
DSLAB VPN access

The DSLAB provides OpenVPN access to authorized individuals. In order to utilize it, two steps need to take place:

  1. generate a certificate on the DSLAB router
  2. place the necessary cert/key files and config file on the client machine

Generate VPN certificates

To perform this step, one needs to become root on juicebar, and change into the /etc/openvpn/easy-rsa/ directory.

Perform the following steps:

Establish variables

Run the vars script as follows:

juicebar:/etc/openvpn/easy-rsa# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
juicebar:/etc/openvpn/easy-rsa# 

You do not want to run clean-all, but you do want to see that message (and promptly ignore it). If you run clean-all, all existing certs/keys will be removed, preventing everyone from utilizing the DSLAB VPN.

Generate the key

Next, we run the build-key script. Please substitute your DSLAB username in place of username in the example that follows:

juicebar:/etc/openvpn/easy-rsa# ./build-key client-username
Generating a 1024 bit RSA private key
.......................++++++
.............................................................................++++++
writing new private key to 'client-username.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

You will then be immediately prompted for additional information that will be embedded within the key. For consistency, maintain the locational information as it relates to the DSLAB. Feel free to enter your own e-mail address (does not have to be your geneseo.edu e-mail).

Note that for several of the prompts, you'll just want to hit ENTER to accept the defaults.

Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [Upstate]:
Organization Name (eg, company) [BITS]:
Organizational Unit Name (eg, section) []:DSLAB
Common Name (eg, your name or your server's hostname) [client-username]:
Email Address [haas@corning-cc.edu]:username@domain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'NY'
localityName          :PRINTABLE:'Upstate'
organizationName      :PRINTABLE:'BITS'
organizationalUnitName:PRINTABLE:'DSLAB'
commonName            :PRINTABLE:'client-username'
emailAddress          :IA5STRING:'username@domain.com'
Certificate is to be certified until Jun  7 15:39:08 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

archive the key files

With the new keys created, we should archive them up for transfer to our client machine. So, still on juicebar, do the following:

juicebar:/etc/openvpn/easy-rsa# cd keys
juicebar:/etc/openvpn/easy-rsa/keys# tar cvf client-username.tar ca.crt client-username.crt client-username.key
ca.crt
client-username.crt
client-username.key
juicebar:/etc/openvpn/easy-rsa/keys# 

copy necessary key files to server directory

Not only will you need some files on the client side, but the server itself will need access to some of the new key files. Still in the keys directory (where the .pem files, index.txt and serial live), copy them into the server's directory:

juicebar:/etc/openvpn/easy-rsa/keys# cp -f *.pem client-username.* index.txt* serial* /etc/openvpn/dslab/
juicebar:/etc/openvpn/easy-rsa/keys# 

If you neglect to do this (or your keyfiles are removed from the /etc/openvpn/dslab directory on the server), you will not be able to authenticate with the server and therefore not be able to establish a VPN session.

VPN client config

There are mildly different ways to configure a VPN client depending on the OS.

Linux

If your client is a Linux system, you'll need to install OpenVPN (on Debian-like systems, there should be a package called openvpn).

If the installation of OpenVPN does not create /etc/openvpn on your local system, be sure to create it (not strictly required as you can specify the location of the config and keys at runtime, but establishes a common location that makes debugging easier).

keys

Remember that client-username.tar file you created when generating the key files? You'll want to copy that file to your local system, and place the contents into /etc/openvpn/dslab (you'll have to create that directory on your local system).

config

Additionally, in /etc/openvpn you'll want to make a file called dslab.conf which will contain some variant of the following:

##############################################################################
#
#   DSLAB OpenVPN Client Configuration File (sample)
#
#   This configuration is to facilitate the joining of the DSLAB VPN.
#
#   Please replace all instances of USER with the actual user name (also the
#   name on the VPN certificate/key).
#
##############################################################################

##############################################################################
#   VPN Server Information
##############################################################################
remote          137.238.7.4             # IP of remote OpenVPN server
port            1194                    # Port on which to connect on server
proto           udp                     # Type of traffic {tcp-client|udp}

##############################################################################
#   Network Interfaces
##############################################################################
dev-type        tap                     # Type of interface to use {tap|tun}
dev             tap0                    # Interface name (tap0 here; tun0 for tun)

##############################################################################
#   Credentials
##############################################################################
cd              /etc/openvpn            # establish proper working directory
key             dslab/client-USER.key   # Client private key (keep it mode 0600)
ca              dslab/ca.crt            # CA certificate (public)
cert            dslab/client-USER.crt   # Client certificate (public)
tls-cipher      EDH-RSA-DES-CBC3-SHA    # TLS cipher; must match the server

##############################################################################
#   Client Settings
##############################################################################
comp-lzo                                # use fast LZO compression
keepalive       10      120             # send packets to keep sessions alive
nobind                                  # don't bind to local address & port
persist-key                             # don't re-read keys across restarts
persist-tun                             # on restart, don't reset tun device
pull                                    # Follow route suggestions of server
resolv-retry    infinite                # keep trying to connect if failure
route-delay     8                       # delay setting routes for 8 seconds
tls-client                              # enable TLS and assume client role

##############################################################################
#   System Options
##############################################################################
chroot          /etc/openvpn            # run in a chroot of VPN directory
user            nobody                  # after launching, drop privs
group           nobody                  # after launching, drop privs
daemon                                  # detach and run in background

##############################################################################
#   Verbosity/Logging Options
##############################################################################
#status         log/status.log          # status log file
log-append      log/dslab.log           # log file
verb            3                       # level of activity to log (0-11)
mute            20                      # log at most N consecutive messages

##############################################################################

Obviously, replace USER in client-USER with your username (the same one you specified when generating the key).

Also, create a /etc/openvpn/log directory on your local machine.

Finally, make sure that user nobody and group nobody exist (on some systems you may have a nogroup instead of nobody, in which case change that line in the config appropriately).
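The checks just described (USER replaced, log directory present, the nobody user/group present), plus the file checks a practitioner would want before the first connection attempt, as an added preflight script that is not part of the original page. It assumes the config lives at /etc/openvpn/dslab.conf and reads the cd, ca, cert, key, log-append, user and group directives from it:

```shell
#!/bin/sh
# Preflight check for a DSLAB-style OpenVPN client config (added example).
# Usage: sh preflight.sh /etc/openvpn/dslab.conf
# Prints one line per problem and returns the number of problems found.

# conf_get FILE DIRECTIVE -> value of DIRECTIVE with any trailing "# comment" removed
conf_get() {
    sed -n "s/^$2[[:space:]]\{1,\}\([^#]*\).*/\1/p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

check_dslab_conf() {
    conf=$1; errs=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # the USER placeholder from the sample config must have been replaced
    if grep -q 'client-USER' "$conf"; then
        echo "USER placeholder still present in $conf"; errs=$((errs + 1))
    fi
    base=$(conf_get "$conf" cd)
    [ -d "$base" ] || { echo "cd directory missing: $base"; errs=$((errs + 1)); }
    # ca/cert/key paths are relative to the cd directory and must exist
    for d in ca cert key; do
        f=$base/$(conf_get "$conf" "$d")
        if [ ! -f "$f" ]; then
            echo "$d file missing: $f"; errs=$((errs + 1))
        elif [ "$d" = key ]; then
            # group/other permission bits (columns 5-10 of ls -l) must all be '-'
            case $(ls -l "$f" | cut -c5-10) in
                *[rwx]*) echo "private key $f is group/world accessible; chmod 600 it"; errs=$((errs + 1)) ;;
            esac
        fi
    done
    # log-append is relative to cd as well; its directory must already exist
    logf=$(conf_get "$conf" log-append)
    [ -z "$logf" ] || [ -d "$(dirname "$base/$logf")" ] || { echo "log dir missing for $base/$logf"; errs=$((errs + 1)); }
    # the unprivileged user/group OpenVPN drops to must exist (nobody vs nogroup)
    u=$(conf_get "$conf" user); g=$(conf_get "$conf" group)
    [ -z "$u" ] || id "$u" >/dev/null 2>&1 || { echo "user does not exist: $u"; errs=$((errs + 1)); }
    [ -z "$g" ] || getent group "$g" >/dev/null 2>&1 || grep -q "^$g:" /etc/group 2>/dev/null || { echo "group does not exist: $g"; errs=$((errs + 1)); }
    return $errs
}

if [ "$#" -gt 0 ]; then check_dslab_conf "$1"; fi
```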

With this set, we can begin to test our config.

As root on your local machine (you'll need to have been root for the prior steps as well), do the following:

yourmachine:~# openvpn /etc/openvpn/dslab.conf

If successful, your tap0 interface (run ifconfig) will get an IP address and you'll be able to ping/ssh/whatever to resources on the BITS network (DSLAB, LAIR, etc.)

Things rarely work fully on the first attempt… be it routes that aren't properly propagated and require additional tweaking, or DNS settings on the local machine that need adjusting (add nameserver 10.81.1.1 to your local /etc/resolv.conf).

Additionally, the logs in /etc/openvpn/log on both your local machine and juicebar can be used to aid in debugging connections. Be sure to tail -f the dslab.log file on both machines.

Mac OS X

While one could probably configure OpenVPN manually, there exist some graphical tools that are quite effective. ViscosityVPN is $9 and well worth the investment.

Additionally, there is a free application called Tunnelblick that can also be made to work.

OpenBSD

Configuration will be similar to Linux, but network devices will differ.

Windows

There IS an OpenVPN client for windows… ViscosityVPN! From the same developer that created the Mac version.

dslab/vpnconfig.txt · Last modified: 2011/06/15 15:50 by hps1