The DSLAB provides OpenVPN access to authorized individuals. In order to utilize it, two steps need to take place:
To perform this step, one needs to become root on juicebar, and change into the /etc/openvpn/easy-rsa/ directory.
Perform the following steps:
Run the vars script as follows:
juicebar:/etc/openvpn/easy-rsa# . ./vars NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys juicebar:/etc/openvpn/easy-rsa#
You do not want to run clean-all, but you do want to see that message (and promptly ignore it). If you run clean-all, all existing certs/keys will be removed, preventing everyone from utilizing the DSLAB VPN
Next, we run the build-key script.. please substitute your DSLAB username in place of username in the example that follows:
juicebar:/etc/openvpn/easy-rsa# ./build-key client-username Generating a 1024 bit RSA private key .......................++++++ .............................................................................++++++ writing new private key to 'client-username.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. -----
You will then be immediately prompted for additional information that will be embedded within the key. For consistency, maintain the locational information as it relates to the DSLAB. Feel free to enter your own e-mail address (does not have to be your geneseo.edu e-mail).
Note that for several of the prompts, you'll just want to hit ENTER to accept the defaults.
Country Name (2 letter code) [US]: State or Province Name (full name) [NY]: Locality Name (eg, city) [Upstate]: Organization Name (eg, company) [BITS]: Organizational Unit Name (eg, section) []:DSLAB Common Name (eg, your name or your server's hostname) [client-username]: Email Address [haas@corning-cc.edu]:username@domain.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa/openssl.cnf DEBUG[load_index]: unique_subject = "yes" Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'US' stateOrProvinceName :PRINTABLE:'NY' localityName :PRINTABLE:'Upstate' organizationName :PRINTABLE:'BITS' organizationalUnitName:PRINTABLE:'DSLAB' commonName :PRINTABLE:'client-username' emailAddress :IA5STRING:'username@domain.com' Certificate is to be certified until Jun 7 15:39:08 2021 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
With the new keys created, we should archive them up for transfer to our client machine. So, still on juicebar, do the following:
juicebar:/etc/openvpn/easy-rsa# cd keys juicebar:/etc/openvpn/easy-rsa/keys# tar cvf client-username.tar ca.crt client-username.crt client-username.key ca.crt client-username.crt client-username.key juicebar:/etc/openvpn/easy-rsa/keys#
Not only will you need some files on the client-side, but the server itself will need access to some of the new key files.
juicebar:/etc/openvpn/easy-rsa# cp -f *.pem client-username.* index.txt* serial* /etc/openvpn/dslab/ juicebar:/etc/openvpn/easy-rsa#
If you neglect to do this (or your keyfiles are removed from the /etc/openvpn/dslab directory on the server), you will not be able to authenticate with the server and therefore not be able to establish a VPN session.
There are mildly different ways to configure a VPN client depending on the OS.
If your client is a Linux system, you'll need to install OpenVPN (on debian-like systems, there should be a package called openvpn).
If the installation of OpenVPN does not create /etc/openvpn on your local system, be sure to create it (not strictly required as you can specify the location of the config and keys at runtime, but establishes a common location that makes debugging easier).
Remember that client-username.tar file you created when generating the key files? You'll want to copy that file to your local system, and place the contents into /etc/openvpn/dslab (you'll have to create that directory on your local system).
Additionally, in /etc/openvpn you'll want to make a file called dslab.conf which will contain some variant of the following:
############################################################################## # # DSLAB OpenVPN Client Configuration File (sample) # # This configuration is to facilitate the joining of the DSLAB VPN. # # Please replace all instances of USER with the actual user name (also the # name on the VPN certificate/key). # ############################################################################## ############################################################################## # VPN Server Information ############################################################################## remote 137.238.7.4 # IP of remote OpenVPN server port 1194 # Port on which to connect on server proto udp # Type of traffic {tcp-client|udp} ############################################################################## # Network Interfaces ############################################################################## dev-type tap # Type of interface to use {tap|tun} dev tap0 # Interface name (usually tun0) ############################################################################## # Credentials ############################################################################## cd /etc/openvpn # establish proper working directory key dslab/client-USER.key # Server key (private) ca dslab/ca.crt # Certificate (public) cert dslab/client-USER.crt # Server Cert (private) tls-cipher EDH-RSA-DES-CBC3-SHA # set tls cipher type ############################################################################## # Client Settings ############################################################################## comp-lzo # use fast LZO compression keepalive 10 120 # send packets to keep sessions alive nobind # don't bind to local address & port persist-key # don't re-read keys across restarts persist-tun # on restart, don't reset tun device pull # Follow route suggestions of server resolv-retry infinite # keep trying to connect if failure route-delay 8 # delay setting routes for 8 seconds tls-client # enable TLS and assume client role ############################################################################## # System Options ############################################################################## chroot /etc/openvpn # run in a chroot of VPN directory user nobody # after launching, drop privs group nobody # after launching, drop privs daemon # detach and run in background ############################################################################## # Verbosity/Logging Options ############################################################################## #status log/status.log # status log file log-append log/dslab.log # log file verb 3 # level of activity to log (0-11) mute 20 # log at most N consecutive messages ##############################################################################
Obviously, replace client-USER with your username (the same you specified when generating the key).
Also, create a /etc/openvpn/log directory on your local machine.
Finally, make sure that user nobody and group nobody exist (on some systems you may have a nogroup instead of nobody– in which case change that line in the config appropriately).
With this set, we can begin to test our config.
As root on your local machine (you'll likely have wanted to have been root to perform these prior steps as well), do the following:
yourmachine:~# openvpn /etc/openvpn/dslab.conf
If successful, your tap0 interface (run ifconfig) will get an IP address and you'll be able to ping/ssh/whatever to resources on the BITS network (DSLAB, LAIR, etc.)
Things rarely work fully on our first attempt… be it routes aren't properly propagated requiring additional tweaking, or DNS settings on the local machine need to be enhanced (add: nameserver 10.81.1.1 to your local /etc/resolv.conf).
Additionally, log information can be found in /etc/openvpn/log on both your local machine and juicebar can be used to aid in debugging connections. Be sure to tail -f files on both machines (dslab.log).
While one could probably configure OpenVPN manually, there exist some graphical tools that are quite effective. ViscosityVPN is $9 and well worth the investment.
Additionally, there is a free application called Tunnelblick that can also be made to work.
Configuration will be similar to Linux, but network devices will differ.
There IS an OpenVPN client for windows… ViscosityVPN! From the same developer that created the Mac version.