tarball contains your private key, so move it to the client over a secure channel such as scp, not by e-mail or a shared directory.

====copy necessary key files to server directory====

Not only will you need some files on the client side, but the server itself will need access to some of the new key files.
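Before the files are copied anywhere, it is worth checking what build-key actually produced: a mistyped Common Name, a key that does not belong to the certificate, or a certificate that does not chain to the DSLAB CA all pass silently now and only show up later as a TLS handshake error in dslab.log. The script below is an added example, not something from this page or from the easy-rsa distribution. It assumes the easy-rsa 2.x keys directory layout shown above (ca.crt, client-USER.crt and client-USER.key in one directory) and uses only the openssl command line tool.

```sh
#!/bin/sh
# Added example, not part of the DSLAB page: sanity-check what build-key
# produced before anything is copied or tarred up.  Assumes the easy-rsa 2.x
# layout used on juicebar: KEYDIR holds ca.crt, client-USER.crt and
# client-USER.key.  Needs only the openssl command line tool.
#
# Usage (as root on juicebar):
#   . ./checkkeys.sh
#   check_client_cert /etc/openvpn/easy-rsa/keys username
#   pack_client_bundle /etc/openvpn/easy-rsa/keys username /root/client-username.tar

# Print the commonName of a PEM certificate, e.g. "client-alice".
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline \
        | sed -n 's/^ *commonName *= *//p'
}

# Print the RSA key size in bits of a PEM private key.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# check_client_cert KEYDIR USER -> 0 if the three files form a usable identity.
check_client_cert() {
    keydir=$1
    user=$2
    ca=$keydir/ca.crt
    crt=$keydir/client-$user.crt
    key=$keydir/client-$user.key
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # 1. The certificate must chain to the DSLAB CA that the server trusts.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "$crt does not verify against $ca" >&2; return 1; }
    # 2. The CN is what the server logs and matches on: it must be exactly
    #    client-USER, with no typo from the build-key prompt.
    cn=$(cert_cn "$crt")
    [ "$cn" = "client-$user" ] \
        || { echo "CN is '$cn', expected 'client-$user'" >&2; return 1; }
    # 3. The private key must be the one the certificate was issued for
    #    (same RSA modulus on both sides).
    cm=$(openssl x509 -in "$crt" -noout -modulus)
    km=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    [ -n "$cm" ] && [ "$cm" = "$km" ] \
        || { echo "client-$user.key does not match client-$user.crt" >&2; return 1; }
    # 4. Warn (do not fail) on the 1024-bit default this page shows.
    bits=$(key_bits "$key")
    [ "${bits:-0}" -ge 2048 ] \
        || echo "warning: client-$user.key is only ${bits:-?} bits; raise KEY_SIZE in vars" >&2
    return 0
}

# pack_client_bundle KEYDIR USER OUT.tar -> tarball readable by its owner only.
pack_client_bundle() {
    keydir=$1
    user=$2
    out=$3
    case $out in /*) ;; *) out=$PWD/$out ;; esac   # so tar -C cannot move it
    check_client_cert "$keydir" "$user" || return 1
    (umask 077 && tar -C "$keydir" -cf "$out" ca.crt "client-$user.crt" "client-$user.key") \
        || return 1
    chmod 600 "$out"
}
```

The pack function refuses to build the tarball unless all three checks pass, and it creates the archive with mode 600, since the private key inside it is only as secret as the least protected copy.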
These files live in the **keys** directory, so run the copy from there:

<code>
juicebar:/etc/openvpn/easy-rsa/keys# cp -f *.pem client-username.* index.txt* serial* /etc/openvpn/dslab/
juicebar:/etc/openvpn/easy-rsa/keys#
</code>

If you neglect to do this (or your key files are removed from the **/etc/openvpn/dslab** directory on the server), you will not be able to authenticate with the server and therefore will not be able to establish a VPN session.

======VPN client config======

There are mildly different ways to configure a VPN client depending on the OS.

=====Linux=====

If your client is a Linux system, you'll need to install **OpenVPN** (on Debian-like systems, there should be a package called **openvpn**). If the installation of OpenVPN does not create **/etc/openvpn** on your local system, be sure to create it (not strictly required, since you can specify the location of the config and keys at runtime, but it establishes a common location that makes debugging easier).

====keys====

Remember that **client-username.tar** file you created when generating the key files? Copy that file to your local system and place its contents into **/etc/openvpn/dslab** (you'll have to create that directory on your local system). The **.key** file is your private key: make it readable by root only (**chmod 600**).

====config====

Additionally, in **/etc/openvpn** you'll want to make a file called **dslab.conf** which will contain some variant of the following:

<code>
##############################################################################
#
# DSLAB OpenVPN Client Configuration File (sample)
#
# This configuration is to facilitate the joining of the DSLAB VPN.
#
# Please replace all instances of USER with the actual user name (also the
# name on the VPN certificate/key).
#
##############################################################################

##############################################################################
# VPN Server Information
##############################################################################
remote 137.238.7.4              # IP of remote OpenVPN server
port 1194                       # Port on which to connect on server
proto udp                       # Type of traffic {tcp-client|udp}

##############################################################################
# Network Interfaces
##############################################################################
dev-type tap                    # Type of interface to use {tap|tun}
dev tap0                        # Interface name (tap0 for a tap device)

##############################################################################
# Credentials
##############################################################################
cd /etc/openvpn                 # establish proper working directory
key dslab/client-USER.key       # Your private key (keep secret)
ca dslab/ca.crt                 # DSLAB CA certificate (public)
cert dslab/client-USER.crt      # Your client certificate (public)
tls-cipher EDH-RSA-DES-CBC3-SHA # set tls cipher type (see note below)

##############################################################################
# Client Settings
##############################################################################
comp-lzo                        # use fast LZO compression (see note below)
keepalive 10 120                # send packets to keep sessions alive
nobind                          # don't bind to local address & port
persist-key                     # don't re-read keys across restarts
persist-tun                     # on restart, don't reset tun device
pull                            # Follow route suggestions of server
resolv-retry infinite           # keep trying to connect if failure
route-delay 8                   # delay setting routes for 8 seconds
tls-client                      # enable TLS and assume client role

##############################################################################
# System Options
##############################################################################
chroot /etc/openvpn             # run in a chroot of VPN directory
user nobody                     # after launching, drop privs
group nobody                    # after launching, drop privs
daemon                          # detach and run in background

##############################################################################
# Verbosity/Logging Options
##############################################################################
#status log/status.log          # status log file
log-append log/dslab.log        # log file
verb 3                          # level of activity to log (0-11)
mute 20                         # log at most N consecutive messages
##############################################################################
</code>

Obviously, replace client-**USER** with your username (the same you specified when generating the key). Also, create a **/etc/openvpn/log** directory on your local machine. Finally, make sure that user **nobody** and group **nobody** exist (on some systems you may have a **nogroup** instead of **nobody**, in which case change that line in the config appropriately).

Two lines in the sample show the age of this setup. **EDH-RSA-DES-CBC3-SHA** is a 3DES suite; current OpenSSL builds treat it as legacy and a recent OpenVPN client may refuse to negotiate it, so keep the **tls-cipher** line only if the server is still pinned to that suite. **comp-lzo** compresses the VPN payload, which lets an attacker who can inject traffic into the tunnel recover secrets from the compressed size, and newer OpenVPN versions deprecate it; drop it unless the server insists on it. Note also that nothing in the sample tells the client to check that the far end is really the server: every DSLAB certificate is signed by the same CA, so any other user's client certificate would be accepted in its place. Adding **remote-cert-tls server** closes that gap, provided the server's certificate was created with **build-key-server** so that it carries the server usage extensions.

With this set, we can begin to test our config. As root on your local machine (you'll likely have needed to be root for the prior steps as well), do the following:

<code>
yourmachine:~# openvpn /etc/openvpn/dslab.conf
</code>

If successful, your **tap0** interface (run **ifconfig**, or **ip addr show tap0**) will get an IP address and you'll be able to ping/ssh/whatever to resources on the BITS network (DSLAB, LAIR, etc.)

Things rarely work fully on the first attempt... be it routes aren't properly propagated, requiring additional tweaking, or DNS settings on the local machine need to be enhanced (add: nameserver 10.81.1.1 to your local **/etc/resolv.conf**). Additionally, the log information in **/etc/openvpn/log** on both your local machine and juicebar can be used to aid in debugging connections. Be sure to **tail -f** the files on both machines (dslab.log). Because the config says **daemon**, the process detaches immediately and everything goes to the log file; while debugging, it is often easier to comment that line out so the output stays on your terminal.

=====Mac OS X=====

While one could probably configure OpenVPN manually, there exist some graphical tools that are quite effective. ViscosityVPN is $9 and well worth the investment. Additionally, there is a free application called Tunnelblick that can also be made to work.
=====OpenBSD=====

Configuration will be similar to Linux, but the network device names will differ.

=====Windows=====

There IS an OpenVPN client for Windows... ViscosityVPN! From the same developer that created the Mac version.
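=====Linux client install, scripted=====

The Linux steps above (unpack the tarball into /etc/openvpn/dslab, write dslab.conf with USER filled in, make sure the log directory and the unprivileged group exist, lock down the key) are easy to get subtly wrong, and the symptom is usually a vague error in dslab.log. The script below is an added example, not part of this page or of OpenVPN itself. It takes the directory that plays the role of /etc/openvpn as a parameter (so it can be tried in a scratch directory first), restricts usernames to plain characters so a username cannot smuggle extra options into the config, and differs from the page's sample config in three deliberate ways noted in the comments: the 3DES **tls-cipher** line and **comp-lzo** are omitted, and **remote-cert-tls server** is added on the assumption that the juicebar server certificate was built with build-key-server. Put the two lines back if the server still requires them.

```sh
#!/bin/sh
# Added example, not part of the DSLAB page: install the client-USER.tar
# bundle on a Linux client and render dslab.conf from the page's template.
# BASE is the directory that plays the role of /etc/openvpn; the page's
# layout is assumed (keys in BASE/dslab, logs in BASE/log).
#
# Usage (as root):
#   . ./install-dslab.sh
#   install_bundle /root/client-alice.tar alice /etc/openvpn
#   render_conf alice 137.238.7.4 "$(unpriv_group)" /etc/openvpn
#   preflight alice /etc/openvpn && openvpn /etc/openvpn/dslab.conf

# Usernames are restricted to [A-Za-z0-9._-]: they are spliced into file
# names and config lines, so spaces, '#' or newlines must be rejected.
valid_user() {
    case $1 in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Pick the unprivileged group for the "group" option: Debian-likes have
# "nogroup", most others "nobody".  Fails if neither exists (Linux only).
unpriv_group() {
    for g in nogroup nobody; do
        getent group "$g" >/dev/null 2>&1 && { echo "$g"; return 0; }
    done
    return 1
}

# install_bundle TARBALL USER BASE: unpack into BASE/dslab, lock down the key.
install_bundle() {
    tarball=$1; user=$2; base=$3
    valid_user "$user" || { echo "bad username: $user" >&2; return 1; }
    mkdir -p "$base/dslab" "$base/log" || return 1
    # Extract only the three expected members; anything else in the tar is ignored.
    tar -C "$base/dslab" -xf "$tarball" ca.crt "client-$user.crt" "client-$user.key" || return 1
    chmod 700 "$base/dslab" && chmod 600 "$base/dslab/client-$user.key"
}

# render_conf USER REMOTE GROUP BASE: write BASE/dslab.conf.
# Differences from the page's sample: tls-cipher (3DES) and comp-lzo are
# left out, and remote-cert-tls server is added so another DSLAB user's
# client certificate cannot pose as the server (assumes the server cert was
# made with build-key-server).
render_conf() {
    user=$1; remote=$2; grp=$3; base=$4
    valid_user "$user" || { echo "bad username: $user" >&2; return 1; }
    cat > "$base/dslab.conf" <<EOF
remote $remote
port 1194
proto udp
dev-type tap
dev tap0
cd $base
key dslab/client-$user.key
ca dslab/ca.crt
cert dslab/client-$user.crt
remote-cert-tls server
keepalive 10 120
nobind
persist-key
persist-tun
pull
resolv-retry infinite
route-delay 8
tls-client
chroot $base
user nobody
group $grp
daemon
log-append log/dslab.log
verb 3
mute 20
EOF
}

# preflight USER BASE: 0 only if every file dslab.conf refers to exists
# relative to its "cd" directory and the private key is not world-readable.
preflight() {
    user=$1; base=$2
    [ -f "$base/dslab.conf" ] || { echo "no $base/dslab.conf" >&2; return 1; }
    for opt in key ca cert; do
        rel=$(sed -n "s/^$opt \([^ #]*\).*/\1/p" "$base/dslab.conf")
        [ -n "$rel" ] && [ -r "$base/$rel" ] \
            || { echo "$opt: '$rel' not found under $base" >&2; return 1; }
    done
    grep -q "^cert dslab/client-$user.crt" "$base/dslab.conf" \
        || { echo "dslab.conf is not for user $user" >&2; return 1; }
    [ -d "$base/log" ] || { echo "missing $base/log (log-append will fail)" >&2; return 1; }
    mode=$(stat -c %a "$base/dslab/client-$user.key" 2>/dev/null \
        || stat -f %Lp "$base/dslab/client-$user.key")
    [ "$mode" = 600 ] || { echo "key mode is $mode, want 600" >&2; return 1; }
}
```

The preflight check resolves the **key**, **ca** and **cert** paths the same way OpenVPN will (relative to the **cd** directory), which catches the most common mistake on this page: a config that names client-USER.key while the file in dslab/ is still called something else.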